misp-circl-feed/feeds/circl/stix-2.1/68cf0b2c-e449-4b2e-a7f7-b2b55cf951b5.json

783 lines
1.5 MiB
JSON
Raw Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--68cf0b2c-e449-4b2e-a7f7-b2b55cf951b5",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-17T13:54:13.000Z",
"modified": "2023-04-17T13:54:13.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--68cf0b2c-e449-4b2e-a7f7-b2b55cf951b5",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-17T13:54:13.000Z",
"modified": "2023-04-17T13:54:13.000Z",
"name": "SNOWYAMBER - Malware Analysis Report",
"published": "2023-04-18T07:18:11Z",
"object_refs": [
"observed-data--b85948e6-6b33-426d-bcd2-9917c8c876e1",
"file--b85948e6-6b33-426d-bcd2-9917c8c876e1",
"artifact--b85948e6-6b33-426d-bcd2-9917c8c876e1",
"indicator--2c9097c1-7c12-419f-a80a-8ee7740a006c",
"indicator--9af93eb7-62c1-4284-9f68-085df52485da",
"indicator--931b2bf8-8273-4a00-b720-79ef2cf0197f",
"indicator--0a3912ce-c191-4242-a648-16471e7b22ac",
"indicator--a07de07e-8918-48f9-a7ed-fe224af7debb",
"indicator--9320ff1a-1b4f-4215-a606-fa08d722bc50",
"indicator--b64caea6-1cfb-41bf-8500-44c68a6a4209",
"indicator--6d824e3d-4f47-47a1-bb16-004fbe3f883b",
"indicator--735b8086-30e6-48f0-b41f-176143a0cecd",
"indicator--2370ce17-a271-4cb6-b6eb-f7342ffc6415",
"indicator--4af4ff1a-5174-463c-b3d7-a5ed83251879",
"indicator--d984944c-9e4d-4a17-92df-5629b25f3195",
"indicator--b03218e2-51f5-4f6a-b346-5e3a32ce79e0",
"x-misp-object--443b388e-54ed-4a9d-b628-a6b90807a495",
"indicator--75ed444d-3ce9-470c-9ea7-dc4e6eb7c3ca",
"indicator--af58c5b3-e47e-4e9e-b841-c80cfa4cc91a",
"indicator--63cb13b4-f8d5-42eb-819d-7ae6f4c992ed",
"indicator--ba9983ca-8bd7-410c-a9e9-f96fa47fc920",
"indicator--ef951d3f-c15c-43db-ac22-67316faf4dfd",
"indicator--88421de8-4479-4a9c-9433-9d918795a10b",
"indicator--515a4264-5f6e-4690-b9b0-6eb6a31aa972",
"indicator--11702c83-79b9-4a02-9e48-93534a11ed08",
"indicator--2a667d0c-1f7f-41d4-8ba2-2e44d839b432",
"indicator--26da3ae3-4d28-49c3-a4d7-2b86cca4f59a",
"relationship--ace53eab-11cf-4575-9d5c-0dba29f7dc0f",
"relationship--c5a097d4-d08b-4bd9-a21a-aae566c17fd0",
"relationship--e6c20692-596a-4dbb-ac85-4d25f8aebf9a",
"relationship--808dd01e-b886-443a-b03c-fb56c57299eb",
"relationship--1251a2c3-6a8b-4590-8f99-066b5a1b066d",
"relationship--30d52f43-e736-43cb-8639-e62234468d88"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\"",
"tlp:clear",
"misp-galaxy:tool=\"SNOWYAMBER\"",
"misp-galaxy:mitre-attack-pattern=\"Virtual Private Server - T1583.003\"",
"misp-galaxy:mitre-attack-pattern=\"Web Services - T1583.006\"",
"misp-galaxy:mitre-attack-pattern=\"Compromise Infrastructure - T1584\"",
"misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
"misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"",
"misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\"",
"misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
"misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
"misp-galaxy:mitre-attack-pattern=\"Malicious Link - T1204.001\"",
"misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
"misp-galaxy:mitre-attack-pattern=\"DLL Search Order Hijacking - T1574.001\"",
"misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"",
"misp-galaxy:mitre-attack-pattern=\"HTML Smuggling - T1027.006\"",
"misp-galaxy:mitre-attack-pattern=\"Right-to-Left Override - T1036.002\"",
"misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
"misp-galaxy:mitre-attack-pattern=\"Mark-of-the-Web Bypass - T1553.005\"",
"misp-galaxy:mitre-attack-pattern=\"Web Service - T1102\"",
"misp-galaxy:mitre-attack-pattern=\"One-Way Communication - T1102.003\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--b85948e6-6b33-426d-bcd2-9917c8c876e1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-17T10:13:52.000Z",
"modified": "2023-04-17T10:13:52.000Z",
"first_observed": "2023-04-17T10:13:52Z",
"last_observed": "2023-04-17T10:13:52Z",
"number_observed": 1,
"object_refs": [
"file--b85948e6-6b33-426d-bcd2-9917c8c876e1",
"artifact--b85948e6-6b33-426d-bcd2-9917c8c876e1"
],
"labels": [
"misp:type=\"attachment\"",
"misp:category=\"External analysis\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--b85948e6-6b33-426d-bcd2-9917c8c876e1",
"name": "PhishMailImpers1.png",
"content_ref": "artifact--b85948e6-6b33-426d-bcd2-9917c8c876e1"
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--b85948e6-6b33-426d-bcd2-9917c8c876e1",
"payload_bin": "iVBORw0KGgoAAAANSUhEUgAABGgAAAJcCAYAAAClsZKxAAAABHNCSVQICAgIfAhkiAAAIABJREFUeJzs3Xl8Ddf/P/DXZL3ZiUgIIhEkFQRBEKV2aiuNWJoPbbX4WGopjdqraFVVlZaitVasFWup2neSiJ3crBLZEdn31++P2zsyudls9ft8e56Px33UnTlzzplzZq7O25xzJJKEIAiCIAiCIAiCIAiC8Nrove4KCIIgCIIgCIIgCIIg/NuJAI0gCIIgCIIgCIIgCMJrJgI0giAIgiAIgiAIgiAIr5kI0AiCIAiCIAiCIAiCILxmIkAjCIIgCIIgCIIgCILwmokAjSAIgiAIgiAIgiAIwmsmAjSCIAiCIAiCIAiCIAivmQjQCIIgCIIgCIIgCIIgvGYiQCMIgiAIgiAIgiAIgvCaiQCNIAiCIAiCIAiCIAjCa1apAE2nTp0gSRIkScK+ffteeiV69+4NPT09nDp16pmPzczMhCRJ8Pf3x61btyBJEi5cuKCTbvDgwZAkCWvWrHkZVVa4efMmJEnC2bNnX3re/yvCwsIgSRL++uuvV1rOq+hHGxsbLFiw4KXl909KSUmBJEnYtWvXC+Uzbdo0uLi4AAAGDRqEHj16vIzqPZOAkAyYT1DjYUbhP1ru7fg8mE9Q40J4dqWPGbkxAV2Xxb5w2Q7TI7D4yKMXzgcANpx/AvMJahQUsdLHZOYW4efTqei0NAY1pobDelIYGsyKxLB18Th+N+ul1EsQBEEQBEEQhMqpMECTmJiI06dPy9937tz50itx6dIlTJs2DR07dnzmY01NTSFJEszNzWFubg4A8n+1UlNTsW/fPjRt2hQbN258KXUurlatWli1ahXq169fqfS3bt2Co6PjS68HANja2iIqKuqF01TkVZ5DWV51P/6blbx/St5Dwv89Z9TZaPxFFI7fzcLnvaxxfa4jor+uh4MTasHTSYWPNiVg0o4ksPLxHkEQBEEQBEEQXkCFAZpdu3ahqKgITZo0AQDs27cPubm5L60CqampGDRo0HO/wSBJEkxNTWFubg4zMzMAugEaf39/mJqa4rvvvsP58+cRFhb2wvUurmrVqhgzZgxq1KhRqfRBQUEvtXyt+/fvIzk5+YXTVMarOofyvOp+/DczMzOT75vif66snJwcrFu3DpcvX34V1RNesj9uZmLYunisG14D20fZo3sjM9ha6MNCpYeGdkaY2KUqLkyvi5P3srHqVOrrru7/tNmzZyM6Ovp1V0MQBEEQBEH4H1BhgEb7xsy4cePg6uqKtLQ0HDlyRN4fEREBW1tbeQhURR/tUIzc3FzMmzcPrVq1wq+//gp7e3sMHjwYoaGhivLNzc0hSRIOHDhQZh0//vhjODo6wsLCAiNHjkS1atUU+zds2AAfHx907twZdevWxebNm3XyWLduHRo3bgxTU1PY2Njg3XffRWxsbKX2lxziFBMTAx8fH9jZ2cHExASNGjWSh+TMmzcPI0aMQHR0NCRJwvfffw8ACAwMRLdu3WBjYwNzc3O0bt1aMVxo1apVsLW1xaVLl+Dp6QkrKyvUq1cPv/76KwDg5MmTqFu3LgDAyckJ77zzjs45lpUmNjYWgwcPhrW1NYyNjdGkSRNs2bKlzPYu6xwAzZCz9957DxYWFrCyssLkyZNRWPh0yEpwcDB69OgBGxsbWFpaYuDAgZV+eKmoH7VtdPLkSbi7u8PMzAzu7u64du0aNm7ciIYNG8LS0hJvv/22TpCqoKAAkydPho2NDczMzDBgwAA8fPhQ3l9R/wAvdg1Vtoyff/4ZDg4OMDExgZeXF27duqXTTufOnUOHDh3kwGXnzp1x5coVef+PP/4IOzs77Nu3D3Z2dpg2bRo8PDwwcOBAAEDHjh3RrVu3SvVJfHw8Zs2ahTp16uCbb76BiYkJMnOLYD5BXepnw/knmvYuIqbsTEatz8JRY2o4PtiQgCfZRco+KSIWHXqI5l9Gw2ZKGNznR2HdmSeKNE4zIrDqVCpm7ElBw9mRqDktHIN+jkNiWuEz5VPSkj8fwW5qOK7GlB2MNtAD9l3LQLMvo2E9KQytF0Uj+H6OIs3GC2nwWKjZX8cvAh9uTEBSuu4QrpP3smA+QY1LkcrjbzzIhfkENf66oxludCUqB92/j0X1KWFwmR2JWQEpyC1QvuISlpSPLt/FoNrkMNSfGYktl9IU+5PSCzF2ayI2fVgDXVxNcSkyB12+i4HNlDA0/zIax+9moefyWPx2KQ2rhtnimyOPkF/4tIwN55+g1aJoVJ8SBofpERi2Lh4PUgvk/SkZhfh4cwJc50Si+pQwdFoagzPqp8PHZuxJKfXaaDg7EgBwL0Ez5Oy0OhtD1sbBYXoEnGZE4NOdySgsdonsDEqH1+L7sJsaDofpEfD5OQ6RKfny/nVnnsDx8wicUWejzdf3YftpGNp8fR83HuTit0tpcJ8fhRpTwzFwVRxSKhhW99ulNLRcqLl+PBZGY/NFTZtW5lq/desW6tevD29v73/1MFhBEARBEAShEliO+Ph46unpUU9Pj4mJiZw5cyYB0NfXV06jVqs5YMAAjh49mvr6+vL+iRMncuLEiZQkiQA4bNgwTpw4kSEhISTJvn37EgBtbGzo6+tLd3d3AmC1atV4//59OX8zMzMC4P79+8urapnu3LlDALxw4QJJctasWXRycmJRUZGc5vTp05QkiWvWrGFYWBgvXbrEDh06sG3btpXaf+PGDQLgmTNnSJJdunShl5cXL1++zLCwMP7000/U19fnkSNHmJmZyU8++YR16tRhcnIys7OzmZ2dzWrVqrFPnz68evUqb926xU8++YRmZmaMjY0lSa5du5ZGRkbs3bs3Y2JiWFRUxLlz59LQ0JCxsbHMy8vj9u3bCYDBwcFMS0vTaYvS0uTm5tLV1ZXu7u48deoUQ0NDOXfuXALg3r17S23T0s5BrVYTAJs1a8YVK1YwJCSE33zzDQFw27ZtJMn79+/T0tKSvXr14vXr13nlyhV26NCB9evXZ05Ozgv3o7aNhgwZwsePH/Px48d0cXFhvXr1+P777zMrK4uxsbGsXr06/fz85OOqVavGOnXqcMKECbxy5Qq3b99OS0tLDho0iCQr1T8veg1VtgwAnDJlCu/du8dDhw7Rw8ODALhz506S5L1796hSqThkyBBeu3aN165dY79+/WhhYcGYmBiS5Jo1a2hqasouXbrw0KFDjIiIKLftSxMYGEhfX18aGRnxzTff5J49e1hYWEiSLCoiw5PyFJ8J/om0+zSM6sRckuTXhx+y6kQ1N114wvCkPK49nUrX2RE0Gx/KlPQCkuRnu5NYfYqav136O82ZVFadqOaG80/kejSYFcEGsyK46cIT5hcWMfZxPp1nRHDi9kQ5TUX53IrLpdn4UJ4PyyJJ7rmazioT1TxyK6PM8/9wQzzd5kay38pYng/L4vmwLHp+Fc0WC6LkNFsvpdF8QiiXHHlIdWIuz6iz2PzLKLZfHE3tZVvHL5xfH37IoiKy8bxITtyWqChn/v4UNpgVwcIiMuphHu0+DePozQm8FJnNvSHpdJgezsk7kkiS68+l0uoTNXstj+H+axm8ej+HH2yIp9Unaj54nC/n+cX+FH64IZ4keS0mhzaT1fzqj4d8mFHAixHZbPNVNG2nhPGMWtMeb8yJ4OXIbJLkubAsmk8I5a/nUhmRnMcrUdns/n0MOy/V/GYXFpHtF0ezyReRPHkvk3fjczllRxKrTVbzVpym7x9mFCiujYsR2awxNYyf+GvOPTwpj2bjQ9nmq2hejNCUe+JuJs3Gh3J3ULrm+ovKpvmEUH6xP4X3EnIZGJXNXstj2OaraPk815/T9POI9fFMzSpkalYhm82PYuN5kRy9OYFZeUV88DifdaeHc/be5DL7OuBqOi0/CeWyvx4x+H4OVxx/TPMJodxzNb1S1zqp+f0aNWoUVSoVW7ZsyS1btjAvL6/MMgVBEARBEIR/p3IDNCtWrCAAduzYkSQZHBxMALS0tCz1gdrY2JgAePPmTXmbNmhz9epVedtff/1FANTX1+e9e/dIaoIHzZo1IwB
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--2c9097c1-7c12-419f-a80a-8ee7740a006c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-17T13:40:35.000Z",
"modified": "2023-04-17T13:40:35.000Z",
"description": "ENVYSCOUT delivering SNOWYAMBER ZIP",
"pattern": "[url:value = 'totalmassasje.no/schedule.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-17T13:40:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--9af93eb7-62c1-4284-9f68-085df52485da",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-17T13:40:35.000Z",
"modified": "2023-04-17T13:40:35.000Z",
"description": "ENVYSCOUT delivering SNOWYAMBER ISO",
"pattern": "[url:value = 'signitivelogics.com/Schedule.html']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-17T13:40:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--931b2bf8-8273-4a00-b720-79ef2cf0197f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-17T13:40:35.000Z",
"modified": "2023-04-17T13:40:35.000Z",
"description": "Cobalt Strike Team Server",
"pattern": "[url:value = 'humanecosmetics.com/category/noteworthy/6426-7346-9789']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-17T13:40:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--0a3912ce-c191-4242-a648-16471e7b22ac",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-17T13:40:35.000Z",
"modified": "2023-04-17T13:40:35.000Z",
"description": "ENVYSCOUT delivering SNOWYAMBER ISO",
"pattern": "[url:value = 'signitivelogics.com/BMW.html']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-17T13:40:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a07de07e-8918-48f9-a7ed-fe224af7debb",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-17T13:40:35.000Z",
"modified": "2023-04-17T13:40:35.000Z",
"description": "BRUTERATEL C2",
"pattern": "[domain-name:value = 'badriatimimi.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-17T13:40:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--9320ff1a-1b4f-4215-a606-fa08d722bc50",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-17T13:40:35.000Z",
"modified": "2023-04-17T13:40:35.000Z",
"description": "ENVYSCOUT delivering SNOWYAMBER ZIP",
"pattern": "[url:value = 'literaturaelsalvador.com/Instructions.html']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-17T13:40:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b64caea6-1cfb-41bf-8500-44c68a6a4209",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-17T13:40:35.000Z",
"modified": "2023-04-17T13:40:35.000Z",
"description": "ENVYSCOUT delivering SNOWYAMBER ISO",
"pattern": "[url:value = 'literaturaelsalvador.com/Schedule.html']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-17T13:40:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--6d824e3d-4f47-47a1-bb16-004fbe3f883b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-17T13:40:35.000Z",
"modified": "2023-04-17T13:40:35.000Z",
"description": "ENVYSCOUT URL",
"pattern": "[url:value = 'parquesanrafael.cl/note.html']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-17T13:40:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--735b8086-30e6-48f0-b41f-176143a0cecd",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-17T13:40:35.000Z",
"modified": "2023-04-17T13:40:35.000Z",
"description": "ENVYSCOUT URL",
"pattern": "[url:value = 'inovaoftalmologia.com.br/form.html']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-17T13:40:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--2370ce17-a271-4cb6-b6eb-f7342ffc6415",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-17T13:43:43.000Z",
"modified": "2023-04-17T13:43:43.000Z",
"description": "Used to distribute phishing emails with a link to ENVYSCOUT",
"pattern": "[email-message:from_ref.value = 'miodrag.sekulic@mod.gov.rs']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-17T13:43:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--4af4ff1a-5174-463c-b3d7-a5ed83251879",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-17T13:43:43.000Z",
"modified": "2023-04-17T13:43:43.000Z",
"description": "Used to distribute phishing emails with a link to ENVYSCOUT",
"pattern": "[email-message:from_ref.value = 'bohuslava.kopalova@seznam.cz']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-17T13:43:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d984944c-9e4d-4a17-92df-5629b25f3195",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-17T13:43:43.000Z",
"modified": "2023-04-17T13:43:43.000Z",
"description": "Used to distribute phishing emails with a link to i.php (reconnaissance?)",
"pattern": "[email-message:from_ref.value = 'navratilova.lucie.etnologie@seznam.cz']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-17T13:43:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b03218e2-51f5-4f6a-b346-5e3a32ce79e0",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-17T13:43:43.000Z",
"modified": "2023-04-17T13:43:43.000Z",
"description": "Used to distribute phishing emails with a link to ENVYSCOUT",
"pattern": "[email-message:from_ref.value = 'zdenek.holych@seznam.cz']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-17T13:43:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--443b388e-54ed-4a9d-b628-a6b90807a495",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-17T10:10:16.000Z",
"modified": "2023-04-17T10:10:16.000Z",
"labels": [
"misp:name=\"report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "link",
"value": "https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d",
"category": "External analysis",
"uuid": "b04589cb-5c03-42fc-b43f-205b9b450aeb"
},
{
"type": "text",
"object_relation": "summary",
"value": "SNOWYAMBER is a dropper that was used in an espionage campaign significantly overlapping with publicly described activity linked to the APT29 and NOBELIUM activity sets. SNOWYAMBER abuses the NOTION collaboration service as a communication channel. It does not contain any other capabilities aside from downloading and executing 2nd stage. To bypass security products, SNOWYAMBER uses several antidetection and obfuscation techniques, including string encryption, dynamic API resolving, EDR/AV unhooking, and direct syscalls.",
"category": "Other",
"uuid": "581fcaf2-9e37-4c87-9b3c-8d19b827bae3"
},
{
"type": "text",
"object_relation": "type",
"value": "Report",
"category": "Other",
"uuid": "ca09fdca-c324-4a9b-a2dd-0040f07675a9"
},
{
"type": "attachment",
"object_relation": "report-file",
"value": "SNOWYAMBER_.pdf",
"category": "External analysis",
"uuid": "746857c1-6069-48a8-ae9f-6e8d68f2e191",
"data": "JVBERi0xLjcNCiW1tbW1DQoxIDAgb2JqDQo8PC9UeXBlL0NhdGFsb2cvUGFnZXMgMiAwIFIvTGFuZyhlbi1VUykgL1N0cnVjdFRyZWVSb290IDEzNSAwIFIvTWFya0luZm88PC9NYXJrZWQgdHJ1ZT4+L01ldGFkYXRhIDEyOTcgMCBSL1ZpZXdlclByZWZlcmVuY2VzIDEyOTggMCBSPj4NCmVuZG9iag0KMiAwIG9iag0KPDwvVHlwZS9QYWdlcy9Db3VudCAyNC9LaWRzWyAzIDAgUiAxNSAwIFIgMjQgMCBSIDI2IDAgUiAyOSAwIFIgMzYgMCBSIDM3IDAgUiA0MCAwIFIgNDEgMCBSIDQ0IDAgUiA0NSAwIFIgNDcgMCBSIDQ4IDAgUiA0OSAwIFIgNTEgMCBSIDUyIDAgUiA1NCAwIFIgNTUgMCBSIDU2IDAgUiA1OCAwIFIgNjEgMCBSIDYzIDAgUiAxMjYgMCBSIDEzMCAwIFJdID4+DQplbmRvYmoNCjMgMCBvYmoNCjw8L1R5cGUvUGFnZS9QYXJlbnQgMiAwIFIvUmVzb3VyY2VzPDwvRm9udDw8L0YxIDUgMCBSL0YyIDkgMCBSL0YzIDExIDAgUi9GNCAxMyAwIFI+Pi9FeHRHU3RhdGU8PC9HUzcgNyAwIFIvR1M4IDggMCBSPj4vUHJvY1NldFsvUERGL1RleHQvSW1hZ2VCL0ltYWdlQy9JbWFnZUldID4+L01lZGlhQm94WyAwIDAgNTk1LjMyIDg0MS45Ml0gL0NvbnRlbnRzIDQgMCBSL0dyb3VwPDwvVHlwZS9Hcm91cC9TL1RyYW5zcGFyZW5jeS9DUy9EZXZpY2VSR0I+Pi9UYWJzL1MvU3RydWN0UGFyZW50cyAwPj4NCmVuZG9iag0KNCAwIG9iag0KPDwvRmlsdGVyL0ZsYXRlRGVjb2RlL0xlbmd0aCAxMDg2Pj4NCnN0cmVhbQ0KeJy9WNtu2zgQfRfgf+DTQipgmvfLoijguGm3xbrNxgaKRdAHNVFSA66dKmoK//3OyJfKlhRfwq4fCJMcac6cGc6M2OvnxeQ2vS7Iy5e9flGk11+zG3LVG8/vP/fGi/usd5HeTWZpMZnPeqMfXwpc+itLb7L81Sty9npAvnciRhn+nLOcMKK9plIQpzj1guRZJ/r0gsw60dm4E/XecMI5ZYqMbzsRSjPCifCWGkusN/jg+BvIvR1ZcvcAryZ35cytZm870VVMkq6CwVT/fCbj953oHHT804kCYJJcUMmrmEooGwSn6QNZcj4ckF4L7Wfzoph/a2f+zXxehGTeMuqEItJTHt5I0rtA84aDd68JC47ZGoZP7AFdA8JPAyII19SbRiBCU2eOBiLCA2GGquMZkeGASGmo9cQ4Q707GogKzogxlmp1NBB9GhD5BBDlqTwahwmPQzjqj8ZhT8UhG0Fo5xtAjBLO4w8Jl/HHhIv4Ew7/JlzHfRyGOD3D4RxFLvcgdoEQC2soty2I99HmTwOhCHeNtEHC0ysUVGtb7uZ31dlliWuYTn+meUb6s3S6eMASOUls/EAus/t5nsi4eFaxrMETWlGlD4e3N0NXakV3iYwLYd0aECjYRjjdLJTS3EnOcXHr4e2tpUGlM1tUCCg8pqJhS8xIhupg+Wsnun2xpvF3owX6ng931MI6r7OuHPcH2yEEsxXNjGljdrZWdlDHcccxtxoxSoSS1IM246jypUVGlQvKUuXKF0uHrYBWZbjhgvawwCHyNFWm1Rv/lxUY3cHMaPOSqHmJeekPjjZmOJO6YqBy1rjdvcrp0Niak6531MIevF66X9Ppep9Ds+xsmwd+I0Kk/ASIbezK+hngxvBTo0daJWxL9FQzJCLUmggIC1BhFKMKarjhdHn8pYTYIV2+0Sm8olqAjRA4u2mobtS6reLoT6k0tRr6EUWlJQL6NQ9BBX1jmefxHQz3f2J6R3Kflh+t9H3HF0OlREFHpSoFJdjAHYb0rxKyBazSZh329KYAie2uU0sKrrZaU1Nv9t7PJ0lXxDMsfCS9eVzWQ1h5gGLYlfGCfMHZ4s9aVXwWKAXeEqIN1N4aaAJzIxQ19W+UIRJQkjHFofxXpPmCDOY/ZomKiwwah3yCUiV/OJ1ui99lyXLzOkt0TEZZ/liuwzQon1p4CnmgxZC9fNrAfDLf9Kn1R1ibJbRU8DnVomyvzS6szQayDqtTPzhHd1/iMIYwoBA2F38H5sFzdHoLgB0eGqlYt+LYSuNpoAbAcItdPRxQyL3r7Bc9KVHJdxays8NbCLBAlYKSQI03qiXbiUpXe8izGyrq9x9AocMN2fBNwmV5JdaHs3gPnsgn0+UV2a4/ngcBdUNf2QSBYO3Dsje+vooFEzK0aqnxbqHZ+r13LjywE5yiriG9P3KKtLPAtmOrwVqVtpyD/wDS/EKiDQplbmRzdHJlYW0NCmVuZG9iag0KNSAwIG9iag0KPDwvVHlwZS9Gb250L1N1YnR5cGUvVHJ1ZVR5cGUvTmFtZS9GMS9CYXNlRm9udC9CQ0RFRUUrUmFqZGhhbmktUmVndWxhci9FbmNvZGluZy9XaW5BbnNpRW5jb2RpbmcvRm9udERlc2NyaXB0b3IgNiAwIFIvRmlyc3RDaGFyIDMyL0xhc3RDaGFyIDEyNS9XaWR0aHMgMTI3MyAwIFI+Pg0KZW5kb2JqDQo2IDAgb2JqDQo8PC9UeXBlL0ZvbnREZXNjcmlwdG9yL0ZvbnROYW1lL0JDREVFRStSYWpkaGFuaS1SZWd1bGFyL0ZsYWdzIDMyL0l0YWxpY0FuZ2xlIDAvQXNjZW50IDkzMC9EZXNjZW50IC0zNDYvQ2FwSGVpZ2h0IDkzMC9BdmdXaWR0aCA0NzcvTWF4V2lkdGggMjQzNi9Gb250V2VpZ2h0IDQwMC9YSGVpZ2h0IDI1MC9TdGVtViA0Ny9Gb250QkJveFsgLTQxNiAtMzQ2IDIwMjAgOTMwXSAvRm9udEZpbGUyIDEyNzEgMCBSPj4NCmVuZG9iag0KNyAwIG9iag0KPDwvVHlwZS9FeHRHU3RhdGUvQk0vTm9ybWFsL2NhIDE+Pg0KZW5kb2JqDQo4IDAgb2JqDQo8PC9UeXBlL0V4dEdTdGF0ZS9CTS9Ob3JtYWwvQ0EgMT4+DQplbmRvYmoNCjkgMCBvYmoNCjw8L1R5cGUvRm9udC9TdWJ0eXBlL1RydWVUeXBlL05hbWUvRjIvQmFzZUZvbnQvQkNERkVFK1ZlcmRhbmEtQm9sZC9FbmNvZGluZy9XaW5BbnNpRW5jb2RpbmcvRm9udERlc2NyaXB0b3IgMTAgMCBSL0ZpcnN0Q2hhciAzMi9MYXN0Q2hhciAzMi9XaWR0aHMgMTI3NCAwIFI+Pg0KZW5kb2JqDQoxMCAwIG9iag0KPDwvVHlwZS9Gb250RGVzY3JpcHRvci9Gb250TmFtZS9CQ0RGRUUrVmVyZGFuYS1Cb2xkL0ZsYWdzIDMyL0l0YWxpY0FuZ2xlIDAvQXNjZW50IDEwMDUvRGVzY2VudCAtMjA3L0NhcEhlaWdodCA3NjUvQXZnV2lkdGggNTY4L01heFdpZHRoIDIyNTcvRm9udFdlaWdodCA3MDAvWEhlaWdodCAyNTAvU3RlbVYgNTYvRm9udEJCb3hbIC01NTAgLTIwNyAxNzA3IDc2NV0gL0ZvbnRGaWxlMiAxMjc1IDAgUj4+DQplbmRvYmoNCjExIDAgb2JqDQo8PC9UeXBlL0ZvbnQvU3VidHlwZS9UcnVlVHlwZS9OYW1lL0YzL0Jhc2VGb250L0JDREdFRStSYWpkaGFuaS1TZW1pQm9sZC9FbmNvZGluZy9XaW5BbnNpRW5jb2RpbmcvRm9udERlc2NyaXB0b3IgMTIgMCBSL0ZpcnN0Q2hhciAzMi9MYXN0Q2hhciAxMjEvV2lkdGhzIDEyNzkgMCBSPj4NCmVuZG9iag0KMTIgMCBvYmoNCjw8L1R5cGUvRm9udERlc2NyaXB0b3IvRm9udE5hbWUvQkNER0VFK1JhamRoYW5pLV
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--75ed444d-3ce9-470c-9ea7-dc4e6eb7c3ca",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-17T11:35:13.000Z",
"modified": "2023-04-17T11:35:13.000Z",
"pattern": "[file:name = 'vcruntime140.dll']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-17T11:35:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--af58c5b3-e47e-4e9e-b841-c80cfa4cc91a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-17T11:34:34.000Z",
"modified": "2023-04-17T11:34:34.000Z",
"pattern": "[file:name = 'schedule.zip']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-17T11:34:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--63cb13b4-f8d5-42eb-819d-7ae6f4c992ed",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-17T13:09:19.000Z",
"modified": "2023-04-17T13:09:19.000Z",
"pattern": "[file:hashes.MD5 = 'd0efe94196b4923eb644ec0b53d226cc' AND file:hashes.SHA1 = 'c938934c0f5304541087313382aee163e0c5239c' AND file:hashes.SHA256 = '381a3c6c7e119f58dfde6f03a9890353a20badfa1bfa7c38ede62c6b0692103c' AND file:name = '7za.dll' AND file:size = '270336']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-17T13:09:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--ba9983ca-8bd7-410c-a9e9-f96fa47fc920",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-17T11:35:28.000Z",
"modified": "2023-04-17T11:35:28.000Z",
"pattern": "[file:name = 'november_schedulexe.pdf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-17T11:35:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--ef951d3f-c15c-43db-ac22-67316faf4dfd",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-17T11:55:08.000Z",
"modified": "2023-04-17T11:55:08.000Z",
"pattern": "[file:name = 'Instructions.lnk']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-17T11:55:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--88421de8-4479-4a9c-9433-9d918795a10b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-17T13:13:28.000Z",
"modified": "2023-04-17T13:13:28.000Z",
"description": "It seems that the adversary made a mistake while compiling this sample. Internal functions were added to exports (authored by the adversary as well as those from libraries: SysWhispers3, Nlohmann JSON, Obfuscate). While binary itself is stripped, those exported functions have names that can be demangled revealing naming, prototypes and datatypes.",
"pattern": "[file:hashes.MD5 = 'cf36bf564fbb7d5ec4cec9b0f185f6c9' AND file:hashes.SHA1 = '8eb64670c10505322d45f6114bc9f7de0826e3a1' AND file:hashes.SHA256 = 'e957326b2167fa7ccd508cbf531779a28bfce75eb2635ab81826a522979aeb98' AND file:name = 'BugSplatRc64.dll' AND file:size = '271360']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-02-08T00:00:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--515a4264-5f6e-4690-b9b0-6eb6a31aa972",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-17T12:52:58.000Z",
"modified": "2023-04-17T12:52:58.000Z",
"name": "APT29_SNOWYAMBER",
"pattern": "rule APT29_SNOWYAMBER\r\n{\r\nmeta:\r\ndescription = \\\\\"Detects APT29-linked SNOWYAMBER dropper\\\\\"\r\nstrings:\r\n// Payload decryption loop\r\n// Custom algorithm based on XOR\r\n$op_decrypt_payload = {49 8B 45 08 48 ?? ?? ?? 48 39 ?? 76 2B 48 89 C8 31 D2 4C 8B 4C 24 ?? 48 F7 74 24 ?? 49 8B 45\r\n00 41 8A 14 11 32 54 08 10 89 C8 41 0F AF C0 31 C2 88 14 0B 48 FF C1}\r\n// Decryption routine generated by Obfuscate library\r\n$op_decrypt_string = {48 39 D0 74 19 48 89 C1 4D 89 C2 83 E1 07 48 C1 E1 03 49 D3 EA 45 30 14 01 48 FF C0 EB E2}\r\n// Hardcoded inital value used as beaconing counter\r\n$op_initialize_emoji = {C6 [3] A5 66 [4] F0 9F}\r\n// src/json.hpp - string left in binary using nlohmann JSON\r\n$str_nlohmann = {73 72 63 2F 6A 73 6F 6E 2E 68 70 70 00}\r\ncondition:\r\nuint16(0) == 0x5A4D\r\nand\r\nfilesize < 500KB\r\nand\r\n$str_nlohmann\r\nand\r\n$op_decrypt_string\r\nand\r\n($op_initialize_emoji or $op_decrypt_payload)\r\n}",
"pattern_type": "yara",
"valid_from": "2023-04-17T12:52:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--11702c83-79b9-4a02-9e48-93534a11ed08",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-17T13:23:23.000Z",
"modified": "2023-04-17T13:23:23.000Z",
"pattern": "[file:hashes.MD5 = '82ecb8474efe5fedcb8f57b8aafa93d2' AND file:hashes.SHA1 = '3fd43de3c9f7609c52da71c1fc4c01ce0b5ac74c' AND file:hashes.SHA256 = '4d92a4cecb62d237647a20d2cdfd944d5a29c1a14b274d729e9c8ccca1f0b68b' AND file:name = 'BugSplatRc64.dll' AND file:size = '301056']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-17T13:23:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--2a667d0c-1f7f-41d4-8ba2-2e44d839b432",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-17T13:33:33.000Z",
"modified": "2023-04-17T13:33:33.000Z",
"description": "2nd stage - CobaltStrike beacon (decrypted)",
"pattern": "[file:hashes.MD5 = '800db035f9b6f1e86a7f446a8a8e3947' AND file:hashes.SHA1 = 'aaf973a56b17a0a82cf1b3a49ff68da1c50283d4' AND file:hashes.SHA256 = '032855b043108967a6c2de154624c16b70a0b7d0d0a0e93064b387f59537cc1e' AND file:name = 'hXaIk1725.pdf' AND file:size = '261635']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-17T13:33:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--26da3ae3-4d28-49c3-a4d7-2b86cca4f59a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-17T13:35:25.000Z",
"modified": "2023-04-17T13:35:25.000Z",
"description": "2nd stage \u2013 BruteRatel stageless badger (decrypted)",
"pattern": "[file:hashes.MD5 = '0e594576bb36b025e80eab7c35dc885e' AND file:hashes.SHA1 = 'a8a82a7da2979b128cbeddf4e70f9d5725ef666b' AND file:hashes.SHA256 = 'ec687a447ca036b10c28c1f9e1e9cef9f2078fdbc2ffdb4d8dd32e834b310c0d' AND file:name = 'hXaIk1314.pdf' AND file:size = '347837']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-17T13:35:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--ace53eab-11cf-4575-9d5c-0dba29f7dc0f",
"created": "2023-04-17T11:35:13.000Z",
"modified": "2023-04-17T11:35:13.000Z",
"relationship_type": "contained-within",
"source_ref": "indicator--75ed444d-3ce9-470c-9ea7-dc4e6eb7c3ca",
"target_ref": "indicator--af58c5b3-e47e-4e9e-b841-c80cfa4cc91a"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--c5a097d4-d08b-4bd9-a21a-aae566c17fd0",
"created": "2023-04-17T11:33:58.000Z",
"modified": "2023-04-17T11:33:58.000Z",
"relationship_type": "contains",
"source_ref": "indicator--af58c5b3-e47e-4e9e-b841-c80cfa4cc91a",
"target_ref": "indicator--63cb13b4-f8d5-42eb-819d-7ae6f4c992ed"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--e6c20692-596a-4dbb-ac85-4d25f8aebf9a",
"created": "2023-04-17T11:34:12.000Z",
"modified": "2023-04-17T11:34:12.000Z",
"relationship_type": "contains",
"source_ref": "indicator--af58c5b3-e47e-4e9e-b841-c80cfa4cc91a",
"target_ref": "indicator--ba9983ca-8bd7-410c-a9e9-f96fa47fc920"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--808dd01e-b886-443a-b03c-fb56c57299eb",
"created": "2023-04-17T11:34:34.000Z",
"modified": "2023-04-17T11:34:34.000Z",
"relationship_type": "contains",
"source_ref": "indicator--af58c5b3-e47e-4e9e-b841-c80cfa4cc91a",
"target_ref": "indicator--75ed444d-3ce9-470c-9ea7-dc4e6eb7c3ca"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--1251a2c3-6a8b-4590-8f99-066b5a1b066d",
"created": "2023-04-17T11:35:38.000Z",
"modified": "2023-04-17T11:35:38.000Z",
"relationship_type": "contained-within",
"source_ref": "indicator--63cb13b4-f8d5-42eb-819d-7ae6f4c992ed",
"target_ref": "indicator--af58c5b3-e47e-4e9e-b841-c80cfa4cc91a"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--30d52f43-e736-43cb-8639-e62234468d88",
"created": "2023-04-17T11:35:28.000Z",
"modified": "2023-04-17T11:35:28.000Z",
"relationship_type": "contained-within",
"source_ref": "indicator--ba9983ca-8bd7-410c-a9e9-f96fa47fc920",
"target_ref": "indicator--af58c5b3-e47e-4e9e-b841-c80cfa4cc91a"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}