misp-circl-feed/feeds/circl/stix-2.1/57c52bbb-6a08-4121-951c-417c950d210f.json

359 lines
16 KiB
JSON
Raw Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--57c52bbb-6a08-4121-951c-417c950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-30T06:56:19.000Z",
"modified": "2016-08-30T06:56:19.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--57c52bbb-6a08-4121-951c-417c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-30T06:56:19.000Z",
"modified": "2016-08-30T06:56:19.000Z",
"name": "OSINT - German Speakers Targeted by SPAM Leading to Ozone RAT",
"published": "2016-08-30T06:58:12Z",
"object_refs": [
"observed-data--57c52bf1-4f04-4466-9c0e-4404950d210f",
"url--57c52bf1-4f04-4466-9c0e-4404950d210f",
"x-misp-attribute--57c52c07-b4c0-4e66-82f0-4cce950d210f",
"indicator--57c52c28-a71c-4e6e-820c-47c7950d210f",
"indicator--57c52c29-5318-4609-a82d-45d2950d210f",
"x-misp-attribute--57c52c82-fc9c-4129-9ee1-411b950d210f",
"indicator--57c52cd7-b104-4683-befc-493902de0b81",
"indicator--57c52cd8-e704-4998-9eac-465602de0b81",
"observed-data--57c52cd8-d17c-41eb-99e3-462902de0b81",
"url--57c52cd8-d17c-41eb-99e3-462902de0b81",
"indicator--57c52cd8-13bc-4cd7-b5c1-451d02de0b81",
"indicator--57c52cd8-d148-4252-897d-453f02de0b81",
"observed-data--57c52cd9-b02c-4f91-b14e-407a02de0b81",
"url--57c52cd9-b02c-4f91-b14e-407a02de0b81",
"x-misp-attribute--57c52dca-2844-4603-828f-4905950d210f",
"x-misp-attribute--57c52df9-af58-4f21-917b-4379950d210f",
"x-misp-attribute--57c52e13-6bd8-4b73-96f2-46c7950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"circl:incident-classification=\"malware\"",
"ms-caro-malware:malware-type=\"RemoteAccess\"",
"type:OSINT"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57c52bf1-4f04-4466-9c0e-4404950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-30T06:47:13.000Z",
"modified": "2016-08-30T06:47:13.000Z",
"first_observed": "2016-08-30T06:47:13Z",
"last_observed": "2016-08-30T06:47:13Z",
"number_observed": 1,
"object_refs": [
"url--57c52bf1-4f04-4466-9c0e-4404950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57c52bf1-4f04-4466-9c0e-4404950d210f",
"value": "https://blog.fortinet.com/2016/08/29/german-speakers-targeted-by-spam-leading-to-ozone-rat"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--57c52c07-b4c0-4e66-82f0-4cce950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-30T06:47:35.000Z",
"modified": "2016-08-30T06:47:35.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "Remote Administration Tools (RAT) have been around for a long time. They provide users and administrators with the convenience of being able to take full control of their systems without needing to be physically in front of a device. In this age of global operations, that\u00e2\u20ac\u2122s a huge deal. From troubleshooting machines across countries to observing employees across rooms, RAT solutions have become widely used tools for remote maintenance and monitoring.\r\n\r\nUnfortunately, malware authors often utilize these same capabilities to compromise systems. Full remote access capabilities is a dream tool for the black hat community, and are highly sought after.\r\n\r\nAs a case in point, we recently discovered a SPAM campaign targeting German-speaking users that involves a relatively new commercialized RAT called Ozone."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c52c28-a71c-4e6e-820c-47c7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-30T06:48:08.000Z",
"modified": "2016-08-30T06:48:08.000Z",
"description": "W32/OzoneRAT.A!tr",
"pattern": "[file:hashes.SHA256 = '70ece9b44f54fa5ac525908da412bf707ce7fae08a8f2b8134f34133df43e982']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-30T06:48:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c52c29-5318-4609-a82d-45d2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-30T06:48:09.000Z",
"modified": "2016-08-30T06:48:09.000Z",
"description": "-JS/Nemucod.C060!tr.dldr",
"pattern": "[file:hashes.SHA256 = '71f1073d0b8aabaf0a2481e9b7c1cd0ca906fee719b45f7d4722d01884c75a17']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-30T06:48:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--57c52c82-fc9c-4129-9ee1-411b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-30T06:49:38.000Z",
"modified": "2016-08-30T06:49:38.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"Antivirus detection\""
],
"x_misp_category": "Antivirus detection",
"x_misp_type": "text",
"x_misp_value": "W32/OzoneRAT"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c52cd7-b104-4683-befc-493902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-30T06:51:03.000Z",
"modified": "2016-08-30T06:51:03.000Z",
"description": "-JS/Nemucod.C060!tr.dldr - Xchecked via VT: 71f1073d0b8aabaf0a2481e9b7c1cd0ca906fee719b45f7d4722d01884c75a17",
"pattern": "[file:hashes.SHA1 = 'e118c60fbe73cdf3144ecadf97e8a79d3e3f2d4f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-30T06:51:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c52cd8-e704-4998-9eac-465602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-30T06:51:04.000Z",
"modified": "2016-08-30T06:51:04.000Z",
"description": "-JS/Nemucod.C060!tr.dldr - Xchecked via VT: 71f1073d0b8aabaf0a2481e9b7c1cd0ca906fee719b45f7d4722d01884c75a17",
"pattern": "[file:hashes.MD5 = 'e49ae5faaf3b2cdef6d55481f55c3819']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-30T06:51:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57c52cd8-d17c-41eb-99e3-462902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-30T06:51:04.000Z",
"modified": "2016-08-30T06:51:04.000Z",
"first_observed": "2016-08-30T06:51:04Z",
"last_observed": "2016-08-30T06:51:04Z",
"number_observed": 1,
"object_refs": [
"url--57c52cd8-d17c-41eb-99e3-462902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57c52cd8-d17c-41eb-99e3-462902de0b81",
"value": "https://www.virustotal.com/file/71f1073d0b8aabaf0a2481e9b7c1cd0ca906fee719b45f7d4722d01884c75a17/analysis/1471782216/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c52cd8-13bc-4cd7-b5c1-451d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-30T06:51:04.000Z",
"modified": "2016-08-30T06:51:04.000Z",
"description": "W32/OzoneRAT.A!tr - Xchecked via VT: 70ece9b44f54fa5ac525908da412bf707ce7fae08a8f2b8134f34133df43e982",
"pattern": "[file:hashes.SHA1 = '9723f64aa74b32ffe86cef380f3e8397fe754c9e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-30T06:51:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c52cd8-d148-4252-897d-453f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-30T06:51:04.000Z",
"modified": "2016-08-30T06:51:04.000Z",
"description": "W32/OzoneRAT.A!tr - Xchecked via VT: 70ece9b44f54fa5ac525908da412bf707ce7fae08a8f2b8134f34133df43e982",
"pattern": "[file:hashes.MD5 = '01e438effb7eb350308ffc0c2d0a60b4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-30T06:51:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57c52cd9-b02c-4f91-b14e-407a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-30T06:51:05.000Z",
"modified": "2016-08-30T06:51:05.000Z",
"first_observed": "2016-08-30T06:51:05Z",
"last_observed": "2016-08-30T06:51:05Z",
"number_observed": 1,
"object_refs": [
"url--57c52cd9-b02c-4f91-b14e-407a02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57c52cd9-b02c-4f91-b14e-407a02de0b81",
"value": "https://www.virustotal.com/file/70ece9b44f54fa5ac525908da412bf707ce7fae08a8f2b8134f34133df43e982/analysis/1471603833/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--57c52dca-2844-4603-828f-4905950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-30T06:55:06.000Z",
"modified": "2016-08-30T06:55:06.000Z",
"labels": [
"misp:type=\"threat-actor\"",
"misp:category=\"Attribution\""
],
"x_misp_category": "Attribution",
"x_misp_comment": "ciboryn (Skype account)",
"x_misp_type": "threat-actor",
"x_misp_value": "ciboryn"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--57c52df9-af58-4f21-917b-4379950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-30T06:55:53.000Z",
"modified": "2016-08-30T06:55:53.000Z",
"labels": [
"misp:type=\"threat-actor\"",
"misp:category=\"Attribution\""
],
"x_misp_category": "Attribution",
"x_misp_comment": "XMPP account of the RAT seller",
"x_misp_type": "threat-actor",
"x_misp_value": "cibor@jabbim.com"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--57c52e13-6bd8-4b73-96f2-46c7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-30T06:56:19.000Z",
"modified": "2016-08-30T06:56:19.000Z",
"labels": [
"misp:type=\"threat-actor\"",
"misp:category=\"Attribution\""
],
"x_misp_category": "Attribution",
"x_misp_comment": "Email of the RAT seller",
"x_misp_type": "threat-actor",
"x_misp_value": "cibosales@gmail.com"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}