misp-circl-feed/feeds/circl/stix-2.1/2e29b34e-9558-46ba-96b2-211295ece344.json

{
    "type": "bundle",
    "id": "bundle--2e29b34e-9558-46ba-96b2-211295ece344",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T11:21:12.000Z",
            "modified": "2021-02-04T11:21:12.000Z",
            "name": "CIRCL",
            "identity_class": "organization"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--2e29b34e-9558-46ba-96b2-211295ece344",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T11:21:12.000Z",
            "modified": "2021-02-04T11:21:12.000Z",
            "name": "OSINT - Hildegard: New TeamTNT Malware Targeting Kubernetes",
            "published": "2021-02-04T11:21:39Z",
            "object_refs": [
                "indicator--176f9db1-1f95-4ea1-998a-7d0253d6d45f",
                "indicator--ea90cee2-3338-459b-bf2e-8f84edd9c74d",
                "indicator--4f61af6e-155f-46bd-ad05-8ef20e4ca408",
                "indicator--740ba33d-f828-4737-a56f-303cfcd290f5",
                "indicator--2062baa3-04a0-4feb-9623-842a1aafec3c",
                "indicator--d335ffab-1b09-4ece-a139-43524c9a871a",
                "indicator--ccd37fe0-a473-4e9c-acb0-55f7dc917a66",
                "indicator--85a67a9c-b76a-424c-8fd7-fd2f413deafd",
                "indicator--282fc55b-627c-4d5e-9342-1af5184ddb5a",
                "indicator--bdeca9c5-acfc-482a-973f-80386ddc837f",
                "indicator--5d9e3240-96da-40be-866a-ea3fc431a40e",
                "indicator--afa6e590-1959-4c42-b77e-1fd4a9896826",
                "indicator--a5e1d11b-0f73-4cf4-b3ef-b8e723e6d30a",
                "indicator--2c26666d-b912-4e8a-9f68-803f0b824429",
                "indicator--c939eb92-cd87-408a-b2c1-5c25430c0470",
                "indicator--33821510-4992-4ecb-84e9-1d320038a927",
                "indicator--5ecf50d7-0d07-4c15-844a-6d2954367bc3",
                "indicator--06a70163-a39c-4f54-bbdb-a87a814f1c99",
                "indicator--49958838-8ef3-42ca-8053-92baf705789a",
                "indicator--e309ca78-38e1-4c9a-ab77-b42459ff8396",
                "indicator--778de61f-d6d7-4c20-9eb1-c75d829a3c4c",
                "indicator--72ed2178-2db5-4c4f-a3b6-ec0f2dfe8855",
                "indicator--e3c384cd-1c89-4a4b-a874-1652562a02b8",
                "indicator--6020f6d1-af71-4e4a-8a12-225c0242d370",
                "indicator--dfb15087-2708-4da2-9b47-298071b8304d",
                "indicator--a086e984-6da5-4f73-8030-469f98c3227c",
                "x-misp-object--94c1c886-20de-4707-b937-40b85b53bd3f",
                "indicator--d5ed01ea-338f-445b-90e6-e5344378aa83",
                "x-misp-object--62edf8d4-05c9-4862-8d42-f8a4806a36bc",
                "indicator--387943cb-ee93-42dd-98b0-2c27066365df",
                "x-misp-object--10416647-701f-4247-93af-3e201abed9b2",
                "indicator--13c55aeb-731f-4f9f-bed7-54bc16691ee0",
                "x-misp-object--663a8f21-2bf4-499e-9f5c-ba6bd04faa87",
                "indicator--1cc03dbc-d46a-4ee2-aef9-82cc7ef7c97a",
                "x-misp-object--1247892f-3395-4415-933b-581bc19ca772",
                "indicator--0c47742b-164b-4df9-8c71-ef7acafe77cc",
                "x-misp-object--7454fe7f-f8e1-45bc-acb5-b270c3d9d93d",
                "indicator--b7657286-0c79-4c4e-9e45-b5c47795b70e",
                "x-misp-object--16f3ee0a-c011-439f-8bf5-2f88b5671de2",
                "indicator--cd4e86bb-5672-428e-ad55-00bd5ec27323",
                "x-misp-object--31ac78bf-1fb8-40f3-8c88-a6f5c1c1ed9c",
                "indicator--172dce95-5a65-4cf0-b710-277a5832b326",
                "x-misp-object--cd6c16c4-35f5-474c-b49d-e5d213880efc",
                "indicator--de8d5991-babe-4c5d-9343-0a1bd17eaba9",
                "x-misp-object--a38d8b07-b456-42ae-b58a-036d656a2a25",
                "indicator--3b265851-d607-41db-883a-3cdf383f8c65",
                "x-misp-object--383195f4-cd06-40ad-b1f9-8a3f078d3c81",
                "x-misp-object--4a242786-2019-442c-a76c-a9b208d7a3c3",
                "relationship--f478518f-6d94-4bc5-aaec-be0fe6974266",
                "relationship--931aefcf-a87c-4f16-8e41-4b67d4753a09",
                "relationship--c00ebd3d-f26b-4b7c-8a14-a310be7392f9",
                "relationship--1d70f5a0-2ea0-4ad0-a70f-ec4e6cb0c95f",
                "relationship--ac1bf525-825a-40fe-ae35-5db89c4e798a",
                "relationship--44db2a3d-0cb3-43fb-aaaf-63e9a7c4eda3",
                "relationship--3a516f66-39c8-4393-9cd3-3d4f5e772fd6",
                "relationship--4f63dc74-146a-4773-8788-5164aadd475a",
                "relationship--f3bff403-34a5-4b57-8e11-b20aec7213aa",
                "relationship--1e5a4650-7294-47ee-8112-f8dd7915f298"
            ],
            "labels": [
                "Threat-Report",
                "misp:tool=\"MISP-STIX-Converter\"",
                "type:OSINT",
                "osint:lifetime=\"perpetual\"",
                "osint:certainty=\"50\""
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--176f9db1-1f95-4ea1-998a-7d0253d6d45f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T08:58:34.000Z",
            "modified": "2021-02-04T08:58:34.000Z",
            "description": "This machine hosts malicious files used in the campaign and receives the collected data to this C2.\r\nHosted files: TDGG, api.key, tmate, tt.sh, sGAU.sh, t.sh, x86_64.so, xmr.sh, xmrig, xmrig.so, ziggy, xmr3.assi",
            "pattern": "[domain-name:value = 'the.borg.wtf' AND domain-name:resolves_to_refs[*].value = '45.9.150.36']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T08:58:34Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "network"
                }
            ],
            "labels": [
                "misp:name=\"domain-ip\"",
                "misp:meta-category=\"network\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--ea90cee2-3338-459b-bf2e-8f84edd9c74d",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T08:59:13.000Z",
            "modified": "2021-02-04T08:59:13.000Z",
            "description": "The malware connects to this IP to obtain the victim host\u2019s public IP.\r\n",
            "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '147.75.47.199')]",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T08:59:13Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "network"
                }
            ],
            "labels": [
                "misp:name=\"ip-port\"",
                "misp:meta-category=\"network\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--4f61af6e-155f-46bd-ad05-8ef20e4ca408",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T09:00:11.000Z",
            "modified": "2021-02-04T09:00:11.000Z",
            "description": "This host hosts malicious scripts and binaries.\r\nHosted files: pei.sh, pei64.",
            "pattern": "[domain-name:value = 'teamtnt.red' AND domain-name:resolves_to_refs[*].value = '45.9.148.108']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T09:00:11Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "network"
                }
            ],
            "labels": [
                "misp:name=\"domain-ip\"",
                "misp:meta-category=\"network\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--740ba33d-f828-4737-a56f-303cfcd290f5",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T09:00:59.000Z",
            "modified": "2021-02-04T09:00:59.000Z",
            "description": "This host hosts malicious scripts and binaries.\r\nHosted files: aws2.sh",
            "pattern": "[domain-name:value = 'borg.wtf' AND domain-name:resolves_to_refs[*].value = '45.9.148.108']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T09:00:59Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "network"
                }
            ],
            "labels": [
                "misp:name=\"domain-ip\"",
                "misp:meta-category=\"network\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--2062baa3-04a0-4feb-9623-842a1aafec3c",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T09:01:53.000Z",
            "modified": "2021-02-04T09:01:53.000Z",
            "description": "This host is one of the C2s. It runs an IRC server on port 6667.\r\n",
            "pattern": "[domain-name:value = 'irc.borg.wtf' AND domain-name:resolves_to_refs[*].value = '123.245.9.147']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T09:01:53Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "network"
                }
            ],
            "labels": [
                "misp:name=\"domain-ip\"",
                "misp:meta-category=\"network\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--d335ffab-1b09-4ece-a139-43524c9a871a",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T09:02:43.000Z",
            "modified": "2021-02-04T09:02:43.000Z",
            "description": "This host is one of the C2s. It runs an IRC server on port 6667.\r\n",
            "pattern": "[domain-name:value = 'sampwn.anondns.net' AND domain-name:resolves_to_refs[*].value = '13.245.9.147']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T09:02:43Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "network"
                }
            ],
            "labels": [
                "misp:name=\"domain-ip\"",
                "misp:meta-category=\"network\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--ccd37fe0-a473-4e9c-acb0-55f7dc917a66",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T09:03:16.000Z",
            "modified": "2021-02-04T09:03:16.000Z",
            "description": "This host is one of the C2s. It runs an IRC server on port 6667.\r\n",
            "pattern": "[domain-name:resolves_to_refs[*].value = '164.68.106.96']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T09:03:16Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "network"
                }
            ],
            "labels": [
                "misp:name=\"domain-ip\"",
                "misp:meta-category=\"network\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--85a67a9c-b76a-424c-8fd7-fd2f413deafd",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T09:03:47.000Z",
            "modified": "2021-02-04T09:03:47.000Z",
            "description": "This host is one of the C2s. It runs an IRC server on port 6667.\r\n",
            "pattern": "[domain-name:resolves_to_refs[*].value = '62.234.121.105']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T09:03:47Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "network"
                }
            ],
            "labels": [
                "misp:name=\"domain-ip\"",
                "misp:meta-category=\"network\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--282fc55b-627c-4d5e-9342-1af5184ddb5a",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T09:59:06.000Z",
            "modified": "2021-02-04T09:59:06.000Z",
            "pattern": "[file:hashes.SHA256 = '2c1528253656ac09c7473911b24b243f083e60b98a19ba1bbb050979a1f38a0f' AND file:name = 'TDGGi' AND file:x_misp_text = 'script\tThis script downloads and executes tt.sh.']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T09:59:06Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--bdeca9c5-acfc-482a-973f-80386ddc837f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T09:59:06.000Z",
            "modified": "2021-02-04T09:59:06.000Z",
            "pattern": "[file:hashes.SHA256 = '2cde98579162ab165623241719b2ab33ac40f0b5d0a8ba7e7067c7aebc530172' AND file:name = 'tt.sh' AND file:x_misp_text = 'script\tThis script downloads and runs tmate. It collects system information from the victim\u2019s host and sends the collected data to C2(45.9.150[.]36)']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T09:59:06Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5d9e3240-96da-40be-866a-ea3fc431a40e",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T09:59:07.000Z",
            "modified": "2021-02-04T09:59:07.000Z",
            "pattern": "[file:hashes.SHA256 = 'b34df4b273b3bedaab531be46a0780d97b87588e93c1818158a47f7add8c7204' AND file:name = 'api.key' AND file:x_misp_text = 'text\tThe API key is used for creating a named tmate session from the compromised containers.']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T09:59:07Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--afa6e590-1959-4c42-b77e-1fd4a9896826",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T09:59:07.000Z",
            "modified": "2021-02-04T09:59:07.000Z",
            "pattern": "[file:hashes.SHA256 = 'd2fff992e40ce18ff81b9a92fa1cb93a56fb5a82c1cc428204552d8dfa1bc04f' AND file:name = 'tmate' AND file:x_misp_text = 'ELF\ttmate v2.4.0']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T09:59:07Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--a5e1d11b-0f73-4cf4-b3ef-b8e723e6d30a",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T09:59:07.000Z",
            "modified": "2021-02-04T09:59:07.000Z",
            "pattern": "[file:hashes.SHA256 = '74e3ccaea4df277e1a9c458a671db74aa47630928a7825f75994756512b09d64' AND file:name = 'sGAU.sh' AND file:x_misp_text = 'script\tThis script downloads and installs masscan. It scans Kubernetes\u2019 internal IP Kubelets running on port 10250. If masscan finds an exploitable Kubelet']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T09:59:07Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--2c26666d-b912-4e8a-9f68-803f0b824429",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T09:59:07.000Z",
            "modified": "2021-02-04T09:59:07.000Z",
            "pattern": "[file:hashes.SHA256 = '8e33496ea00218c07145396c6bcf3e25f4e38a1061f807d2d3653497a291348c' AND file:name = 'kshell' AND file:x_misp_text = 'script\tThe script performs remote code execution in containers via Kubelet\u2019s API. It also downloads and executes xmr.sh in a target container.']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T09:59:07Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--c939eb92-cd87-408a-b2c1-5c25430c0470",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T09:59:07.000Z",
            "modified": "2021-02-04T09:59:07.000Z",
            "pattern": "[file:hashes.SHA256 = '518a19aa2c3c9f895efa0d130e6355af5b5d7edf28e2a2d9b944aa358c23d887' AND file:name = 'install_monerod.bash' AND file:x_misp_text = 'script\tThe script is hosted in this Github repo. It pulls and builds the official monero project. It then creates a user named \u201cmonerodaemon\u201d and starts the monero service.']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T09:59:07Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--33821510-4992-4ecb-84e9-1d320038a927",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T09:59:07.000Z",
            "modified": "2021-02-04T09:59:07.000Z",
            "pattern": "[file:hashes.SHA256 = '5923f20010cb7c1d59aab36ba41c84cd20c25c6e64aace65dc8243ea827b537b' AND file:name = 'setup_moneroocean_miner.sh' AND file:x_misp_text = 'script\tThe script is hosted in this Github repo. It pulls and runs the MoneroOcean advanced version of xmrig.']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T09:59:07Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5ecf50d7-0d07-4c15-844a-6d2954367bc3",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T09:59:07.000Z",
            "modified": "2021-02-04T09:59:07.000Z",
            "pattern": "[file:hashes.SHA256 = 'a22c2a6c2fdc5f5b962d2534aaae10d4de0379c9872f07aa10c77210ca652fa9' AND file:name = 'xmrig' AND file:x_misp_text = '(oneroocean)\tELF\txmrig 6.7.2-mo3. This binary is hosted in MoneroOcean/xmrig Github repo.']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T09:59:07Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--06a70163-a39c-4f54-bbdb-a87a814f1c99",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T09:59:07.000Z",
            "modified": "2021-02-04T09:59:07.000Z",
            "pattern": "[file:hashes.SHA256 = 'ee6dbbf85a3bb301a2e448c7fddaa4c1c6f234a8c75597ee766c66f52540d015' AND file:name = 'pei.sh' AND file:x_misp_text = 'script\tThis script downloads and executes pei64 or pei32']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T09:59:07Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--49958838-8ef3-42ca-8053-92baf705789a",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T09:59:08.000Z",
            "modified": "2021-02-04T09:59:08.000Z",
            "pattern": "[file:hashes.SHA256 = '937842811b9e2eb87c4c19354a1a790315f2669eea58b63264f751de4da5438d' AND file:name = 'pei64' AND file:x_misp_text = 'ELF\tThis is a Kubernetes penetration tool from the peirates project. The tool is capable of escalating privilege and pivoting through the Kubernetes cluster.']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T09:59:08Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--e309ca78-38e1-4c9a-ab77-b42459ff8396",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T09:59:08.000Z",
            "modified": "2021-02-04T09:59:08.000Z",
            "pattern": "[file:hashes.SHA256 = '72cff62d801c5bcb185aa299eb26f417aad843e617cf9c39c69f9dde6eb82742' AND file:name = 'pei32' AND file:x_misp_text = 'ELF\tSame as pei64']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T09:59:08Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--778de61f-d6d7-4c20-9eb1-c75d829a3c4c",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T09:59:08.000Z",
            "modified": "2021-02-04T09:59:08.000Z",
            "pattern": "[file:hashes.SHA256 = '12c5c5d556394aa107a433144c185a686aba3bb44389b7241d84bea766e2aea3' AND file:name = 'xmr3.assi' AND file:x_misp_text = 'script\tThe script downloads and runs aws2.sh']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T09:59:08Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--72ed2178-2db5-4c4f-a3b6-ec0f2dfe8855",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T09:59:08.000Z",
            "modified": "2021-02-04T09:59:08.000Z",
            "pattern": "[file:hashes.SHA256 = '053318adb15cf23075f737daa153b81ab8bd0f2958fa81cd85336ecdf3d7de4e' AND file:name = 'aws2.sh' AND file:x_misp_text = 'script\tThe script searches for cloud credentials and sends the identified credentials to C2 (the.borg[.]wtf).']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T09:59:08Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--e3c384cd-1c89-4a4b-a874-1652562a02b8",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T09:59:08.000Z",
            "modified": "2021-02-04T09:59:08.000Z",
            "pattern": "[file:hashes.SHA256 = 'e6422d97d381f255cd9e9f91f06e5e4921f070b23e4e35edd539a589b1d6aea7' AND file:name = 't.sh' AND file:x_misp_text = 'script\tThe script downloads x86_64.so and tmate from C2. It modifies ld.so.preload and starts a tmate named session. It then sends back the victim\u2019s system info and tmate session to C2.']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T09:59:08Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--6020f6d1-af71-4e4a-8a12-225c0242d370",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T09:59:08.000Z",
            "modified": "2021-02-04T09:59:08.000Z",
            "pattern": "[file:hashes.SHA256 = '77456c099facd775238086e8f9420308be432d461e55e49e1b24d96a8ea585e8' AND file:name = 'x86_64.so' AND file:x_misp_text = 'ELF\tThis shared object replaces the existing /etc/ld.so.preload file. It uses the LD_PRELOAD trick to hide the tmate process.']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T09:59:08Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--dfb15087-2708-4da2-9b47-298071b8304d",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T09:59:08.000Z",
            "modified": "2021-02-04T09:59:08.000Z",
            "pattern": "[file:hashes.SHA256 = '78f92857e18107872526feb1ae834edb9b7189df4a2129a4125a3dd8917f9983' AND file:name = 'xmrig' AND file:x_misp_text = 'ELF\txmrig v6.7.0']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T09:59:08Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--a086e984-6da5-4f73-8030-469f98c3227c",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T09:59:08.000Z",
            "modified": "2021-02-04T09:59:08.000Z",
            "pattern": "[file:hashes.SHA256 = '3de32f315fd01b7b741cfbb7dfee22c30bf7b9a5a01d7ab6690fcb42759a3e9f' AND file:name = 'xmrig.so' AND file:x_misp_text = 'ELF\tThis shared object replaces the existing /etc/ld.so.preload.']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T09:59:08Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "x-misp-object",
            "spec_version": "2.1",
            "id": "x-misp-object--94c1c886-20de-4707-b937-40b85b53bd3f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T10:00:58.000Z",
            "modified": "2021-02-04T10:00:58.000Z",
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\""
            ],
            "x_misp_attributes": [
                {
                    "type": "attachment",
                    "object_relation": "attachment",
                    "value": "word-image.png",
                    "category": "External analysis",
                    "uuid": "2b389dc5-f633-400f-ab9b-660fe5041103",
                    "data": "iVBORw0KGgoAAAANSUhEUgAABPgAAAQgCAYAAAB7KuLYAAAgAElEQVR4AexdCZgUxdmuyOL/axINLCbRmJg7RhPZxfwmJiaaaDzYxXjt7rCiKOIRVCIiooKKys4sIKAgN8olt8juzgy73HIfciiXKIKI4O+VmEh+j4DW/7y9W2NNb8/OzG73dPfMu8+zT/d0V1dVv/X211+9/VWVEPwjAkSACBABIuADBLpU1J1cPjB8TkkofGVZqKZHIBQeUFYRHVUajMwurYgsCgSjL3aujL5WHoq+XV4Z/TAQin4cCEX/EwhGPy8LRiT/iQE5QA6QA+QAOUAOkAPkQNZwIBT9oiwUORoIRT4NhCKHy0PR98tD0f2dB0W3B4LRlaWhBdVlocik0srIkLKKaJ/yYPS60lDkos7B8Omdxm063gfuP6tIBIgAESACRIAI+BWBqyrmndw5tOBPZaFIj9Jg+MmyYCR6bSiypywU+Y+VM9b18UVHbhu57Mjd41d9cf+UDfLhGZvkwDlb5eB52+TQqh1yeHinHBHZJUdG8f8K/4kBOUAOkAPkADlADpAD5ECWcGCXfCKySw6r3iGHzN8uK+e+JB+dtVk+OG2j7PPMWtlzzIqj3YcvOdJlUK3lx+5AZeSDslBkfSAUmVYSrHkoMDBcdnVF9Vklc+a08mtfgvUmAkSACBABIkAEXECgfPCin5RVRAJlofBgRODhq6Mu4nUZUnf0b2NXHn14+ibDcXl66V45d/0huXD7B3Lt64fly2//h//EgBwgB8gBcoAcIAfIAXKAHEjCgU1vfiKXv/JPWbPlXTl91ZtydO1uGZq7VfadtFbe/MSSI7oPXhaKfhEIRXaUB8NTAxXRXp2DNecz4s+FzhKLJAJEgAgQASLgVQQCwarflwWj92G4QOfKBR8oRyJQGf3irrGrPg/O2SonLH5dVr34jly1hwIeBUwKuOQAOUAOkAPkADlADpADmeDAlgOfykXb/y5nrD4gnwzvlP2mbpTdhy+OE/4CochLZRWRUdcMDF9bUrn4e17tc7BeRIAIEAEiQASIgM0IBAZGf1VaEelbVhGpCwSjnylB769PLTsKMW/Ssn1GNF4mnBaWQeeYHCAHyAFygBwgB8gBcoAcSI8Da/celvPWHzKmu7l/8jqJETbKp7+2MrKntCIytrSiprRkWF1bm7sSzI4IEAEiQASIABFwC4Hrhiz8Kl7wZcHwM4FQ9F318r999IqjQ57fLmevPSjX7f03h1AkGUJBxzM9x5N4ES9ygBwgB8gBcoAcIAcyx4G6bR/ICYv2GHP96YIfFvYoD0YeCISqC93qj7BcIkAEiAARIAJEoJkIdBoQblcWinYvDUVrlKDX9fG6o4/M3Cynrtwv13CuPAqaFDTJAXKAHCAHyAFygBwgB7KWA+Gt7xkRfr3Gr44t5tG5Mvo6Vu8tGVhzXjO7GbyMCBABIkAEiAARcBqBkmFrjysNRrqWBcNhJerdOmLpEaxaW7353ax1XvhlOHNfhok1sSYHyAFygBwgB8gBcsB/HFj1+mFjGp5+UzdI1U8oD0X3lw2MDsL0PU73U5g/ESACRIAIEAEikAICpZWRS8pC0SmBUPQ/eGFD1Bse3ilrX36foh6/SpMD5AA5QA6QA+QAOUAOkAPkQIwDG/d/Ip9duV/2n7YxJvZhoY5AMHJPYED1KSl0P5iECBABIkAEiAARsAuBawctOLU0GO3fubJ2L0S964fUHR303EuyZgsj9fhV2X9fldlmbDNygBwgB8gBcoAcIAcyz4H1+/4tn1m6V/aeuDom9pUGI3PLgtFiu/otzIcIEAEiQASIABGwQODaQeELy4KRmSq0/r4p6+T0VW/GvsjRMcq8Y0TMiTk5QA6QA+QAOUAOkAPkgN85sGTH3+Ww6h2y29BFR9DXwGq8ZRXRPkWhSBuLbgkPEQEiQASIABEgAs1BoCwYvTEQim40ovUerzuKl+/SXR9S2ONwC3KAHCAHyAFygBwgB8gBcoAcsJUDM1YfkH0nra2P6gtFjpZVREaVVEZ/2Zx+DK8hAkSACBABIpDzCNwwafl/46tZ51D0IIS9v41deXTSsn22vrz9/qWR9efXcnKAHCAHyAFygBwgB8gBcsAZDtRt+0CG5m6NG77bOVhzfs531AgAESACRIAIEIFUECipnHNioCI8oDwU/QjC3v1TNsi56w9R2OOXWXKAHCAHyAFygBwgB8gBcoAcyDgH1u49LEdGd8muj9cdRf8kEIzUllbWXpJK34ZpiAARIAJEgAjkHAIlo5Z/LRAKDwiEoh/jxfnw9E0yuvW9jL/A+QXUmS+gxJW4kgPkADlADpAD5AA5QA74mQNbD34mxy3aI7sPX2zM01cajCwqCy24OOc6brxhIkAEiAARIAKJECgLRu9TEXsDZmyStdvep7DHr7PkADlADpAD5AA5QA6QA+QAOeBJDkxc/LrsPnyJIfSVBcPhkoE15yXq6/A4ESACRIAIEIGsR6AkFLlFzbH34LMvygUvU9jz81dN1p1f5ckBcoAcIAfIAXKAHCAHcokDiOi7sWHl3UAoMq1zMHx61nfieINEgAgQASJABBQCpcFwR7Uqbp9n1sqqF9/x5Je5XHJOeK90xskBcoAcIAfIAXKAHCAHyIH0ObDlwKfGHH2ByugXmGqobGB0UKdxm45XfR9uiQARIAJEgAhkHQLlgxf9pCwYmYkX320jlx2ZvupNCnscdkEOkAPkADngew4s3/mefDq6ST41d5V8dvHLMvrim/KlQ5/5/r7Y0U+/o0/MiBk5kLscWL3no9iqu+Wh6PsYrZR1HTreEBEgAkSACBCB0mC0v7HqVGX0i1G1u9npYYeeHMhhDqzf+5E89TdXx/1f3bMyISe2HPhEXnlHKC69ur78nmEJr2tuJ+u8sl7yB3/oHPu/ZcA428tobt14nXc6jjOX7ZSXdOtv8CS/oEia/8GhrveNkOGN+xPyZ/jM5Y14vWQbo9rJc+/wnG3BtiAH0udA5KX3ZN9JayX6PqXByLKSYPhc9gaJABEgAkSACPgegdLKyCVloeg2vOAemblZrnjtXwk7OnQg0ncgiBkx8yMH1u75ZyMx5LKbHrS0DYiC6tx7aKP0EFP+2KWv3LjvsOV1LcHl5xffEFceym9Jfrl67Yxl2+W1fYbH/rv0ecKR9so0vpv2/5/sMfDpOI6YxT3z715DpllG9FVOrmuUz8ItBz3Lt8FTF8XaE22L+8o0/iyP7z1ygBzwCwemrHhDdmuYn6+0MjKkZM6cVr7v3PEGiAARIAJEIPcQKBm29riyisgoNRx3zjrvdlj84iSwnnRos4UD6Qh83R8c00gAcVLcA8YU+Ox51qzEq5WvfOBrQejFN/4tf3VFD0tOmkU982+rSFArjLws8AXufjzu3jt0us3X7ZktNpX3YY/NIo7E0QkObHrzEzl43jYjmq+8snZvWWXNX3KvZ8g7JgJEgAgQAd8iUBIKXxkIRQ9A3BtWvYPOfw4PxXTCUWKe/nfAUxX4/jZoSpyYoAQTpyL3FLco8NnDMSvxyu8CX89Ka04qbmLouNq32j7+7JK4d6IVRhT47OGfep65JZ7kADngBQ5gUcGeY1YcNYbtVkTGdhoQ5iIcvu3tsuJEgAgQgRxAYMCA5Xkqaq/nmJWf12x5N64j44WXK+tAJ48ccJ8DqQh8/Z+aZymUnF/ex/FhnhT47OGIlXjlZ4EPc+lZiXY//dN1cmzVOrnm1Q+Nd96qVz6QAydGLNOCW5vf/Dj2brTCiAKfPfyjrSeO5AA54EUOPBneWR/NF4ruLwtGi3Ogi8hbJAJEgAgQAb8hUF4R+WPnyuhufJUaHt4Z67x48cXKOtHhIwfc5UAygS80qdZSHGlK3MNCHGOeXyNHa/+RBIsbTIpujks3b+WrcTYrkcCHekPIufWRCbJb/1GGiDP7hV1y68FP46634hfqh3IhXGJOPywactegqUZ+WIHV6hocw2qs+j1hhVYch0gUnFQrb3zgKXlNz0ExcWlq3VY5Ibwh9r90e/2CDVXr9sq7Bk8zysbCJCgbeKWy0uvq1z
                }
            ],
            "x_misp_meta_category": "file",
            "x_misp_name": "file"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--d5ed01ea-338f-445b-90e6-e5344378aa83",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T10:14:24.000Z",
            "modified": "2021-02-04T10:14:24.000Z",
            "pattern": "[file:hashes.MD5 = 'fe9d149dec9cd182254ace576a332f56' AND file:hashes.SHA1 = '66f858f47aebad049a58d416ca5f7916bf3ec524' AND file:hashes.SHA256 = '3de32f315fd01b7b741cfbb7dfee22c30bf7b9a5a01d7ab6690fcb42759a3e9f']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T10:14:24Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "x-misp-object",
            "spec_version": "2.1",
            "id": "x-misp-object--62edf8d4-05c9-4862-8d42-f8a4806a36bc",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T10:14:24.000Z",
            "modified": "2021-02-04T10:14:24.000Z",
            "labels": [
                "misp:name=\"virustotal-report\"",
                "misp:meta-category=\"misc\""
            ],
            "x_misp_attributes": [
                {
                    "type": "datetime",
                    "object_relation": "last-submission",
                    "value": "2021-02-03T19:27:51+00:00",
                    "category": "Other",
                    "uuid": "7cce5fc0-9644-441d-8697-37e733ef44f5"
                },
                {
                    "type": "link",
                    "object_relation": "permalink",
                    "value": "https://www.virustotal.com/gui/file/3de32f315fd01b7b741cfbb7dfee22c30bf7b9a5a01d7ab6690fcb42759a3e9f/detection/f-3de32f315fd01b7b741cfbb7dfee22c30bf7b9a5a01d7ab6690fcb42759a3e9f-1612380471",
                    "category": "Payload delivery",
                    "uuid": "7d3b53ae-687b-416c-b654-f25154c2070d"
                },
                {
                    "type": "text",
                    "object_relation": "detection-ratio",
                    "value": "36/62",
                    "category": "Payload delivery",
                    "uuid": "70d081db-33dd-49a8-970b-038e2fd244b2"
                }
            ],
            "x_misp_meta_category": "misc",
            "x_misp_name": "virustotal-report"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--387943cb-ee93-42dd-98b0-2c27066365df",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T10:14:24.000Z",
            "modified": "2021-02-04T10:14:24.000Z",
            "pattern": "[file:hashes.MD5 = '92490c9b9d3bb59aca5f106e401dfcaa' AND file:hashes.SHA1 = 'ca46d7e629475ec4dce991221d9c9f3abf4f6ad3' AND file:hashes.SHA256 = 'e6422d97d381f255cd9e9f91f06e5e4921f070b23e4e35edd539a589b1d6aea7']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T10:14:24Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "x-misp-object",
            "spec_version": "2.1",
            "id": "x-misp-object--10416647-701f-4247-93af-3e201abed9b2",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T10:14:24.000Z",
            "modified": "2021-02-04T10:14:24.000Z",
            "labels": [
                "misp:name=\"virustotal-report\"",
                "misp:meta-category=\"misc\""
            ],
            "x_misp_attributes": [
                {
                    "type": "datetime",
                    "object_relation": "last-submission",
                    "value": "2021-02-03T19:40:43+00:00",
                    "category": "Other",
                    "uuid": "d4cd28b1-b60e-44b4-9c64-7e7c4f45b5b6"
                },
                {
                    "type": "link",
                    "object_relation": "permalink",
                    "value": "https://www.virustotal.com/gui/file/e6422d97d381f255cd9e9f91f06e5e4921f070b23e4e35edd539a589b1d6aea7/detection/f-e6422d97d381f255cd9e9f91f06e5e4921f070b23e4e35edd539a589b1d6aea7-1612381243",
                    "category": "Payload delivery",
                    "uuid": "6852adda-7ef4-4745-8c2b-fb5da0102746"
                },
                {
                    "type": "text",
                    "object_relation": "detection-ratio",
                    "value": "8/60",
                    "category": "Payload delivery",
                    "uuid": "563c3788-bd32-4dcc-a076-af2cdfff1e33"
                }
            ],
            "x_misp_meta_category": "misc",
            "x_misp_name": "virustotal-report"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--13c55aeb-731f-4f9f-bed7-54bc16691ee0",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T10:14:24.000Z",
            "modified": "2021-02-04T10:14:24.000Z",
            "pattern": "[file:hashes.MD5 = '9f98db93197c6dfb27475075ae14e8ae' AND file:hashes.SHA1 = 'd849ca5d8fea568c2ccc56719d9b1bc145c64c9e' AND file:hashes.SHA256 = '053318adb15cf23075f737daa153b81ab8bd0f2958fa81cd85336ecdf3d7de4e']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T10:14:24Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "x-misp-object",
            "spec_version": "2.1",
            "id": "x-misp-object--663a8f21-2bf4-499e-9f5c-ba6bd04faa87",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T10:14:24.000Z",
            "modified": "2021-02-04T10:14:24.000Z",
            "labels": [
                "misp:name=\"virustotal-report\"",
                "misp:meta-category=\"misc\""
            ],
            "x_misp_attributes": [
                {
                    "type": "datetime",
                    "object_relation": "last-submission",
                    "value": "2021-02-03T19:41:02+00:00",
                    "category": "Other",
                    "uuid": "c032bbff-bca2-49ee-b17d-319677f87a00"
                },
                {
                    "type": "link",
                    "object_relation": "permalink",
                    "value": "https://www.virustotal.com/gui/file/053318adb15cf23075f737daa153b81ab8bd0f2958fa81cd85336ecdf3d7de4e/detection/f-053318adb15cf23075f737daa153b81ab8bd0f2958fa81cd85336ecdf3d7de4e-1612381262",
                    "category": "Payload delivery",
                    "uuid": "a7ed5250-91ef-4cdd-9361-a9cb14637692"
                },
                {
                    "type": "text",
                    "object_relation": "detection-ratio",
                    "value": "4/59",
                    "category": "Payload delivery",
                    "uuid": "28f8e57c-6ea4-4b49-8f71-7ef6d0ee00dd"
                }
            ],
            "x_misp_meta_category": "misc",
            "x_misp_name": "virustotal-report"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--1cc03dbc-d46a-4ee2-aef9-82cc7ef7c97a",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T10:14:24.000Z",
            "modified": "2021-02-04T10:14:24.000Z",
            "pattern": "[file:hashes.MD5 = '63248ffca814fec285379d27aaccf2e9' AND file:hashes.SHA1 = '661a178188ce87332779fd4e842674dd39425496' AND file:hashes.SHA256 = '72cff62d801c5bcb185aa299eb26f417aad843e617cf9c39c69f9dde6eb82742']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T10:14:24Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "x-misp-object",
            "spec_version": "2.1",
            "id": "x-misp-object--1247892f-3395-4415-933b-581bc19ca772",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T10:14:24.000Z",
            "modified": "2021-02-04T10:14:24.000Z",
            "labels": [
                "misp:name=\"virustotal-report\"",
                "misp:meta-category=\"misc\""
            ],
            "x_misp_attributes": [
                {
                    "type": "datetime",
                    "object_relation": "last-submission",
                    "value": "2021-02-04T06:36:23+00:00",
                    "category": "Other",
                    "uuid": "e482ad3f-ea53-4783-a5fc-a9df32a22e68"
                },
                {
                    "type": "link",
                    "object_relation": "permalink",
                    "value": "https://www.virustotal.com/gui/file/72cff62d801c5bcb185aa299eb26f417aad843e617cf9c39c69f9dde6eb82742/detection/f-72cff62d801c5bcb185aa299eb26f417aad843e617cf9c39c69f9dde6eb82742-1612420583",
                    "category": "Payload delivery",
                    "uuid": "a7245756-6000-46a0-83d0-a8f046c7e488"
                },
                {
                    "type": "text",
                    "object_relation": "detection-ratio",
                    "value": "3/61",
                    "category": "Payload delivery",
                    "uuid": "0154047d-9659-4470-bb33-127abbfd3c46"
                }
            ],
            "x_misp_meta_category": "misc",
            "x_misp_name": "virustotal-report"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--0c47742b-164b-4df9-8c71-ef7acafe77cc",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T10:14:24.000Z",
            "modified": "2021-02-04T10:14:24.000Z",
            "pattern": "[file:hashes.MD5 = '35ac482fafb1453f993cb7c447fb9525' AND file:hashes.SHA1 = '59e538c2a3b5a4ccf49b30b88e5571a27931aa4c' AND file:hashes.SHA256 = 'a22c2a6c2fdc5f5b962d2534aaae10d4de0379c9872f07aa10c77210ca652fa9']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T10:14:24Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "x-misp-object",
            "spec_version": "2.1",
            "id": "x-misp-object--7454fe7f-f8e1-45bc-acb5-b270c3d9d93d",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T10:14:25.000Z",
            "modified": "2021-02-04T10:14:25.000Z",
            "labels": [
                "misp:name=\"virustotal-report\"",
                "misp:meta-category=\"misc\""
            ],
            "x_misp_attributes": [
                {
                    "type": "datetime",
                    "object_relation": "last-submission",
                    "value": "2021-02-03T19:34:55+00:00",
                    "category": "Other",
                    "uuid": "f7f0be32-b20e-47e9-bff2-c3b6857999ef"
                },
                {
                    "type": "link",
                    "object_relation": "permalink",
                    "value": "https://www.virustotal.com/gui/file/a22c2a6c2fdc5f5b962d2534aaae10d4de0379c9872f07aa10c77210ca652fa9/detection/f-a22c2a6c2fdc5f5b962d2534aaae10d4de0379c9872f07aa10c77210ca652fa9-1612380895",
                    "category": "Payload delivery",
                    "uuid": "3b209465-79f6-4244-b8f0-8d2e1f99f5b7"
                },
                {
                    "type": "text",
                    "object_relation": "detection-ratio",
                    "value": "24/62",
                    "category": "Payload delivery",
                    "uuid": "4282e0ac-e3ea-4f2e-8d1c-244e51aa67ae"
                }
            ],
            "x_misp_meta_category": "misc",
            "x_misp_name": "virustotal-report"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--b7657286-0c79-4c4e-9e45-b5c47795b70e",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T10:14:25.000Z",
            "modified": "2021-02-04T10:14:25.000Z",
            "pattern": "[file:hashes.MD5 = '1aeb95215a633400d90ad8cbca9bc300' AND file:hashes.SHA1 = '31381d57d93b0c0738d2e92bce0014b69371f958' AND file:hashes.SHA256 = 'd2fff992e40ce18ff81b9a92fa1cb93a56fb5a82c1cc428204552d8dfa1bc04f']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T10:14:25Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "x-misp-object",
            "spec_version": "2.1",
            "id": "x-misp-object--16f3ee0a-c011-439f-8bf5-2f88b5671de2",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T10:14:25.000Z",
            "modified": "2021-02-04T10:14:25.000Z",
            "labels": [
                "misp:name=\"virustotal-report\"",
                "misp:meta-category=\"misc\""
            ],
            "x_misp_attributes": [
                {
                    "type": "datetime",
                    "object_relation": "last-submission",
                    "value": "2021-02-03T20:11:13+00:00",
                    "category": "Other",
                    "uuid": "14744553-4167-424e-a9ea-86c40d3ade68"
                },
                {
                    "type": "link",
                    "object_relation": "permalink",
                    "value": "https://www.virustotal.com/gui/file/d2fff992e40ce18ff81b9a92fa1cb93a56fb5a82c1cc428204552d8dfa1bc04f/detection/f-d2fff992e40ce18ff81b9a92fa1cb93a56fb5a82c1cc428204552d8dfa1bc04f-1612383073",
                    "category": "Payload delivery",
                    "uuid": "949d6755-855d-4624-8c90-f2e9ece4f101"
                },
                {
                    "type": "text",
                    "object_relation": "detection-ratio",
                    "value": "2/62",
                    "category": "Payload delivery",
                    "uuid": "37edadcb-4036-45d7-a086-11f69ac56b2b"
                }
            ],
            "x_misp_meta_category": "misc",
            "x_misp_name": "virustotal-report"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--cd4e86bb-5672-428e-ad55-00bd5ec27323",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T10:14:25.000Z",
            "modified": "2021-02-04T10:14:25.000Z",
            "pattern": "[file:hashes.MD5 = '80c202ced80965521adf1d63ba6be712' AND file:hashes.SHA1 = '9481e349e3b3942edd2346fa823611e16a375ae4' AND file:hashes.SHA256 = '77456c099facd775238086e8f9420308be432d461e55e49e1b24d96a8ea585e8']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T10:14:25Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "x-misp-object",
            "spec_version": "2.1",
            "id": "x-misp-object--31ac78bf-1fb8-40f3-8c88-a6f5c1c1ed9c",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T10:14:25.000Z",
            "modified": "2021-02-04T10:14:25.000Z",
            "labels": [
                "misp:name=\"virustotal-report\"",
                "misp:meta-category=\"misc\""
            ],
            "x_misp_attributes": [
                {
                    "type": "datetime",
                    "object_relation": "last-submission",
                    "value": "2021-02-03T19:31:29+00:00",
                    "category": "Other",
                    "uuid": "0bb828f3-37c1-453e-bbec-e3c7504adb9f"
                },
                {
                    "type": "link",
                    "object_relation": "permalink",
                    "value": "https://www.virustotal.com/gui/file/77456c099facd775238086e8f9420308be432d461e55e49e1b24d96a8ea585e8/detection/f-77456c099facd775238086e8f9420308be432d461e55e49e1b24d96a8ea585e8-1612380689",
                    "category": "Payload delivery",
                    "uuid": "cb9b754b-9665-477f-b519-e868e5469128"
                },
                {
                    "type": "text",
                    "object_relation": "detection-ratio",
                    "value": "26/63",
                    "category": "Payload delivery",
                    "uuid": "2b4e5d30-c772-4b53-b4be-bf6970b9f8d6"
                }
            ],
            "x_misp_meta_category": "misc",
            "x_misp_name": "virustotal-report"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--172dce95-5a65-4cf0-b710-277a5832b326",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T10:14:25.000Z",
            "modified": "2021-02-04T10:14:25.000Z",
            "pattern": "[file:hashes.MD5 = '70330c23a9027ba0d2d6dd552818d97b' AND file:hashes.SHA1 = 'e94aeaeae1a3df5e3778c37f7a77be43da627c7e' AND file:hashes.SHA256 = '78f92857e18107872526feb1ae834edb9b7189df4a2129a4125a3dd8917f9983']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T10:14:25Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "x-misp-object",
            "spec_version": "2.1",
            "id": "x-misp-object--cd6c16c4-35f5-474c-b49d-e5d213880efc",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T10:14:25.000Z",
            "modified": "2021-02-04T10:14:25.000Z",
            "labels": [
                "misp:name=\"virustotal-report\"",
                "misp:meta-category=\"misc\""
            ],
            "x_misp_attributes": [
                {
                    "type": "datetime",
                    "object_relation": "last-submission",
                    "value": "2021-02-03T19:38:56+00:00",
                    "category": "Other",
                    "uuid": "58d5b530-df03-43b3-a0bc-1958ed931ce3"
                },
                {
                    "type": "link",
                    "object_relation": "permalink",
                    "value": "https://www.virustotal.com/gui/file/78f92857e18107872526feb1ae834edb9b7189df4a2129a4125a3dd8917f9983/detection/f-78f92857e18107872526feb1ae834edb9b7189df4a2129a4125a3dd8917f9983-1612381136",
                    "category": "Payload delivery",
                    "uuid": "f2e6fa65-0bcd-4147-8988-6fa1244279ab"
                },
                {
                    "type": "text",
                    "object_relation": "detection-ratio",
                    "value": "30/62",
                    "category": "Payload delivery",
                    "uuid": "01a178ee-c1e2-4b87-bfca-f6c9b1c4e6f6"
                }
            ],
            "x_misp_meta_category": "misc",
            "x_misp_name": "virustotal-report"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--de8d5991-babe-4c5d-9343-0a1bd17eaba9",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T10:14:25.000Z",
            "modified": "2021-02-04T10:14:25.000Z",
            "pattern": "[file:hashes.MD5 = 'e10e607751f00516c86b35a6a3b76517' AND file:hashes.SHA1 = '841e188fb08de785a7cd43cb9ce3550ba84c21ef' AND file:hashes.SHA256 = '12c5c5d556394aa107a433144c185a686aba3bb44389b7241d84bea766e2aea3']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T10:14:25Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "x-misp-object",
            "spec_version": "2.1",
            "id": "x-misp-object--a38d8b07-b456-42ae-b58a-036d656a2a25",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T10:14:25.000Z",
            "modified": "2021-02-04T10:14:25.000Z",
            "labels": [
                "misp:name=\"virustotal-report\"",
                "misp:meta-category=\"misc\""
            ],
            "x_misp_attributes": [
                {
                    "type": "datetime",
                    "object_relation": "last-submission",
                    "value": "2021-02-03T19:38:17+00:00",
                    "category": "Other",
                    "uuid": "75e9f292-c358-4b12-897a-66c78643e7ec"
                },
                {
                    "type": "link",
                    "object_relation": "permalink",
                    "value": "https://www.virustotal.com/gui/file/12c5c5d556394aa107a433144c185a686aba3bb44389b7241d84bea766e2aea3/detection/f-12c5c5d556394aa107a433144c185a686aba3bb44389b7241d84bea766e2aea3-1612381097",
                    "category": "Payload delivery",
                    "uuid": "70cd68f7-0a97-44d5-8a20-9e48050e725e"
                },
                {
                    "type": "text",
                    "object_relation": "detection-ratio",
                    "value": "25/60",
                    "category": "Payload delivery",
                    "uuid": "ee1c3b33-7bae-4e3c-ba79-09d0275c372c"
                }
            ],
            "x_misp_meta_category": "misc",
            "x_misp_name": "virustotal-report"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--3b265851-d607-41db-883a-3cdf383f8c65",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T10:14:25.000Z",
            "modified": "2021-02-04T10:14:25.000Z",
            "pattern": "[file:hashes.MD5 = '018d88b8203bdea0fe4dc5b4baa930c4' AND file:hashes.SHA1 = '4ea685a7fc013cf3476ad13e9dcf6f08d06af85a' AND file:hashes.SHA256 = '937842811b9e2eb87c4c19354a1a790315f2669eea58b63264f751de4da5438d']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2021-02-04T10:14:25Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "file"
                }
            ],
            "labels": [
                "misp:name=\"file\"",
                "misp:meta-category=\"file\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "x-misp-object",
            "spec_version": "2.1",
            "id": "x-misp-object--383195f4-cd06-40ad-b1f9-8a3f078d3c81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T10:14:25.000Z",
            "modified": "2021-02-04T10:14:25.000Z",
            "labels": [
                "misp:name=\"virustotal-report\"",
                "misp:meta-category=\"misc\""
            ],
            "x_misp_attributes": [
                {
                    "type": "datetime",
                    "object_relation": "last-submission",
                    "value": "2021-02-04T06:37:14+00:00",
                    "category": "Other",
                    "uuid": "d6fb239f-65d1-4aaa-b4a2-081e712bebaa"
                },
                {
                    "type": "link",
                    "object_relation": "permalink",
                    "value": "https://www.virustotal.com/gui/file/937842811b9e2eb87c4c19354a1a790315f2669eea58b63264f751de4da5438d/detection/f-937842811b9e2eb87c4c19354a1a790315f2669eea58b63264f751de4da5438d-1612420634",
                    "category": "Payload delivery",
                    "uuid": "5639436e-48e6-4452-a771-d4475af5fe82"
                },
                {
                    "type": "text",
                    "object_relation": "detection-ratio",
                    "value": "1/60",
                    "category": "Payload delivery",
                    "uuid": "7a643205-b7cc-437b-b564-d722e30939ed"
                }
            ],
            "x_misp_meta_category": "misc",
            "x_misp_name": "virustotal-report"
        },
        {
            "type": "x-misp-object",
            "spec_version": "2.1",
            "id": "x-misp-object--4a242786-2019-442c-a76c-a9b208d7a3c3",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2021-02-04T11:20:59.000Z",
            "modified": "2021-02-04T11:20:59.000Z",
            "labels": [
                "misp:name=\"report\"",
                "misp:meta-category=\"misc\""
            ],
            "x_misp_attributes": [
                {
                    "type": "link",
                    "object_relation": "link",
                    "value": "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/",
                    "category": "External analysis",
                    "uuid": "1765b652-f97a-46d0-b72d-148a81e51f13"
                },
                {
                    "type": "text",
                    "object_relation": "summary",
                    "value": "In January 2021, Unit 42 researchers detected a new malware campaign targeting Kubernetes clusters. The attackers gained initial access via a misconfigured kubelet that allowed anonymous access. Once getting a foothold into a Kubernetes cluster, the malware attempted to spread over as many containers as possible and eventually launched cryptojacking operations. Based on the tactics, techniques and procedures (TTP) that the attackers used, we believe this is a new campaign from TeamTNT. We refer to this new malware as Hildegard, the username of the tmate account that the malware used.\r\n\r\nTeamTNT is known for exploiting unsecured Docker daemons and deploying malicious container images, as documented in previous research (Cetus, Black-T and TeamTNT DDoS). However, this is the first time we found TeamTNT targeting Kubernetes environments. In addition to the same tools and domains identified in TeamTNT\u2019s previous campaigns, this new malware carries multiple new capabilities that make it more stealthy and persistent. In particular, we found that TeamTNT\u2019s Hildegard malware:\r\n\r\nUses two ways to establish command and control (C2) connections: a tmate reverse shell and an Internet Relay Chat (IRC) channel.\r\nUses a known Linux process name (bioset) to disguise the malicious process.\r\nUses a library injection technique based on LD_PRELOAD to hide the malicious processes.\r\nEncrypts the malicious payload inside a binary to make automated static analysis more difficult.\r\nWe believe that this new malware campaign is still under development due to its seemingly incomplete codebase and infrastructure. At the time of writing, most of Hildegard\u2019s infrastructure has been online for only a month. The C2 domain borg[.]wtf was registered on Dec. 24, 2020, the IRC server went online on Jan. 9, 2021, and some malicious scripts have been updated frequently. The malware campaign has ~25.05 KH/s hashing power, and there is 11 XMR (~$1,500) in the wallet.\r\n\r\nThere has not been any activity since our initial detection, which indicates the threat campaign may still be in the reconnaissance and weaponization stage. However, knowing this malware\u2019s capabilities and target environments, we have good reason to believe that the group will soon launch a larger-scale attack. The malware can leverage the abundant computing resources in Kubernetes environments for cryptojacking and potentially exfiltrate sensitive data from tens to thousands of applications running in the clusters.",
                    "category": "Other",
                    "uuid": "9e0c3854-65ec-491c-9338-42613794b6e4"
                }
            ],
            "x_misp_meta_category": "misc",
            "x_misp_name": "report"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--f478518f-6d94-4bc5-aaec-be0fe6974266",
            "created": "1970-01-01T00:00:00.000Z",
            "modified": "1970-01-01T00:00:00.000Z",
            "relationship_type": "analysed-with",
            "source_ref": "indicator--d5ed01ea-338f-445b-90e6-e5344378aa83",
            "target_ref": "x-misp-object--62edf8d4-05c9-4862-8d42-f8a4806a36bc"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--931aefcf-a87c-4f16-8e41-4b67d4753a09",
            "created": "1970-01-01T00:00:00.000Z",
            "modified": "1970-01-01T00:00:00.000Z",
            "relationship_type": "analysed-with",
            "source_ref": "indicator--387943cb-ee93-42dd-98b0-2c27066365df",
            "target_ref": "x-misp-object--10416647-701f-4247-93af-3e201abed9b2"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--c00ebd3d-f26b-4b7c-8a14-a310be7392f9",
            "created": "1970-01-01T00:00:00.000Z",
            "modified": "1970-01-01T00:00:00.000Z",
            "relationship_type": "analysed-with",
            "source_ref": "indicator--13c55aeb-731f-4f9f-bed7-54bc16691ee0",
            "target_ref": "x-misp-object--663a8f21-2bf4-499e-9f5c-ba6bd04faa87"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--1d70f5a0-2ea0-4ad0-a70f-ec4e6cb0c95f",
            "created": "1970-01-01T00:00:00.000Z",
            "modified": "1970-01-01T00:00:00.000Z",
            "relationship_type": "analysed-with",
            "source_ref": "indicator--1cc03dbc-d46a-4ee2-aef9-82cc7ef7c97a",
            "target_ref": "x-misp-object--1247892f-3395-4415-933b-581bc19ca772"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--ac1bf525-825a-40fe-ae35-5db89c4e798a",
            "created": "1970-01-01T00:00:00.000Z",
            "modified": "1970-01-01T00:00:00.000Z",
            "relationship_type": "analysed-with",
            "source_ref": "indicator--0c47742b-164b-4df9-8c71-ef7acafe77cc",
            "target_ref": "x-misp-object--7454fe7f-f8e1-45bc-acb5-b270c3d9d93d"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--44db2a3d-0cb3-43fb-aaaf-63e9a7c4eda3",
            "created": "1970-01-01T00:00:00.000Z",
            "modified": "1970-01-01T00:00:00.000Z",
            "relationship_type": "analysed-with",
            "source_ref": "indicator--b7657286-0c79-4c4e-9e45-b5c47795b70e",
            "target_ref": "x-misp-object--16f3ee0a-c011-439f-8bf5-2f88b5671de2"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--3a516f66-39c8-4393-9cd3-3d4f5e772fd6",
            "created": "1970-01-01T00:00:00.000Z",
            "modified": "1970-01-01T00:00:00.000Z",
            "relationship_type": "analysed-with",
            "source_ref": "indicator--cd4e86bb-5672-428e-ad55-00bd5ec27323",
            "target_ref": "x-misp-object--31ac78bf-1fb8-40f3-8c88-a6f5c1c1ed9c"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--4f63dc74-146a-4773-8788-5164aadd475a",
            "created": "1970-01-01T00:00:00.000Z",
            "modified": "1970-01-01T00:00:00.000Z",
            "relationship_type": "analysed-with",
            "source_ref": "indicator--172dce95-5a65-4cf0-b710-277a5832b326",
            "target_ref": "x-misp-object--cd6c16c4-35f5-474c-b49d-e5d213880efc"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--f3bff403-34a5-4b57-8e11-b20aec7213aa",
            "created": "1970-01-01T00:00:00.000Z",
            "modified": "1970-01-01T00:00:00.000Z",
            "relationship_type": "analysed-with",
            "source_ref": "indicator--de8d5991-babe-4c5d-9343-0a1bd17eaba9",
            "target_ref": "x-misp-object--a38d8b07-b456-42ae-b58a-036d656a2a25"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--1e5a4650-7294-47ee-8112-f8dd7915f298",
            "created": "1970-01-01T00:00:00.000Z",
            "modified": "1970-01-01T00:00:00.000Z",
            "relationship_type": "analysed-with",
            "source_ref": "indicator--3b265851-d607-41db-883a-3cdf383f8c65",
            "target_ref": "x-misp-object--383195f4-cd06-40ad-b1f9-8a3f078d3c81"
        },
        {
            "type": "marking-definition",
            "spec_version": "2.1",
            "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
            "created": "2017-01-20T00:00:00.000Z",
            "definition_type": "tlp",
            "name": "TLP:WHITE",
            "definition": {
                "tlp": "white"
            }
        }
    ]
}