misp-circl-feed/feeds/circl/stix-2.1/0733f160-8e52-4548-a4c8-19a1cfb41d0d.json

{
    "type": "bundle",
    "id": "bundle--0733f160-8e52-4548-a4c8-19a1cfb41d0d",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
            "created": "2021-02-04T21:50:11.000Z",
            "modified": "2021-02-04T21:50:11.000Z",
            "name": "Centre for Cyber security Belgium",
            "identity_class": "organization"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--0733f160-8e52-4548-a4c8-19a1cfb41d0d",
            "created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
            "created": "2021-02-04T21:50:11.000Z",
            "modified": "2021-02-04T21:50:11.000Z",
            "name": "zloader: VBA, R1C1 References, and Other Tomfoolery",
            "published": "2023-02-22T14:12:11Z",
            "object_refs": [
                "indicator--9c87b754-6bc2-414d-82e9-0d07f2130be7",
                "x-misp-object--5ef34e5a-b2a8-4ca8-8a0e-44f6ac13a7a7",
                "x-misp-object--5ef34e3c-f70c-4526-9abb-44f6ac13a7a7"
            ],
            "labels": [
                "Threat-Report",
                "misp:tool=\"MISP-STIX-Converter\"",
                "zloader",
                "inthreat:event-src=\"feed-osint\"",
                "admiralty-scale:information-credibility=\"2\"",
                "admiralty-scale:source-reliability=\"b\"",
                "workflow:state=\"complete\""
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--9c87b754-6bc2-414d-82e9-0d07f2130be7",
            "created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
            "created": "2020-06-24T10:50:40.000Z",
            "modified": "2020-06-24T10:50:40.000Z",
            "pattern": "[file:hashes.SHA256 = 'b29c145d4b78daed34dea28a0a11bab857d5583dc6a00578a877511d0d01d3d2']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2020-06-24T10:50:40Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha256\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "x-misp-object",
            "spec_version": "2.1",
            "id": "x-misp-object--5ef34e5a-b2a8-4ca8-8a0e-44f6ac13a7a7",
            "created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
            "created": "2020-06-24T13:00:10.000Z",
            "modified": "2020-06-24T13:00:10.000Z",
            "labels": [
                "misp:name=\"whois\"",
                "misp:meta-category=\"network\""
            ],
            "x_misp_attributes": [
                {
                    "type": "domain",
                    "object_relation": "domain",
                    "value": "procacardenla.ga",
                    "category": "Network activity",
                    "to_ids": true,
                    "uuid": "5ef34e5a-6d34-4a50-87a8-44f6ac13a7a7"
                },
                {
                    "type": "domain",
                    "object_relation": "domain",
                    "value": "datalibacbi.ml",
                    "category": "Network activity",
                    "to_ids": true,
                    "uuid": "5ef34e5b-ac9c-41e2-91a5-44f6ac13a7a7"
                },
                {
                    "type": "domain",
                    "object_relation": "domain",
                    "value": "wireborg.com",
                    "category": "Network activity",
                    "to_ids": true,
                    "uuid": "5ef34e5b-a1b0-4af0-8636-44f6ac13a7a7"
                },
                {
                    "type": "domain",
                    "object_relation": "domain",
                    "value": "zmedia.shwetech.com",
                    "category": "Network activity",
                    "to_ids": true,
                    "uuid": "5ef34e5b-6df8-49d5-9b09-44f6ac13a7a7"
                }
            ],
            "x_misp_comment": "Domains",
            "x_misp_meta_category": "network",
            "x_misp_name": "whois"
        },
        {
            "type": "x-misp-object",
            "spec_version": "2.1",
            "id": "x-misp-object--5ef34e3c-f70c-4526-9abb-44f6ac13a7a7",
            "created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
            "created": "2020-06-24T12:59:40.000Z",
            "modified": "2020-06-24T12:59:40.000Z",
            "labels": [
                "misp:name=\"annotation\"",
                "misp:meta-category=\"misc\""
            ],
            "x_misp_attributes": [
                {
                    "type": "link",
                    "object_relation": "ref",
                    "value": "https://clickallthethings.wordpress.com/2020/06/19/zloader-vba-r1c1-references-and-other-tomfoolery/",
                    "category": "External analysis",
                    "uuid": "5ef34e3c-3620-41b8-a096-44f6ac13a7a7"
                },
                {
                    "type": "link",
                    "object_relation": "ref",
                    "value": "https://twitter.com/abuse_ch",
                    "category": "External analysis",
                    "uuid": "5ef34e3c-3110-40af-8f22-44f6ac13a7a7"
                },
                {
                    "type": "text",
                    "object_relation": "text",
                    "value": "zloader: VBA, R1C1 References, and Other Tomfoolery\r\nJune 19, 2020 ~ Jamie\t\r\n\r\nThe other day, @reecDeep tweeted about new behavior from zloader documents. Another document from the same campaign crossed my path and I decided to take a crack at it.",
                    "category": "External analysis",
                    "uuid": "5ef34e3c-d9e4-4ca8-957b-44f6ac13a7a7"
                }
            ],
            "x_misp_comment": "External Analysis",
            "x_misp_meta_category": "misc",
            "x_misp_name": "annotation"
        },
        {
            "type": "marking-definition",
            "spec_version": "2.1",
            "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
            "created": "2017-01-20T00:00:00.000Z",
            "definition_type": "tlp",
            "name": "TLP:WHITE",
            "definition": {
                "tlp": "white"
            }
        }
    ]
}
chg: [misp-stix] STIX 2.1 export added 2023-04-21 14:44:17 +00:00			`{`
			`"type": "bundle",`
			`"id": "bundle--0733f160-8e52-4548-a4c8-19a1cfb41d0d",`
			`"objects": [`
			`{`
			`"type": "identity",`
			`"spec_version": "2.1",`
			`"id": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",`
			`"created": "2021-02-04T21:50:11.000Z",`
			`"modified": "2021-02-04T21:50:11.000Z",`
			`"name": "Centre for Cyber security Belgium",`
			`"identity_class": "organization"`
			`},`
			`{`
			`"type": "report",`
			`"spec_version": "2.1",`
			`"id": "report--0733f160-8e52-4548-a4c8-19a1cfb41d0d",`
			`"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",`
			`"created": "2021-02-04T21:50:11.000Z",`
			`"modified": "2021-02-04T21:50:11.000Z",`
			`"name": "zloader: VBA, R1C1 References, and Other Tomfoolery",`
			`"published": "2023-02-22T14:12:11Z",`
			`"object_refs": [`
			`"indicator--9c87b754-6bc2-414d-82e9-0d07f2130be7",`
			`"x-misp-object--5ef34e5a-b2a8-4ca8-8a0e-44f6ac13a7a7",`
			`"x-misp-object--5ef34e3c-f70c-4526-9abb-44f6ac13a7a7"`
			`],`
			`"labels": [`
			`"Threat-Report",`
			`"misp:tool=\"MISP-STIX-Converter\"",`
			`"zloader",`
			`"inthreat:event-src=\"feed-osint\"",`
			`"admiralty-scale:information-credibility=\"2\"",`
			`"admiralty-scale:source-reliability=\"b\"",`
			`"workflow:state=\"complete\""`
			`],`
			`"object_marking_refs": [`
			`"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"`
			`]`
			`},`
			`{`
			`"type": "indicator",`
			`"spec_version": "2.1",`
			`"id": "indicator--9c87b754-6bc2-414d-82e9-0d07f2130be7",`
			`"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",`
			`"created": "2020-06-24T10:50:40.000Z",`
			`"modified": "2020-06-24T10:50:40.000Z",`
			`"pattern": "[file:hashes.SHA256 = 'b29c145d4b78daed34dea28a0a11bab857d5583dc6a00578a877511d0d01d3d2']",`
			`"pattern_type": "stix",`
			`"pattern_version": "2.1",`
			`"valid_from": "2020-06-24T10:50:40Z",`
			`"kill_chain_phases": [`
			`{`
			`"kill_chain_name": "misp-category",`
			`"phase_name": "Payload delivery"`
			`}`
			`],`
			`"labels": [`
			`"misp:type=\"sha256\"",`
			`"misp:category=\"Payload delivery\"",`
			`"misp:to_ids=\"True\""`
			`]`
			`},`
			`{`
			`"type": "x-misp-object",`
			`"spec_version": "2.1",`
			`"id": "x-misp-object--5ef34e5a-b2a8-4ca8-8a0e-44f6ac13a7a7",`
			`"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",`
			`"created": "2020-06-24T13:00:10.000Z",`
			`"modified": "2020-06-24T13:00:10.000Z",`
			`"labels": [`
			`"misp:name=\"whois\"",`
			`"misp:meta-category=\"network\""`
			`],`
			`"x_misp_attributes": [`
			`{`
			`"type": "domain",`
			`"object_relation": "domain",`
			`"value": "procacardenla.ga",`
			`"category": "Network activity",`
			`"to_ids": true,`
			`"uuid": "5ef34e5a-6d34-4a50-87a8-44f6ac13a7a7"`
			`},`
			`{`
			`"type": "domain",`
			`"object_relation": "domain",`
			`"value": "datalibacbi.ml",`
			`"category": "Network activity",`
			`"to_ids": true,`
			`"uuid": "5ef34e5b-ac9c-41e2-91a5-44f6ac13a7a7"`
			`},`
			`{`
			`"type": "domain",`
			`"object_relation": "domain",`
			`"value": "wireborg.com",`
			`"category": "Network activity",`
			`"to_ids": true,`
			`"uuid": "5ef34e5b-a1b0-4af0-8636-44f6ac13a7a7"`
			`},`
			`{`
			`"type": "domain",`
			`"object_relation": "domain",`
			`"value": "zmedia.shwetech.com",`
			`"category": "Network activity",`
			`"to_ids": true,`
			`"uuid": "5ef34e5b-6df8-49d5-9b09-44f6ac13a7a7"`
			`}`
			`],`
			`"x_misp_comment": "Domains",`
			`"x_misp_meta_category": "network",`
			`"x_misp_name": "whois"`
			`},`
			`{`
			`"type": "x-misp-object",`
			`"spec_version": "2.1",`
			`"id": "x-misp-object--5ef34e3c-f70c-4526-9abb-44f6ac13a7a7",`
			`"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",`
			`"created": "2020-06-24T12:59:40.000Z",`
			`"modified": "2020-06-24T12:59:40.000Z",`
			`"labels": [`
			`"misp:name=\"annotation\"",`
			`"misp:meta-category=\"misc\""`
			`],`
			`"x_misp_attributes": [`
			`{`
			`"type": "link",`
			`"object_relation": "ref",`
			`"value": "https://clickallthethings.wordpress.com/2020/06/19/zloader-vba-r1c1-references-and-other-tomfoolery/",`
			`"category": "External analysis",`
			`"uuid": "5ef34e3c-3620-41b8-a096-44f6ac13a7a7"`
			`},`
			`{`
			`"type": "link",`
			`"object_relation": "ref",`
			`"value": "https://twitter.com/abuse_ch",`
			`"category": "External analysis",`
			`"uuid": "5ef34e3c-3110-40af-8f22-44f6ac13a7a7"`
			`},`
			`{`
			`"type": "text",`
			`"object_relation": "text",`
			`"value": "zloader: VBA, R1C1 References, and Other Tomfoolery\r\nJune 19, 2020 ~ Jamie\t\r\n\r\nThe other day, @reecDeep tweeted about new behavior from zloader documents. Another document from the same campaign crossed my path and I decided to take a crack at it.",`
			`"category": "External analysis",`
			`"uuid": "5ef34e3c-d9e4-4ca8-957b-44f6ac13a7a7"`
			`}`
			`],`
			`"x_misp_comment": "External Analysis",`
			`"x_misp_meta_category": "misc",`
			`"x_misp_name": "annotation"`
			`},`
			`{`
			`"type": "marking-definition",`
			`"spec_version": "2.1",`
			`"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",`
			`"created": "2017-01-20T00:00:00.000Z",`
			`"definition_type": "tlp",`
			`"name": "TLP:WHITE",`
			`"definition": {`
			`"tlp": "white"`
			`}`
			`}`
			`]`
			`}`