{
"type": "bundle",
"id": "bundle--58e73aab-3530-44d8-94b7-4cbf950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-07T10:13:39.000Z",
"modified": "2017-04-07T10:13:39.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--58e73aab-3530-44d8-94b7-4cbf950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-07T10:13:39.000Z",
"modified": "2017-04-07T10:13:39.000Z",
"name": "OSINT - High-Volume Dridex Campaigns Return, First to Hit Millions Since June 2016",
"published": "2017-04-07T10:15:39Z",
"object_refs": [
"indicator--58e73b5f-bd3c-4749-b338-4683950d210f",
"indicator--58e73b60-9508-41a5-b5d4-4076950d210f",
"indicator--58e73b61-5820-4259-bf31-47ad950d210f",
"observed-data--58e73b73-775c-4c97-a655-4120950d210f",
"url--58e73b73-775c-4c97-a655-4120950d210f",
"indicator--58e73cbd-d934-4c4f-9673-4aed950d210f",
"indicator--58e73cbe-0a68-4d90-9596-450a950d210f",
"indicator--58e73cbf-c770-4e6d-97b8-4004950d210f",
"indicator--58e73cc0-08cc-4ade-84b3-44fa950d210f",
"indicator--58e73cc1-ce74-4efe-b509-483d950d210f",
"indicator--58e73cc2-0044-43f2-8a9f-4cd3950d210f",
"indicator--58e73cc3-5ad8-48e1-ae5e-4e5f950d210f",
"indicator--58e73d58-13c4-4a30-8f9b-4072950d210f",
"indicator--58e73d59-2f14-4f5d-8b44-4275950d210f",
"indicator--58e73d5a-3b5c-4902-a0c9-4608950d210f",
"indicator--58e73d5b-aab0-4ab1-85b4-4007950d210f",
"indicator--58e73da3-cf44-49cc-9c82-4fd1950d210f",
"indicator--58e73da4-a844-4319-851a-491c950d210f",
"indicator--58e73de0-26d0-4e32-b380-47e4950d210f",
"indicator--58e73de1-26f8-4352-862a-4204950d210f",
"indicator--58e73de2-9c50-4fe6-99d3-431e950d210f",
"indicator--58e73de3-cee8-4425-9217-43c2950d210f",
"indicator--58e73de5-d9c8-48b4-91ce-40cf950d210f",
"indicator--58e73de6-1c44-421f-b169-465c950d210f",
"x-misp-attribute--58e73e57-0c84-41fe-a209-491d950d210f",
"indicator--58e73fc0-6d00-4fcd-9200-4af8950d210f",
"indicator--58e73fc2-fbf8-4eb2-b55e-47f9950d210f",
"indicator--58e73fc4-5f60-4ad3-b30c-42bf950d210f",
"indicator--58e73fc6-f0a0-4574-89c8-4dee950d210f",
"indicator--58e73fc8-4d50-453a-af40-4238950d210f",
"indicator--58e73fca-7608-49de-8ecf-4130950d210f",
"indicator--58e73fcc-4910-4c8e-817e-4be1950d210f",
"indicator--58e73fce-f480-4d25-be75-4505950d210f",
"indicator--58e73ff3-8c9c-4cd0-b98b-4e5d950d210f",
"indicator--58e73ff4-ecfc-48fd-9970-4075950d210f",
"indicator--58e73ff5-1f6c-4567-bb07-4a94950d210f",
"indicator--58e76654-0f90-4af3-9d77-499302de0b81",
"indicator--58e76655-1eb0-46f4-b791-413602de0b81",
"observed-data--58e76656-b394-4f3d-8498-40ac02de0b81",
"url--58e76656-b394-4f3d-8498-40ac02de0b81",
"indicator--58e76657-0cf8-48f2-9e77-45eb02de0b81",
"indicator--58e76658-8684-4696-9e23-4c7402de0b81",
"observed-data--58e76659-b41c-4a12-afdf-41af02de0b81",
"url--58e76659-b41c-4a12-afdf-41af02de0b81",
"indicator--58e7665a-89dc-48f5-a69e-4d3b02de0b81",
"indicator--58e7665b-d364-4005-b2c2-406902de0b81",
"observed-data--58e7665c-5394-4250-9d8c-49f302de0b81",
"url--58e7665c-5394-4250-9d8c-49f302de0b81",
"indicator--58e7665d-3844-4f1f-9fa8-40e202de0b81",
"indicator--58e7665e-9778-483d-9712-4e2202de0b81",
"observed-data--58e7665f-c77c-4b35-acd9-4f0302de0b81",
"url--58e7665f-c77c-4b35-acd9-4f0302de0b81",
"indicator--58e76660-f4ec-4ac7-96c6-4e9202de0b81",
"indicator--58e76660-28a0-4837-b925-405202de0b81",
"observed-data--58e76661-edf0-4e21-945d-4df102de0b81",
"url--58e76661-edf0-4e21-945d-4df102de0b81",
"indicator--58e76662-6f30-4eeb-987b-441602de0b81",
"indicator--58e76663-b798-454f-887a-460502de0b81",
"observed-data--58e76664-e204-4ed7-8ab0-439c02de0b81",
"url--58e76664-e204-4ed7-8ab0-439c02de0b81",
"indicator--58e76665-f120-4ccd-a42c-4e7502de0b81",
"indicator--58e76666-87b4-420b-92f6-433c02de0b81",
"observed-data--58e76667-b1b0-43d3-bacd-413102de0b81",
"url--58e76667-b1b0-43d3-bacd-413102de0b81",
"indicator--58e76668-dbac-41b1-84c0-41fc02de0b81",
"indicator--58e76669-a3c0-454b-8635-43ea02de0b81",
"observed-data--58e7666a-9bb8-40ac-a37a-4e9402de0b81",
"url--58e7666a-9bb8-40ac-a37a-4e9402de0b81",
"indicator--58e7666b-5a48-4cf6-a3f5-4cb502de0b81",
"indicator--58e7666c-7810-4fa4-9361-4e4d02de0b81",
"observed-data--58e7666d-4628-4053-a1a9-4bb602de0b81",
"url--58e7666d-4628-4053-a1a9-4bb602de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:tool=\"Dridex\"",
"osint:source-type=\"blog-post\"",
"type:OSINT"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e73b5f-bd3c-4749-b338-4683950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-07T10:12:57.000Z",
"modified": "2017-04-07T10:12:57.000Z",
"description": "VBS Downloader Example",
"pattern": "[file:hashes.SHA256 = '84c9028a1d25e5f171c170179f2f1ea3e1eab9514812ab9e4b617de822b46e69']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-07T10:12:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e73b60-9508-41a5-b5d4-4076950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-07T10:12:57.000Z",
"modified": "2017-04-07T10:12:57.000Z",
"description": "Macro Document",
"pattern": "[file:hashes.SHA256 = '1ac8931791374c156c8e619b4ca66fdcbd31a56203fa3a429d981e20955099c8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-07T10:12:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e73b61-5820-4259-bf31-47ad950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-07T10:12:57.000Z",
"modified": "2017-04-07T10:12:57.000Z",
"description": "Macro Document",
"pattern": "[file:hashes.SHA256 = '743f6538c1dc1b224e443356f9bf3ae3954f2dea2c3b6e7986a5bc410b8dda20']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-07T10:12:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58e73b73-775c-4c97-a655-4120950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-07T10:13:15.000Z",
"modified": "2017-04-07T10:13:15.000Z",
"first_observed": "2017-04-07T10:13:15Z",
"last_observed": "2017-04-07T10:13:15Z",
"number_observed": 1,
"object_refs": [
"url--58e73b73-775c-4c97-a655-4120950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58e73b73-775c-4c97-a655-4120950d210f",
"value": "https://www.proofpoint.com/us/threat-insight/post/high-volume-dridex-campaigns-return"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e73cbd-d934-4c4f-9673-4aed950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-07T10:12:57.000Z",
"modified": "2017-04-07T10:12:57.000Z",
"description": "Document Payload",
"pattern": "[url:value = 'http://meyermuehltal.de/0h656jk']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-07T10:12:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e73cbe-0a68-4d90-9596-450a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-07T10:12:57.000Z",
"modified": "2017-04-07T10:12:57.000Z",
"description": "Document Payload",
"pattern": "[url:value = 'http://technologyservice.eu/0h656jk']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-07T10:12:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e73cbf-c770-4e6d-97b8-4004950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-07T10:12:57.000Z",
"modified": "2017-04-07T10:12:57.000Z",
"description": "Document Payload",
"pattern": "[url:value = 'http://tspars.com/0h656jk']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-07T10:12:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e73cc0-08cc-4ade-84b3-44fa950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-07T10:12:57.000Z",
"modified": "2017-04-07T10:12:57.000Z",
"description": "Document Payload",
"pattern": "[url:value = 'http://thaipowertools.com/0h656jk']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-07T10:12:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e73cc1-ce74-4efe-b509-483d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-07T10:12:57.000Z",
"modified": "2017-04-07T10:12:57.000Z",
"description": "Document Payload",
"pattern": "[url:value = 'http://www.movimentodiesel.gr/0h656jk']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-07T10:12:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e73cc2-0044-43f2-8a9f-4cd3950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-07T10:12:57.000Z",
"modified": "2017-04-07T10:12:57.000Z",
"description": "Document Payload",
"pattern": "[url:value = 'http://lhgarden.org/0h656jk']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-07T10:12:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e73cc3-5ad8-48e1-ae5e-4e5f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-07T10:12:57.000Z",
"modified": "2017-04-07T10:12:57.000Z",
"description": "Document Payload",
"pattern": "[url:value = 'http://www.soulcube.com/0h656jk']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-07T10:12:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e73d58-13c4-4a30-8f9b-4072950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-07T10:12:57.000Z",
"modified": "2017-04-07T10:12:57.000Z",
"description": "VBS Payload",
"pattern": "[url:value = 'http://roylgrafix.com/76gbce?']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-07T10:12:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e73d59-2f14-4f5d-8b44-4275950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-07T10:12:57.000Z",
"modified": "2017-04-07T10:12:57.000Z",
"description": "VBS Payload",
"pattern": "[url:value = 'http://signwaves.net/76gbce?']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-07T10:12:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e73d5a-3b5c-4902-a0c9-4608950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-07T10:12:57.000Z",
"modified": "2017-04-07T10:12:57.000Z",
"description": "VBS Payload",
"pattern": "[url:value = 'http://testsite.prosun.com/76gbce?']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-07T10:12:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e73d5b-aab0-4ab1-85b4-4007950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-07T10:12:57.000Z",
"modified": "2017-04-07T10:12:57.000Z",
"description": "VBS Payload",
"pattern": "[url:value = 'http://omurongen.com/76gbce?']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-07T10:12:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e73da3-cf44-49cc-9c82-4fd1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-07T10:12:57.000Z",
"modified": "2017-04-07T10:12:57.000Z",
"description": "Smoke Loader Payload",
"pattern": "[url:value = 'http://pastasmolinero.es/76gf33']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-07T10:12:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e73da4-a844-4319-851a-491c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-07T10:12:57.000Z",
"modified": "2017-04-07T10:12:57.000Z",
"description": "Quant Loader Payload",
"pattern": "[url:value = 'http://nzhat.net/9jgtyft6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-07T10:12:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e73de0-26d0-4e32-b380-47e4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-07T10:12:57.000Z",
"modified": "2017-04-07T10:12:57.000Z",
"description": "Dridex Botnet 7500 Loader",
"pattern": "[file:hashes.SHA256 = 'dfd99e050505ec41bc41fbaf51fee908fcda8c17a1bc92623748d34915c5bc0a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-07T10:12:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e73de1-26f8-4352-862a-4204950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-07T10:12:57.000Z",
"modified": "2017-04-07T10:12:57.000Z",
"description": "Dridex Botnet 7500 Loader",
"pattern": "[file:hashes.SHA256 = '20b61b6ce821f8011f2cb1a409e6221b7bc1ae3a0cde56d66b025d12d640ee81']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-07T10:12:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e73de2-9c50-4fe6-99d3-431e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-07T10:12:57.000Z",
"modified": "2017-04-07T10:12:57.000Z",
"description": "Smoke Loader",
"pattern": "[file:hashes.SHA256 = '4d76f25637f4193457b124290f878a47b5b9361ff486b79dc48a2d5c3648de02']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-07T10:12:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e73de3-cee8-4425-9217-43c2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-07T10:12:57.000Z",
"modified": "2017-04-07T10:12:57.000Z",
"description": "Dridex Botnet 7200 Loader",
"pattern": "[file:hashes.SHA256 = '379466fd81787399f7da3bfaab288c4b67ba3518c0225d1deabf9bc833dcaa22']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-07T10:12:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e73de5-d9c8-48b4-91ce-40cf950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-07T10:12:57.000Z",
"modified": "2017-04-07T10:12:57.000Z",
"description": "Dridex Botnet 7200 Loader",
"pattern": "[file:hashes.SHA256 = '6adda664e3ab2936a8dbe8e95e10d33e34d13fbe375123c69abf3ac5fbf52fcd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-07T10:12:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e73de6-1c44-421f-b169-465c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-07T10:12:57.000Z",
"modified": "2017-04-07T10:12:57.000Z",
"description": "Quant Loader",
"pattern": "[file:hashes.SHA256 = 'ac4d02637e1e01b16062f368658275cb8400b21f6592819d3a09dbee31cb5cc1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-07T10:12:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58e73e57-0c84-41fe-a209-491d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-07T10:12:57.000Z",
"modified": "2017-04-07T10:12:57.000Z",
"labels": [
"misp:type=\"other\"",
"misp:category=\"Payload delivery\""
],
"x_misp_category": "Payload delivery",
"x_misp_comment": "Dridex Botnet 7200 Loader",
"x_misp_type": "other",
"x_misp_value": "5054518c52e70f86a6e42641b094e9b64df96bd65C&C9ab0d21e810dcf14c87b5|SHA256|Dridex Botnet 7200 Loader"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e73fc0-6d00-4fcd-9200-4af8950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-07T10:12:57.000Z",
"modified": "2017-04-07T10:12:57.000Z",
"description": "Dridex Loader C&C",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '8.8.247.36' AND network-traffic:dst_port = '443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-07T10:12:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e73fc2-fbf8-4eb2-b55e-47f9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-07T10:12:57.000Z",
"modified": "2017-04-07T10:12:57.000Z",
"description": "Dridex Loader C&C",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '81.12.229.190' AND network-traffic:dst_port = '8043']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-07T10:12:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e73fc4-5f60-4ad3-b30c-42bf950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-07T10:12:57.000Z",
"modified": "2017-04-07T10:12:57.000Z",
"description": "Dridex Loader C&C",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '107.170.0.14' AND network-traffic:dst_port = '8043']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-07T10:12:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e73fc6-f0a0-4574-89c8-4dee950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-07T10:12:57.000Z",
"modified": "2017-04-07T10:12:57.000Z",
"description": "Dridex Loader C&C",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '37.120.172.171' AND network-traffic:dst_port = '4143']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-07T10:12:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e73fc8-4d50-453a-af40-4238950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-07T10:12:57.000Z",
"modified": "2017-04-07T10:12:57.000Z",
"description": "Dridex Loader C&C",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '91.219.28.55' AND network-traffic:dst_port = '443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-07T10:12:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e73fca-7608-49de-8ecf-4130950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-07T10:12:57.000Z",
"modified": "2017-04-07T10:12:57.000Z",
"description": "Dridex Loader C&C",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '178.32.255.130' AND network-traffic:dst_port = '44343']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-07T10:12:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"ip-dst|port\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58e73fcc-4910-4c8e-817e-4be1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-04-07T10:12:57.000Z",
"modified": "2017-04-07T10:12:57.000Z",
"description": "Dridex Loader C&C",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '217.197.39.1' AND network-traffic:dst_port = '8443']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-04-07T10:12:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
|
|
|
|
"misp:type=\"ip-dst|port\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--58e73fce-f480-4d25-be75-4505950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:12:57.000Z",
|
|
|
|
"modified": "2017-04-07T10:12:57.000Z",
|
|
|
|
"description": "Dridex Loader C&C",
|
|
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '195.88.209.221' AND network-traffic:dst_port = '4413']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-04-07T10:12:57Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"ip-dst|port\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--58e73ff3-8c9c-4cd0-b98b-4e5d950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:12:57.000Z",
|
|
|
|
"modified": "2017-04-07T10:12:57.000Z",
|
|
|
|
"description": "Smoke Loader C&C",
|
|
|
|
"pattern": "[url:value = 'http://justjohnwilhertthet.ws/m/']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-04-07T10:12:57Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--58e73ff4-ecfc-48fd-9970-4075950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:12:57.000Z",
|
|
|
|
"modified": "2017-04-07T10:12:57.000Z",
|
|
|
|
"description": "Quant Loader C&C",
|
|
|
|
"pattern": "[url:value = 'http://jusevengwassresbet.ws/q/index.php']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-04-07T10:12:57Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--58e73ff5-1f6c-4567-bb07-4a94950d210f",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:12:57.000Z",
|
|
|
|
"modified": "2017-04-07T10:12:57.000Z",
|
|
|
|
"description": "Quant Loader C&C",
|
|
|
|
"pattern": "[url:value = 'http://sinmanarattot.ws/q/index.php']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-04-07T10:12:57Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Network activity"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"url\"",
|
|
|
|
"misp:category=\"Network activity\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--58e76654-0f90-4af3-9d77-499302de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:13:40.000Z",
|
|
|
|
"modified": "2017-04-07T10:13:40.000Z",
|
|
|
|
"description": "Quant Loader - Xchecked via VT: ac4d02637e1e01b16062f368658275cb8400b21f6592819d3a09dbee31cb5cc1",
|
|
|
|
"pattern": "[file:hashes.SHA1 = '155863bcd4ea677986beb13b1e519f3f71cf2183']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-04-07T10:13:40Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--58e76655-1eb0-46f4-b791-413602de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:13:41.000Z",
|
|
|
|
"modified": "2017-04-07T10:13:41.000Z",
|
|
|
|
"description": "Quant Loader - Xchecked via VT: ac4d02637e1e01b16062f368658275cb8400b21f6592819d3a09dbee31cb5cc1",
|
|
|
|
"pattern": "[file:hashes.MD5 = '3ede7214e1fe848aefd67e8d11beec00']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-04-07T10:13:41Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--58e76656-b394-4f3d-8498-40ac02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:13:42.000Z",
|
|
|
|
"modified": "2017-04-07T10:13:42.000Z",
|
|
|
|
"first_observed": "2017-04-07T10:13:42Z",
|
|
|
|
"last_observed": "2017-04-07T10:13:42Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"url--58e76656-b394-4f3d-8498-40ac02de0b81"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"link\"",
|
|
|
|
"misp:category=\"External analysis\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "url",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "url--58e76656-b394-4f3d-8498-40ac02de0b81",
|
|
|
|
"value": "https://www.virustotal.com/file/ac4d02637e1e01b16062f368658275cb8400b21f6592819d3a09dbee31cb5cc1/analysis/1491538426/"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--58e76657-0cf8-48f2-9e77-45eb02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:13:43.000Z",
|
|
|
|
"modified": "2017-04-07T10:13:43.000Z",
|
|
|
|
"description": "Dridex Botnet 7200 Loader - Xchecked via VT: 6adda664e3ab2936a8dbe8e95e10d33e34d13fbe375123c69abf3ac5fbf52fcd",
|
|
|
|
"pattern": "[file:hashes.SHA1 = '694266450ffedf4008f0cf0e5573c63c56f2e5d0']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-04-07T10:13:43Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--58e76658-8684-4696-9e23-4c7402de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:13:44.000Z",
|
|
|
|
"modified": "2017-04-07T10:13:44.000Z",
|
|
|
|
"description": "Dridex Botnet 7200 Loader - Xchecked via VT: 6adda664e3ab2936a8dbe8e95e10d33e34d13fbe375123c69abf3ac5fbf52fcd",
|
|
|
|
"pattern": "[file:hashes.MD5 = 'f4e11acef79702561dea6070d4dbba45']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-04-07T10:13:44Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--58e76659-b41c-4a12-afdf-41af02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:13:45.000Z",
|
|
|
|
"modified": "2017-04-07T10:13:45.000Z",
|
|
|
|
"first_observed": "2017-04-07T10:13:45Z",
|
|
|
|
"last_observed": "2017-04-07T10:13:45Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"url--58e76659-b41c-4a12-afdf-41af02de0b81"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"link\"",
|
|
|
|
"misp:category=\"External analysis\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "url",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "url--58e76659-b41c-4a12-afdf-41af02de0b81",
|
|
|
|
"value": "https://www.virustotal.com/file/6adda664e3ab2936a8dbe8e95e10d33e34d13fbe375123c69abf3ac5fbf52fcd/analysis/1491294800/"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--58e7665a-89dc-48f5-a69e-4d3b02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:13:46.000Z",
|
|
|
|
"modified": "2017-04-07T10:13:46.000Z",
|
|
|
|
"description": "Dridex Botnet 7200 Loader - Xchecked via VT: 379466fd81787399f7da3bfaab288c4b67ba3518c0225d1deabf9bc833dcaa22",
|
|
|
|
"pattern": "[file:hashes.SHA1 = '44bbd62533c8b1257a02f11756b39ebca77eda78']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-04-07T10:13:46Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--58e7665b-d364-4005-b2c2-406902de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:13:47.000Z",
|
|
|
|
"modified": "2017-04-07T10:13:47.000Z",
|
|
|
|
"description": "Dridex Botnet 7200 Loader - Xchecked via VT: 379466fd81787399f7da3bfaab288c4b67ba3518c0225d1deabf9bc833dcaa22",
|
|
|
|
"pattern": "[file:hashes.MD5 = '0243c9bb903d6f89d7eeadae882cf591']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-04-07T10:13:47Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--58e7665c-5394-4250-9d8c-49f302de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:13:48.000Z",
|
|
|
|
"modified": "2017-04-07T10:13:48.000Z",
|
|
|
|
"first_observed": "2017-04-07T10:13:48Z",
|
|
|
|
"last_observed": "2017-04-07T10:13:48Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"url--58e7665c-5394-4250-9d8c-49f302de0b81"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"link\"",
|
|
|
|
"misp:category=\"External analysis\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "url",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "url--58e7665c-5394-4250-9d8c-49f302de0b81",
|
|
|
|
"value": "https://www.virustotal.com/file/379466fd81787399f7da3bfaab288c4b67ba3518c0225d1deabf9bc833dcaa22/analysis/1491192423/"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--58e7665d-3844-4f1f-9fa8-40e202de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:13:49.000Z",
|
|
|
|
"modified": "2017-04-07T10:13:49.000Z",
|
|
|
|
"description": "Smoke Loader - Xchecked via VT: 4d76f25637f4193457b124290f878a47b5b9361ff486b79dc48a2d5c3648de02",
|
|
|
|
"pattern": "[file:hashes.SHA1 = 'a6cc5c3aedf9eba6ff3f18b76430e3f8efb90f57']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-04-07T10:13:49Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--58e7665e-9778-483d-9712-4e2202de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:13:50.000Z",
|
|
|
|
"modified": "2017-04-07T10:13:50.000Z",
|
|
|
|
"description": "Smoke Loader - Xchecked via VT: 4d76f25637f4193457b124290f878a47b5b9361ff486b79dc48a2d5c3648de02",
|
|
|
|
"pattern": "[file:hashes.MD5 = 'c738746c751e3f4465cdf20959ed7115']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-04-07T10:13:50Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--58e7665f-c77c-4b35-acd9-4f0302de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:13:51.000Z",
|
|
|
|
"modified": "2017-04-07T10:13:51.000Z",
|
|
|
|
"first_observed": "2017-04-07T10:13:51Z",
|
|
|
|
"last_observed": "2017-04-07T10:13:51Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"url--58e7665f-c77c-4b35-acd9-4f0302de0b81"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"link\"",
|
|
|
|
"misp:category=\"External analysis\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "url",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "url--58e7665f-c77c-4b35-acd9-4f0302de0b81",
|
|
|
|
"value": "https://www.virustotal.com/file/4d76f25637f4193457b124290f878a47b5b9361ff486b79dc48a2d5c3648de02/analysis/1491540064/"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--58e76660-f4ec-4ac7-96c6-4e9202de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:13:52.000Z",
|
|
|
|
"modified": "2017-04-07T10:13:52.000Z",
|
|
|
|
"description": "Dridex Botnet 7500 Loader - Xchecked via VT: 20b61b6ce821f8011f2cb1a409e6221b7bc1ae3a0cde56d66b025d12d640ee81",
|
|
|
|
"pattern": "[file:hashes.SHA1 = '6812c5b94ea2452b794e8e735428eddd415e1bb6']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-04-07T10:13:52Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--58e76660-28a0-4837-b925-405202de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:13:52.000Z",
|
|
|
|
"modified": "2017-04-07T10:13:52.000Z",
|
|
|
|
"description": "Dridex Botnet 7500 Loader - Xchecked via VT: 20b61b6ce821f8011f2cb1a409e6221b7bc1ae3a0cde56d66b025d12d640ee81",
|
|
|
|
"pattern": "[file:hashes.MD5 = 'e50522bf1817a8f5698b740e5225c34f']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-04-07T10:13:52Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--58e76661-edf0-4e21-945d-4df102de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:13:53.000Z",
|
|
|
|
"modified": "2017-04-07T10:13:53.000Z",
|
|
|
|
"first_observed": "2017-04-07T10:13:53Z",
|
|
|
|
"last_observed": "2017-04-07T10:13:53Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"url--58e76661-edf0-4e21-945d-4df102de0b81"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"link\"",
|
|
|
|
"misp:category=\"External analysis\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "url",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "url--58e76661-edf0-4e21-945d-4df102de0b81",
|
|
|
|
"value": "https://www.virustotal.com/file/20b61b6ce821f8011f2cb1a409e6221b7bc1ae3a0cde56d66b025d12d640ee81/analysis/1491282981/"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--58e76662-6f30-4eeb-987b-441602de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:13:54.000Z",
|
|
|
|
"modified": "2017-04-07T10:13:54.000Z",
|
|
|
|
"description": "Dridex Botnet 7500 Loader - Xchecked via VT: dfd99e050505ec41bc41fbaf51fee908fcda8c17a1bc92623748d34915c5bc0a",
|
|
|
|
"pattern": "[file:hashes.SHA1 = '7eb1ab6a19b3ab9fc8dd96f73e5a696571a72400']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-04-07T10:13:54Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--58e76663-b798-454f-887a-460502de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:13:55.000Z",
|
|
|
|
"modified": "2017-04-07T10:13:55.000Z",
|
|
|
|
"description": "Dridex Botnet 7500 Loader - Xchecked via VT: dfd99e050505ec41bc41fbaf51fee908fcda8c17a1bc92623748d34915c5bc0a",
|
|
|
|
"pattern": "[file:hashes.MD5 = '41a5b1d50947452adb663abcb6ecb829']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-04-07T10:13:55Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--58e76664-e204-4ed7-8ab0-439c02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:13:56.000Z",
|
|
|
|
"modified": "2017-04-07T10:13:56.000Z",
|
|
|
|
"first_observed": "2017-04-07T10:13:56Z",
|
|
|
|
"last_observed": "2017-04-07T10:13:56Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"url--58e76664-e204-4ed7-8ab0-439c02de0b81"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"link\"",
|
|
|
|
"misp:category=\"External analysis\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "url",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "url--58e76664-e204-4ed7-8ab0-439c02de0b81",
|
|
|
|
"value": "https://www.virustotal.com/file/dfd99e050505ec41bc41fbaf51fee908fcda8c17a1bc92623748d34915c5bc0a/analysis/1491188391/"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--58e76665-f120-4ccd-a42c-4e7502de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:13:57.000Z",
|
|
|
|
"modified": "2017-04-07T10:13:57.000Z",
|
|
|
|
"description": "Macro Document - Xchecked via VT: 743f6538c1dc1b224e443356f9bf3ae3954f2dea2c3b6e7986a5bc410b8dda20",
|
|
|
|
"pattern": "[file:hashes.SHA1 = 'f40791fd456f4e9429cbcc231e5550bfe8fcb906']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-04-07T10:13:57Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--58e76666-87b4-420b-92f6-433c02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:13:58.000Z",
|
|
|
|
"modified": "2017-04-07T10:13:58.000Z",
|
|
|
|
"description": "Macro Document - Xchecked via VT: 743f6538c1dc1b224e443356f9bf3ae3954f2dea2c3b6e7986a5bc410b8dda20",
|
|
|
|
"pattern": "[file:hashes.MD5 = '130b76fcf04f44433fa075c3cc596d03']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-04-07T10:13:58Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--58e76667-b1b0-43d3-bacd-413102de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:13:59.000Z",
|
|
|
|
"modified": "2017-04-07T10:13:59.000Z",
|
|
|
|
"first_observed": "2017-04-07T10:13:59Z",
|
|
|
|
"last_observed": "2017-04-07T10:13:59Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"url--58e76667-b1b0-43d3-bacd-413102de0b81"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"link\"",
|
|
|
|
"misp:category=\"External analysis\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "url",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "url--58e76667-b1b0-43d3-bacd-413102de0b81",
|
|
|
|
"value": "https://www.virustotal.com/file/743f6538c1dc1b224e443356f9bf3ae3954f2dea2c3b6e7986a5bc410b8dda20/analysis/1491287540/"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--58e76668-dbac-41b1-84c0-41fc02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:14:00.000Z",
|
|
|
|
"modified": "2017-04-07T10:14:00.000Z",
|
|
|
|
"description": "Macro Document - Xchecked via VT: 1ac8931791374c156c8e619b4ca66fdcbd31a56203fa3a429d981e20955099c8",
|
|
|
|
"pattern": "[file:hashes.SHA1 = '49858617e73d5a56894140d90f0d75fe59496b1e']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-04-07T10:14:00Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--58e76669-a3c0-454b-8635-43ea02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:14:01.000Z",
|
|
|
|
"modified": "2017-04-07T10:14:01.000Z",
|
|
|
|
"description": "Macro Document - Xchecked via VT: 1ac8931791374c156c8e619b4ca66fdcbd31a56203fa3a429d981e20955099c8",
|
|
|
|
"pattern": "[file:hashes.MD5 = '6c8104146ba1bb6e1a4c3b8b6f6a1fa9']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-04-07T10:14:01Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--58e7666a-9bb8-40ac-a37a-4e9402de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:14:02.000Z",
|
|
|
|
"modified": "2017-04-07T10:14:02.000Z",
|
|
|
|
"first_observed": "2017-04-07T10:14:02Z",
|
|
|
|
"last_observed": "2017-04-07T10:14:02Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"url--58e7666a-9bb8-40ac-a37a-4e9402de0b81"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"link\"",
|
|
|
|
"misp:category=\"External analysis\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "url",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "url--58e7666a-9bb8-40ac-a37a-4e9402de0b81",
|
|
|
|
"value": "https://www.virustotal.com/file/1ac8931791374c156c8e619b4ca66fdcbd31a56203fa3a429d981e20955099c8/analysis/1491436931/"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--58e7666b-5a48-4cf6-a3f5-4cb502de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:14:03.000Z",
|
|
|
|
"modified": "2017-04-07T10:14:03.000Z",
|
|
|
|
"description": "VBS Downloader Example - Xchecked via VT: 84c9028a1d25e5f171c170179f2f1ea3e1eab9514812ab9e4b617de822b46e69",
|
|
|
|
"pattern": "[file:hashes.SHA1 = '71792564c59392c6f875c18bb62b7f501ba48a5d']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-04-07T10:14:03Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"sha1\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "indicator--58e7666c-7810-4fa4-9361-4e4d02de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:14:04.000Z",
|
|
|
|
"modified": "2017-04-07T10:14:04.000Z",
|
|
|
|
"description": "VBS Downloader Example - Xchecked via VT: 84c9028a1d25e5f171c170179f2f1ea3e1eab9514812ab9e4b617de822b46e69",
|
|
|
|
"pattern": "[file:hashes.MD5 = '1cdecc032262cc06375296dd7d907968']",
|
|
|
|
"pattern_type": "stix",
|
|
|
|
"pattern_version": "2.1",
|
|
|
|
"valid_from": "2017-04-07T10:14:04Z",
|
|
|
|
"kill_chain_phases": [
|
|
|
|
{
|
|
|
|
"kill_chain_name": "misp-category",
|
|
|
|
"phase_name": "Payload delivery"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"md5\"",
|
|
|
|
"misp:category=\"Payload delivery\"",
|
|
|
|
"misp:to_ids=\"True\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "observed-data",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "observed-data--58e7666d-4628-4053-a1a9-4bb602de0b81",
|
|
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
|
|
"created": "2017-04-07T10:14:05.000Z",
|
|
|
|
"modified": "2017-04-07T10:14:05.000Z",
|
|
|
|
"first_observed": "2017-04-07T10:14:05Z",
|
|
|
|
"last_observed": "2017-04-07T10:14:05Z",
|
|
|
|
"number_observed": 1,
|
|
|
|
"object_refs": [
|
|
|
|
"url--58e7666d-4628-4053-a1a9-4bb602de0b81"
|
|
|
|
],
|
|
|
|
"labels": [
|
|
|
|
"misp:type=\"link\"",
|
|
|
|
"misp:category=\"External analysis\""
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "url",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "url--58e7666d-4628-4053-a1a9-4bb602de0b81",
|
|
|
|
"value": "https://www.virustotal.com/file/84c9028a1d25e5f171c170179f2f1ea3e1eab9514812ab9e4b617de822b46e69/analysis/1491200234/"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "marking-definition",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
|
|
"definition_type": "tlp",
|
|
|
|
"name": "TLP:WHITE",
|
|
|
|
"definition": {
|
|
|
|
"tlp": "white"
|
|
|
|
}
|
|
|
|
}
|
2023-04-21 13:25:09 +00:00
|
|
|
]
|
|
|
|
}
|