misp-circl-feed/feeds/circl/stix-2.1/58a0ae18-4554-4af8-a66b-459802de0b81.json

{
"type": "bundle",
"id": "bundle--58a0ae18-4554-4af8-a66b-459802de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-12T18:56:30.000Z",
"modified": "2017-02-12T18:56:30.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--58a0ae18-4554-4af8-a66b-459802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-12T18:56:30.000Z",
"modified": "2017-02-12T18:56:30.000Z",
"name": "OSINT - Attackers target dozens of global banks with new malware",
"published": "2017-02-12T18:57:18Z",
"object_refs": [
"observed-data--58a0ae24-bedc-4399-8c2d-4fa002de0b81",
"url--58a0ae24-bedc-4399-8c2d-4fa002de0b81",
"x-misp-attribute--58a0ae39-1e30-42d6-b78a-20e102de0b81",
"indicator--58a0ae50-a948-465d-8e9f-20e102de0b81",
"indicator--58a0ae6f-1010-4e03-ac4b-419802de0b81",
"indicator--58a0ae8a-1364-42e1-82af-4ce102de0b81",
"indicator--58a0ae8a-f9ac-4c37-8975-41c102de0b81",
"indicator--58a0ae8b-c33c-4d49-b603-4ae702de0b81",
"indicator--58a0ae8c-95e0-4ce6-b163-44c302de0b81",
"indicator--58a0ae8d-56dc-4075-91bc-473902de0b81",
"indicator--58a0aea4-1d00-407f-9c35-20e102de0b81",
"indicator--58a0aea5-e9ac-4674-984b-20e102de0b81",
"indicator--58a0af48-a1d4-4fa4-8a25-4c9602de0b81",
"indicator--58a0af49-97c0-483e-9932-47b602de0b81",
"observed-data--58a0af4a-9fc0-4b59-a45f-4c4102de0b81",
"url--58a0af4a-9fc0-4b59-a45f-4c4102de0b81",
"indicator--58a0af4b-69ac-4337-8996-400402de0b81",
"indicator--58a0af4b-4d18-4453-9182-4de602de0b81",
"observed-data--58a0af4c-9a04-4f4a-af0e-445802de0b81",
"url--58a0af4c-9a04-4f4a-af0e-445802de0b81",
"indicator--58a0af4d-b688-4c75-812b-403802de0b81",
"indicator--58a0af4e-4d6c-4b97-8c12-476a02de0b81",
"observed-data--58a0af4e-a2a8-422f-9ab8-40d902de0b81",
"url--58a0af4e-a2a8-422f-9ab8-40d902de0b81",
"indicator--58a0af4f-6ad4-4e25-a3f1-4c8302de0b81",
"indicator--58a0af50-a848-4477-8bb7-464202de0b81",
"observed-data--58a0af51-cfe0-4a6c-a672-4f1202de0b81",
"url--58a0af51-cfe0-4a6c-a672-4f1202de0b81",
"indicator--58a0af51-c974-4bb5-abeb-40cf02de0b81",
"indicator--58a0af52-e68c-47d2-8f47-497a02de0b81",
"observed-data--58a0af53-5434-4242-a959-44b602de0b81",
"url--58a0af53-5434-4242-a959-44b602de0b81",
"indicator--58a0af54-453c-46fb-989c-4af002de0b81",
"indicator--58a0af55-442c-4726-bad9-4dd702de0b81",
"observed-data--58a0af55-8fb4-4e48-bec2-464b02de0b81",
"url--58a0af55-8fb4-4e48-bec2-464b02de0b81",
"observed-data--58a0afdd-1758-47f9-a269-447902de0b81",
"network-traffic--58a0afdd-1758-47f9-a269-447902de0b81",
"ipv4-addr--58a0afdd-1758-47f9-a269-447902de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:threat-actor=\"Lazarus Group\"",
"circl:topic=\"finance\"",
"veris:action:social:target=\"Finance\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58a0ae24-bedc-4399-8c2d-4fa002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-12T18:53:51.000Z",
"modified": "2017-02-12T18:53:51.000Z",
"first_observed": "2017-02-12T18:53:51Z",
"last_observed": "2017-02-12T18:53:51Z",
"number_observed": 1,
"object_refs": [
"url--58a0ae24-bedc-4399-8c2d-4fa002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\"",
"admiralty-scale:source-reliability=\"b\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58a0ae24-bedc-4399-8c2d-4fa002de0b81",
"value": "https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware-0"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58a0ae39-1e30-42d6-b78a-20e102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-12T18:53:51.000Z",
"modified": "2017-02-12T18:53:51.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Organizations in 31 countries have been targeted in a new wave of attacks which has been underway since at least October 2016. The attackers used compromised websites or \u201cwatering holes\u201d to infect pre-selected targets with previously unknown malware. There has been no evidence found yet that funds have been stolen from any infected banks.\r\n\r\nThe attacks came to light when a bank in Poland discovered previously unknown malware running on a number of its computers. The bank then shared indicators of compromise (IOCs) with other institutions and a number of other institutions confirmed that they too had been compromised.\r\n\r\nAs reported, the source of the attack appears to have been the website of the Polish financial regulator. The attackers compromised the website to redirect visitors to an exploit kit which attempted to install malware on selected targets.\r\n\r\nSymantec has blocked attempts to infect customers in Poland, Mexico and Uruguay by the same exploit kit that infected the Polish banks. Since October, 14 attacks against computers in Mexico were blocked, 11 against computers in Uruguay, and two against computers in Poland."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a0ae50-a948-465d-8e9f-20e102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-12T18:53:51.000Z",
"modified": "2017-02-12T18:53:51.000Z",
"description": "Backdoor.Destover",
"pattern": "[file:hashes.SHA256 = '4fe3c853ab237005f7d62324535dd641e1e095d1615a416a9b39e042f136cf6b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-12T18:53:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a0ae6f-1010-4e03-ac4b-419802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-12T18:53:51.000Z",
"modified": "2017-02-12T18:53:51.000Z",
"description": "Hacktool",
"pattern": "[file:hashes.SHA256 = 'efa57ca7aa5f42578ab83c9d510393fcf4e981a3eb422197973c65b7415863e7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-12T18:53:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a0ae8a-1364-42e1-82af-4ce102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-12T18:53:51.000Z",
"modified": "2017-02-12T18:53:51.000Z",
"description": "Downloader.Ratankba",
"pattern": "[file:hashes.SHA256 = '99017270f0af0e499cfeb19409020bfa0c2de741e5b32b9f6a01c34fe13fda7d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-12T18:53:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a0ae8a-f9ac-4c37-8975-41c102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-12T18:53:51.000Z",
"modified": "2017-02-12T18:53:51.000Z",
"description": "Downloader.Ratankba",
"pattern": "[file:hashes.SHA256 = '825624d8a93c88a811262bd32cc51e19538c5d65f6f9137e30e72c5de4f044cc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-12T18:53:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a0ae8b-c33c-4d49-b603-4ae702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-12T18:53:51.000Z",
"modified": "2017-02-12T18:53:51.000Z",
"description": "Downloader.Ratankba",
"pattern": "[file:hashes.SHA256 = '200c0f4600e54007cb4707c9727b1171f56c17c80c16c53966535c57ab684e22']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-12T18:53:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a0ae8c-95e0-4ce6-b163-44c302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-12T18:53:51.000Z",
"modified": "2017-02-12T18:53:51.000Z",
"description": "Downloader.Ratankba",
"pattern": "[file:hashes.SHA256 = '95c8ffe03547bcb0afd4d025fb14908f5230c6dc6fdd16686609681c7f40aca2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-12T18:53:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a0ae8d-56dc-4075-91bc-473902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-12T18:53:51.000Z",
"modified": "2017-02-12T18:53:51.000Z",
"description": "Downloader.Ratankba",
"pattern": "[file:hashes.SHA256 = '7c77ec259162872bf9ab18f6754e0e844157b31b32b4a746484f444b9f9a3836']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-12T18:53:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a0aea4-1d00-407f-9c35-20e102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-12T18:53:51.000Z",
"modified": "2017-02-12T18:53:51.000Z",
"description": "Command and control infrastructure",
"pattern": "[domain-name:value = 'eye-watch.in']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-12T18:53:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a0aea5-e9ac-4674-984b-20e102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-12T18:53:51.000Z",
"modified": "2017-02-12T18:53:51.000Z",
"description": "Command and control infrastructure",
"pattern": "[domain-name:value = 'sap.misapor.ch']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-12T18:53:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a0af48-a1d4-4fa4-8a25-4c9602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-12T18:54:00.000Z",
"modified": "2017-02-12T18:54:00.000Z",
"description": "Backdoor.Destover - Xchecked via VT: 4fe3c853ab237005f7d62324535dd641e1e095d1615a416a9b39e042f136cf6b",
"pattern": "[file:hashes.SHA1 = '9876f8650d75938f8a2e4fb4df4321cc819d0f58']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-12T18:54:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a0af49-97c0-483e-9932-47b602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-12T18:54:01.000Z",
"modified": "2017-02-12T18:54:01.000Z",
"description": "Backdoor.Destover - Xchecked via VT: 4fe3c853ab237005f7d62324535dd641e1e095d1615a416a9b39e042f136cf6b",
"pattern": "[file:hashes.MD5 = '7fe80cee04003fed91c02e3a372f4b01']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-12T18:54:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58a0af4a-9fc0-4b59-a45f-4c4102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-12T18:54:02.000Z",
"modified": "2017-02-12T18:54:02.000Z",
"first_observed": "2017-02-12T18:54:02Z",
"last_observed": "2017-02-12T18:54:02Z",
"number_observed": 1,
"object_refs": [
"url--58a0af4a-9fc0-4b59-a45f-4c4102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58a0af4a-9fc0-4b59-a45f-4c4102de0b81",
"value": "https://www.virustotal.com/file/4fe3c853ab237005f7d62324535dd641e1e095d1615a416a9b39e042f136cf6b/analysis/1486115878/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a0af4b-69ac-4337-8996-400402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-12T18:54:03.000Z",
"modified": "2017-02-12T18:54:03.000Z",
"description": "Downloader.Ratankba - Xchecked via VT: 99017270f0af0e499cfeb19409020bfa0c2de741e5b32b9f6a01c34fe13fda7d",
"pattern": "[file:hashes.SHA1 = '178994ab2d4fc0a32a328e97d7d220c8bbb9150c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-12T18:54:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a0af4b-4d18-4453-9182-4de602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-12T18:54:03.000Z",
"modified": "2017-02-12T18:54:03.000Z",
"description": "Downloader.Ratankba - Xchecked via VT: 99017270f0af0e499cfeb19409020bfa0c2de741e5b32b9f6a01c34fe13fda7d",
"pattern": "[file:hashes.MD5 = '1f7897b041a812f96f1925138ea38c46']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-12T18:54:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58a0af4c-9a04-4f4a-af0e-445802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-12T18:54:04.000Z",
"modified": "2017-02-12T18:54:04.000Z",
"first_observed": "2017-02-12T18:54:04Z",
"last_observed": "2017-02-12T18:54:04Z",
"number_observed": 1,
"object_refs": [
"url--58a0af4c-9a04-4f4a-af0e-445802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58a0af4c-9a04-4f4a-af0e-445802de0b81",
"value": "https://www.virustotal.com/file/99017270f0af0e499cfeb19409020bfa0c2de741e5b32b9f6a01c34fe13fda7d/analysis/1486354947/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a0af4d-b688-4c75-812b-403802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-12T18:54:05.000Z",
"modified": "2017-02-12T18:54:05.000Z",
"description": "Downloader.Ratankba - Xchecked via VT: 825624d8a93c88a811262bd32cc51e19538c5d65f6f9137e30e72c5de4f044cc",
"pattern": "[file:hashes.SHA1 = '09c1756064f15fcdd29ff8f239b3d5dcc22ac492']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-12T18:54:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a0af4e-4d6c-4b97-8c12-476a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-12T18:54:06.000Z",
"modified": "2017-02-12T18:54:06.000Z",
"description": "Downloader.Ratankba - Xchecked via VT: 825624d8a93c88a811262bd32cc51e19538c5d65f6f9137e30e72c5de4f044cc",
"pattern": "[file:hashes.MD5 = '911de8d67af652a87415f8c0a30688b2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-12T18:54:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58a0af4e-a2a8-422f-9ab8-40d902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-12T18:54:06.000Z",
"modified": "2017-02-12T18:54:06.000Z",
"first_observed": "2017-02-12T18:54:06Z",
"last_observed": "2017-02-12T18:54:06Z",
"number_observed": 1,
"object_refs": [
"url--58a0af4e-a2a8-422f-9ab8-40d902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58a0af4e-a2a8-422f-9ab8-40d902de0b81",
"value": "https://www.virustotal.com/file/825624d8a93c88a811262bd32cc51e19538c5d65f6f9137e30e72c5de4f044cc/analysis/1486355454/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a0af4f-6ad4-4e25-a3f1-4c8302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-12T18:54:07.000Z",
"modified": "2017-02-12T18:54:07.000Z",
"description": "Downloader.Ratankba - Xchecked via VT: 200c0f4600e54007cb4707c9727b1171f56c17c80c16c53966535c57ab684e22",
"pattern": "[file:hashes.SHA1 = '97a3698ffffdb63df79faeaf58169f9755db1f90']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-12T18:54:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a0af50-a848-4477-8bb7-464202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-12T18:54:08.000Z",
"modified": "2017-02-12T18:54:08.000Z",
"description": "Downloader.Ratankba - Xchecked via VT: 200c0f4600e54007cb4707c9727b1171f56c17c80c16c53966535c57ab684e22",
"pattern": "[file:hashes.MD5 = '1507e7a741367745425e0530e23768e6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-12T18:54:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58a0af51-cfe0-4a6c-a672-4f1202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-12T18:54:09.000Z",
"modified": "2017-02-12T18:54:09.000Z",
"first_observed": "2017-02-12T18:54:09Z",
"last_observed": "2017-02-12T18:54:09Z",
"number_observed": 1,
"object_refs": [
"url--58a0af51-cfe0-4a6c-a672-4f1202de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58a0af51-cfe0-4a6c-a672-4f1202de0b81",
"value": "https://www.virustotal.com/file/200c0f4600e54007cb4707c9727b1171f56c17c80c16c53966535c57ab684e22/analysis/1486354903/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a0af51-c974-4bb5-abeb-40cf02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-12T18:54:09.000Z",
"modified": "2017-02-12T18:54:09.000Z",
"description": "Downloader.Ratankba - Xchecked via VT: 95c8ffe03547bcb0afd4d025fb14908f5230c6dc6fdd16686609681c7f40aca2",
"pattern": "[file:hashes.SHA1 = '2c6c244b3858ce06a0b646ae386f65e69ae5c046']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-12T18:54:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a0af52-e68c-47d2-8f47-497a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-12T18:54:10.000Z",
"modified": "2017-02-12T18:54:10.000Z",
"description": "Downloader.Ratankba - Xchecked via VT: 95c8ffe03547bcb0afd4d025fb14908f5230c6dc6fdd16686609681c7f40aca2",
"pattern": "[file:hashes.MD5 = 'cb52c013f7af0219d45953bae663c9a2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-12T18:54:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58a0af53-5434-4242-a959-44b602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-12T18:54:11.000Z",
"modified": "2017-02-12T18:54:11.000Z",
"first_observed": "2017-02-12T18:54:11Z",
"last_observed": "2017-02-12T18:54:11Z",
"number_observed": 1,
"object_refs": [
"url--58a0af53-5434-4242-a959-44b602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58a0af53-5434-4242-a959-44b602de0b81",
"value": "https://www.virustotal.com/file/95c8ffe03547bcb0afd4d025fb14908f5230c6dc6fdd16686609681c7f40aca2/analysis/1486356061/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a0af54-453c-46fb-989c-4af002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-12T18:54:12.000Z",
"modified": "2017-02-12T18:54:12.000Z",
"description": "Downloader.Ratankba - Xchecked via VT: 7c77ec259162872bf9ab18f6754e0e844157b31b32b4a746484f444b9f9a3836",
"pattern": "[file:hashes.SHA1 = 'da967dc59a7b61aeaeaee380b2c147c5bb1b3bc5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-12T18:54:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58a0af55-442c-4726-bad9-4dd702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-12T18:54:13.000Z",
"modified": "2017-02-12T18:54:13.000Z",
"description": "Downloader.Ratankba - Xchecked via VT: 7c77ec259162872bf9ab18f6754e0e844157b31b32b4a746484f444b9f9a3836",
"pattern": "[file:hashes.MD5 = '18a451d70f96a1335623b385f0993bcc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-12T18:54:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58a0af55-8fb4-4e48-bec2-464b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-12T18:54:13.000Z",
"modified": "2017-02-12T18:54:13.000Z",
"first_observed": "2017-02-12T18:54:13Z",
"last_observed": "2017-02-12T18:54:13Z",
"number_observed": 1,
"object_refs": [
"url--58a0af55-8fb4-4e48-bec2-464b02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58a0af55-8fb4-4e48-bec2-464b02de0b81",
"value": "https://www.virustotal.com/file/7c77ec259162872bf9ab18f6754e0e844157b31b32b4a746484f444b9f9a3836/analysis/1486760308/"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58a0afdd-1758-47f9-a269-447902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-12T18:56:29.000Z",
"modified": "2017-02-12T18:56:29.000Z",
"first_observed": "2017-02-12T18:56:29Z",
"last_observed": "2017-02-12T18:56:29Z",
"number_observed": 1,
"object_refs": [
"network-traffic--58a0afdd-1758-47f9-a269-447902de0b81",
"ipv4-addr--58a0afdd-1758-47f9-a269-447902de0b81"
],
"labels": [
"misp:type=\"ip-src\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--58a0afdd-1758-47f9-a269-447902de0b81",
"src_ref": "ipv4-addr--58a0afdd-1758-47f9-a269-447902de0b81",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--58a0afdd-1758-47f9-a269-447902de0b81",
"value": "54.235.197.176"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}