|
{
|
||
|
"type": "bundle",
|
||
|
"id": "bundle--58d3f093-d6f4-44d1-93ac-3449950d210f",
|
||
|
"objects": [
|
||
|
{
|
||
|
"type": "identity",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"name": "CIRCL",
|
||
|
"identity_class": "organization"
|
||
|
},
|
||
|
{
|
||
|
"type": "report",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "report--58d3f093-d6f4-44d1-93ac-3449950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"name": "OSINT - How Malformed RTF Defeats Security Engines",
|
||
|
"published": "2017-03-23T16:22:03Z",
|
||
|
"object_refs": [
|
||
|
"observed-data--58d3f0a2-7ec0-46c6-b8fb-3450950d210f",
|
||
|
"url--58d3f0a2-7ec0-46c6-b8fb-3450950d210f",
|
||
|
"x-misp-attribute--58d3f194-baf0-4e4d-8d20-4ad3950d210f",
|
||
|
"vulnerability--58d3f1b9-9c30-40d1-be38-4cbb950d210f",
|
||
|
"indicator--58d3f1d4-7d90-432f-bce8-9f00950d210f",
|
||
|
"indicator--58d3f215-52e4-4921-9c65-4148950d210f",
|
||
|
"indicator--58d3f216-fa90-473d-a5ad-4317950d210f",
|
||
|
"indicator--58d3f216-2680-420b-b4a5-4c3e950d210f",
|
||
|
"indicator--58d3f31e-584c-4e36-b11b-9f05950d210f",
|
||
|
"indicator--58d3f31f-77c0-471c-964e-9f05950d210f",
|
||
|
"indicator--58d3f320-b490-472a-8d6e-9f05950d210f",
|
||
|
"indicator--58d3f321-af4c-4e22-95dc-9f05950d210f",
|
||
|
"indicator--58d3f322-7a70-486b-832c-9f05950d210f",
|
||
|
"indicator--58d3f323-c51c-4588-88f0-9f05950d210f",
|
||
|
"indicator--58d3f324-92bc-4e9e-a8a2-9f05950d210f",
|
||
|
"indicator--58d3f325-399c-49a9-86f8-9f05950d210f",
|
||
|
"indicator--58d3f326-9274-450a-9c6e-9f05950d210f",
|
||
|
"indicator--58d3f327-7164-44cd-b6ad-9f05950d210f",
|
||
|
"indicator--58d3f328-4a48-4753-863b-9f05950d210f",
|
||
|
"indicator--58d3f329-1314-4c6e-80d7-9f05950d210f",
|
||
|
"indicator--58d3f32a-d554-4ab3-9424-9f05950d210f",
|
||
|
"indicator--58d3f32b-5c40-4ab8-8f75-9f05950d210f",
|
||
|
"indicator--58d3f32c-10f4-4610-9776-9f05950d210f",
|
||
|
"indicator--58d3f32c-c590-47d0-853a-9f05950d210f",
|
||
|
"indicator--58d3f32d-0d48-4d6b-9a69-9f05950d210f",
|
||
|
"indicator--58d3f32e-88ec-418f-8291-9f05950d210f",
|
||
|
"indicator--58d3f32f-0fd8-483a-b0c8-9f05950d210f",
|
||
|
"indicator--58d3f330-f0d8-4ff5-9a7b-9f05950d210f",
|
||
|
"indicator--58d3f331-270c-4dc5-a268-9f05950d210f",
|
||
|
"indicator--58d3f333-b78c-4a9f-8901-9f05950d210f",
|
||
|
"indicator--58d3f334-7b70-40ea-88f1-9f05950d210f",
|
||
|
"indicator--58d3f335-54d8-458e-9c35-9f05950d210f",
|
||
|
"indicator--58d3f336-8900-4a80-8725-9f05950d210f",
|
||
|
"indicator--58d3f337-f6b0-44b3-8f57-9f05950d210f",
|
||
|
"indicator--58d3f338-ac9c-4a92-9639-9f05950d210f",
|
||
|
"indicator--58d3f339-dfa0-445a-9326-9f05950d210f",
|
||
|
"indicator--58d3f33a-2da4-4c6d-bcfc-9f05950d210f",
|
||
|
"indicator--58d3f33b-b164-45b0-a296-9f05950d210f",
|
||
|
"indicator--58d3f33c-ceb0-4254-80f9-9f05950d210f",
|
||
|
"indicator--58d3f33d-747c-4cb7-b239-9f05950d210f",
|
||
|
"indicator--58d3f33e-2bd4-4888-9b1d-9f05950d210f",
|
||
|
"indicator--58d3f33e-13fc-4eaa-8585-9f05950d210f",
|
||
|
"indicator--58d3f340-22d0-4aa9-a348-9f05950d210f",
|
||
|
"indicator--58d3f341-ad58-491e-9823-9f05950d210f",
|
||
|
"indicator--58d3f342-1444-4e2b-8894-9f05950d210f",
|
||
|
"indicator--58d3f342-08e4-4880-994b-9f05950d210f",
|
||
|
"indicator--58d3f343-f908-4d8a-b069-9f05950d210f",
|
||
|
"indicator--58d3f344-5248-41b7-913e-9f05950d210f",
|
||
|
"indicator--58d3f345-d110-465c-9157-9f05950d210f",
|
||
|
"indicator--58d3f346-e8f0-4a49-bf46-9f05950d210f",
|
||
|
"indicator--58d3f347-9aec-48a4-9925-9f05950d210f",
|
||
|
"indicator--58d3f349-6d20-48eb-a4d3-9f05950d210f",
|
||
|
"indicator--58d3f34a-f088-4db4-a896-9f05950d210f",
|
||
|
"indicator--58d3f34b-b0fc-4ff5-9292-9f05950d210f",
|
||
|
"indicator--58d3f34c-94f0-42c0-ad4c-9f05950d210f",
|
||
|
"indicator--58d3f34d-41c8-468a-aed2-9f05950d210f",
|
||
|
"indicator--58d3f34e-c8b0-4027-8e04-9f05950d210f",
|
||
|
"indicator--58d3f34f-ff70-4a64-af22-9f05950d210f",
|
||
|
"indicator--58d3f350-76c8-4773-853d-9f05950d210f",
|
||
|
"indicator--58d3f351-0488-455f-8212-9f05950d210f",
|
||
|
"indicator--58d3f352-0284-4377-813c-9f05950d210f",
|
||
|
"indicator--58d3f353-6c24-4733-907a-9f05950d210f",
|
||
|
"indicator--58d3f354-7cf4-43bd-9dda-9f05950d210f",
|
||
|
"indicator--58d3f355-ae80-4eac-a39a-9f05950d210f",
|
||
|
"indicator--58d3f356-c4f4-4131-911e-9f05950d210f",
|
||
|
"indicator--58d3f357-1054-4699-9347-9f05950d210f",
|
||
|
"indicator--58d3f358-8c9c-44eb-b43d-9f05950d210f",
|
||
|
"indicator--58d3f359-94f0-479e-81ef-9f05950d210f",
|
||
|
"indicator--58d3f359-c348-4414-96d1-9f05950d210f",
|
||
|
"indicator--58d3f35a-b1e8-4ea8-85b1-9f05950d210f",
|
||
|
"indicator--58d3f473-41a8-43cb-b70e-9f0702de0b81",
|
||
|
"indicator--58d3f474-4948-431f-a3ab-9f0702de0b81",
|
||
|
"observed-data--58d3f475-09c4-4aec-8cd9-9f0702de0b81",
|
||
|
"url--58d3f475-09c4-4aec-8cd9-9f0702de0b81",
|
||
|
"indicator--58d3f476-cce8-4fca-ad70-9f0702de0b81",
|
||
|
"indicator--58d3f477-1068-4f6c-9653-9f0702de0b81",
|
||
|
"observed-data--58d3f477-bcdc-472e-8af9-9f0702de0b81",
|
||
|
"url--58d3f477-bcdc-472e-8af9-9f0702de0b81",
|
||
|
"indicator--58d3f478-906c-4c70-95aa-9f0702de0b81",
|
||
|
"indicator--58d3f479-e5f0-48e0-b87a-9f0702de0b81",
|
||
|
"observed-data--58d3f47a-5340-4d5c-b014-9f0702de0b81",
|
||
|
"url--58d3f47a-5340-4d5c-b014-9f0702de0b81",
|
||
|
"indicator--58d3f47b-7af0-404e-aa7e-9f0702de0b81",
|
||
|
"indicator--58d3f47c-e300-4575-8384-9f0702de0b81",
|
||
|
"observed-data--58d3f47d-06b8-4e6d-8e5c-9f0702de0b81",
|
||
|
"url--58d3f47d-06b8-4e6d-8e5c-9f0702de0b81",
|
||
|
"indicator--58d3f47e-46dc-4f6d-ab77-9f0702de0b81",
|
||
|
"indicator--58d3f47f-edac-4091-80a4-9f0702de0b81",
|
||
|
"observed-data--58d3f47f-02e8-4528-9d5d-9f0702de0b81",
|
||
|
"url--58d3f47f-02e8-4528-9d5d-9f0702de0b81",
|
||
|
"indicator--58d3f480-fd5c-492b-b65c-9f0702de0b81",
|
||
|
"indicator--58d3f481-5c70-4976-9427-9f0702de0b81",
|
||
|
"observed-data--58d3f482-95dc-4161-99f9-9f0702de0b81",
|
||
|
"url--58d3f482-95dc-4161-99f9-9f0702de0b81",
|
||
|
"indicator--58d3f483-15d4-47ba-9207-9f0702de0b81",
|
||
|
"indicator--58d3f484-fe38-437e-9200-9f0702de0b81",
|
||
|
"observed-data--58d3f485-6e70-4db3-9ed5-9f0702de0b81",
|
||
|
"url--58d3f485-6e70-4db3-9ed5-9f0702de0b81",
|
||
|
"indicator--58d3f486-dfa4-4833-ba6a-9f0702de0b81",
|
||
|
"indicator--58d3f487-3070-48cd-a586-9f0702de0b81",
|
||
|
"observed-data--58d3f488-91b4-4fbd-a83b-9f0702de0b81",
|
||
|
"url--58d3f488-91b4-4fbd-a83b-9f0702de0b81",
|
||
|
"indicator--58d3f489-c2d8-4596-815a-9f0702de0b81",
|
||
|
"indicator--58d3f489-a69c-4247-bcc0-9f0702de0b81",
|
||
|
"observed-data--58d3f48a-2f20-4536-8866-9f0702de0b81",
|
||
|
"url--58d3f48a-2f20-4536-8866-9f0702de0b81",
|
||
|
"indicator--58d3f48b-d194-42c9-af6d-9f0702de0b81",
|
||
|
"indicator--58d3f48c-bc18-45fe-b514-9f0702de0b81",
|
||
|
"observed-data--58d3f48d-ed58-4832-b2c9-9f0702de0b81",
|
||
|
"url--58d3f48d-ed58-4832-b2c9-9f0702de0b81",
|
||
|
"indicator--58d3f48e-a8d0-4a80-bb64-9f0702de0b81",
|
||
|
"indicator--58d3f48f-2188-4f91-a5ae-9f0702de0b81",
|
||
|
"observed-data--58d3f490-4c58-4735-bad2-9f0702de0b81",
|
||
|
"url--58d3f490-4c58-4735-bad2-9f0702de0b81",
|
||
|
"indicator--58d3f491-4ddc-4653-8342-9f0702de0b81",
|
||
|
"indicator--58d3f491-950c-4e31-98dd-9f0702de0b81",
|
||
|
"observed-data--58d3f492-19dc-486e-a83e-9f0702de0b81",
|
||
|
"url--58d3f492-19dc-486e-a83e-9f0702de0b81",
|
||
|
"indicator--58d3f493-ba20-472a-8e83-9f0702de0b81",
|
||
|
"indicator--58d3f494-2564-475f-8b0d-9f0702de0b81",
|
||
|
"observed-data--58d3f495-2b6c-40b4-9246-9f0702de0b81",
|
||
|
"url--58d3f495-2b6c-40b4-9246-9f0702de0b81",
|
||
|
"indicator--58d3f496-3e7c-470a-a837-9f0702de0b81",
|
||
|
"indicator--58d3f497-6fa0-46b6-9633-9f0702de0b81",
|
||
|
"observed-data--58d3f498-3080-4592-84bb-9f0702de0b81",
|
||
|
"url--58d3f498-3080-4592-84bb-9f0702de0b81",
|
||
|
"indicator--58d3f499-82e8-4f8c-8f08-9f0702de0b81",
|
||
|
"indicator--58d3f49a-881c-4000-9b66-9f0702de0b81",
|
||
|
"observed-data--58d3f49a-4320-40bb-9485-9f0702de0b81",
|
||
|
"url--58d3f49a-4320-40bb-9485-9f0702de0b81",
|
||
|
"indicator--58d3f49b-83b8-4712-8b2f-9f0702de0b81",
|
||
|
"indicator--58d3f49c-0310-4f19-81c5-9f0702de0b81",
|
||
|
"observed-data--58d3f49d-b5a0-4e7f-960b-9f0702de0b81",
|
||
|
"url--58d3f49d-b5a0-4e7f-960b-9f0702de0b81",
|
||
|
"indicator--58d3f49e-dcb8-4253-ad25-9f0702de0b81",
|
||
|
"indicator--58d3f49f-141c-4677-ba9b-9f0702de0b81",
|
||
|
"observed-data--58d3f4a0-b594-48ef-aaab-9f0702de0b81",
|
||
|
"url--58d3f4a0-b594-48ef-aaab-9f0702de0b81",
|
||
|
"indicator--58d3f4a1-63a8-4fc4-b21b-9f0702de0b81",
|
||
|
"indicator--58d3f4a2-9eb8-4698-bcbb-9f0702de0b81",
|
||
|
"observed-data--58d3f4a3-fa88-4ee5-b387-9f0702de0b81",
|
||
|
"url--58d3f4a3-fa88-4ee5-b387-9f0702de0b81",
|
||
|
"indicator--58d3f4a4-2408-4323-b129-9f0702de0b81",
|
||
|
"indicator--58d3f4a5-64e0-4c3d-9349-9f0702de0b81",
|
||
|
"observed-data--58d3f4a5-e470-42e1-b47d-9f0702de0b81",
|
||
|
"url--58d3f4a5-e470-42e1-b47d-9f0702de0b81",
|
||
|
"indicator--58d3f4a6-ba10-4ebc-afaf-9f0702de0b81",
|
||
|
"indicator--58d3f4a7-18cc-4ead-ba97-9f0702de0b81",
|
||
|
"observed-data--58d3f4a8-c578-407a-b8c7-9f0702de0b81",
|
||
|
"url--58d3f4a8-c578-407a-b8c7-9f0702de0b81",
|
||
|
"indicator--58d3f4a9-c780-4a64-9fd3-9f0702de0b81",
|
||
|
"indicator--58d3f4aa-e0cc-42f0-9616-9f0702de0b81",
|
||
|
"observed-data--58d3f4ab-4168-4134-95c5-9f0702de0b81",
|
||
|
"url--58d3f4ab-4168-4134-95c5-9f0702de0b81",
|
||
|
"indicator--58d3f4ac-c624-4a96-979d-9f0702de0b81",
|
||
|
"indicator--58d3f4ad-8f60-44ab-ae9b-9f0702de0b81",
|
||
|
"observed-data--58d3f4ae-20a0-473a-a4dd-9f0702de0b81",
|
||
|
"url--58d3f4ae-20a0-473a-a4dd-9f0702de0b81",
|
||
|
"indicator--58d3f4af-b314-4f41-818d-9f0702de0b81",
|
||
|
"indicator--58d3f4af-1274-4b40-941e-9f0702de0b81",
|
||
|
"observed-data--58d3f4b0-6334-4fce-9704-9f0702de0b81",
|
||
|
"url--58d3f4b0-6334-4fce-9704-9f0702de0b81",
|
||
|
"indicator--58d3f4b1-ba78-4b17-b845-9f0702de0b81",
|
||
|
"indicator--58d3f4b2-a248-4911-8f00-9f0702de0b81",
|
||
|
"observed-data--58d3f4b3-44bc-420e-a5d9-9f0702de0b81",
|
||
|
"url--58d3f4b3-44bc-420e-a5d9-9f0702de0b81",
|
||
|
"indicator--58d3f4b4-f8e4-4f2b-bf75-9f0702de0b81",
|
||
|
"indicator--58d3f4b5-9f10-4dc4-868c-9f0702de0b81",
|
||
|
"observed-data--58d3f4b6-6eac-4220-8615-9f0702de0b81",
|
||
|
"url--58d3f4b6-6eac-4220-8615-9f0702de0b81",
|
||
|
"indicator--58d3f4b7-2258-49ec-a7a8-9f0702de0b81",
|
||
|
"indicator--58d3f4b8-87cc-41aa-8300-9f0702de0b81",
|
||
|
"observed-data--58d3f4b8-42f8-4743-b13a-9f0702de0b81",
|
||
|
"url--58d3f4b8-42f8-4743-b13a-9f0702de0b81",
|
||
|
"indicator--58d3f4b9-c48c-460a-8ae7-9f0702de0b81",
|
||
|
"indicator--58d3f4ba-7820-495f-9320-9f0702de0b81",
|
||
|
"observed-data--58d3f4bb-d08c-4568-8ae9-9f0702de0b81",
|
||
|
"url--58d3f4bb-d08c-4568-8ae9-9f0702de0b81",
|
||
|
"indicator--58d3f4bc-a700-4b97-b45f-9f0702de0b81",
|
||
|
"indicator--58d3f4bd-e1bc-47c6-a589-9f0702de0b81",
|
||
|
"observed-data--58d3f4be-7f68-4a67-9d7d-9f0702de0b81",
|
||
|
"url--58d3f4be-7f68-4a67-9d7d-9f0702de0b81",
|
||
|
"indicator--58d3f4bf-fcf8-40cb-8b69-9f0702de0b81",
|
||
|
"indicator--58d3f4c0-2198-424d-b375-9f0702de0b81",
|
||
|
"observed-data--58d3f4c1-4074-453b-ab12-9f0702de0b81",
|
||
|
"url--58d3f4c1-4074-453b-ab12-9f0702de0b81",
|
||
|
"indicator--58d3f4c1-d398-4488-8c7a-9f0702de0b81",
|
||
|
"indicator--58d3f4c2-1f0c-4b35-b40e-9f0702de0b81",
|
||
|
"observed-data--58d3f4c3-d014-4bb3-9961-9f0702de0b81",
|
||
|
"url--58d3f4c3-d014-4bb3-9961-9f0702de0b81",
|
||
|
"indicator--58d3f4c4-ef20-4174-affe-9f0702de0b81",
|
||
|
"indicator--58d3f4c5-5984-466b-835e-9f0702de0b81",
|
||
|
"observed-data--58d3f4c6-301c-4652-88c8-9f0702de0b81",
|
||
|
"url--58d3f4c6-301c-4652-88c8-9f0702de0b81",
|
||
|
"indicator--58d3f4c7-5ed0-493a-b5d4-9f0702de0b81",
|
||
|
"indicator--58d3f4c8-78f0-4e7e-8900-9f0702de0b81",
|
||
|
"observed-data--58d3f4c9-8ea4-4eff-b81c-9f0702de0b81",
|
||
|
"url--58d3f4c9-8ea4-4eff-b81c-9f0702de0b81",
|
||
|
"indicator--58d3f4c9-987c-4761-8c25-9f0702de0b81",
|
||
|
"indicator--58d3f4ca-9818-4277-9a2e-9f0702de0b81",
|
||
|
"observed-data--58d3f4cb-0944-496d-95f3-9f0702de0b81",
|
||
|
"url--58d3f4cb-0944-496d-95f3-9f0702de0b81",
|
||
|
"indicator--58d3f4cc-bb1c-4496-ac1d-9f0702de0b81",
|
||
|
"indicator--58d3f4cd-bba4-4e73-b121-9f0702de0b81",
|
||
|
"observed-data--58d3f4ce-f8f0-485e-9bf2-9f0702de0b81",
|
||
|
"url--58d3f4ce-f8f0-485e-9bf2-9f0702de0b81",
|
||
|
"indicator--58d3f4cf-75bc-426d-966d-9f0702de0b81",
|
||
|
"indicator--58d3f4d0-5580-4826-a76c-9f0702de0b81",
|
||
|
"observed-data--58d3f4d1-5b1c-47c3-b2cd-9f0702de0b81",
|
||
|
"url--58d3f4d1-5b1c-47c3-b2cd-9f0702de0b81",
|
||
|
"indicator--58d3f4d2-9d24-427b-a00c-9f0702de0b81",
|
||
|
"indicator--58d3f4d2-9570-4a5e-bf21-9f0702de0b81",
|
||
|
"observed-data--58d3f4d3-357c-4605-8899-9f0702de0b81",
|
||
|
"url--58d3f4d3-357c-4605-8899-9f0702de0b81",
|
||
|
"indicator--58d3f4d4-34a4-4d48-a27e-9f0702de0b81",
|
||
|
"indicator--58d3f4d5-6c54-46fe-8da0-9f0702de0b81",
|
||
|
"observed-data--58d3f4d6-5dbc-4b36-8b92-9f0702de0b81",
|
||
|
"url--58d3f4d6-5dbc-4b36-8b92-9f0702de0b81",
|
||
|
"indicator--58d3f4d7-6668-4ec1-b0c8-9f0702de0b81",
|
||
|
"indicator--58d3f4d8-cd78-4ddc-b420-9f0702de0b81",
|
||
|
"observed-data--58d3f4d9-36f8-4b3a-8da1-9f0702de0b81",
|
||
|
"url--58d3f4d9-36f8-4b3a-8da1-9f0702de0b81",
|
||
|
"indicator--58d3f4da-f654-4570-b92e-9f0702de0b81",
|
||
|
"indicator--58d3f4da-9464-4464-960e-9f0702de0b81",
|
||
|
"observed-data--58d3f4db-4fa4-4638-ae46-9f0702de0b81",
|
||
|
"url--58d3f4db-4fa4-4638-ae46-9f0702de0b81",
|
||
|
"indicator--58d3f4dc-b564-4558-a522-9f0702de0b81",
|
||
|
"indicator--58d3f4dd-5b30-4672-983f-9f0702de0b81",
|
||
|
"observed-data--58d3f4de-675c-49be-bced-9f0702de0b81",
|
||
|
"url--58d3f4de-675c-49be-bced-9f0702de0b81",
|
||
|
"indicator--58d3f4df-d2ac-4989-8f5f-9f0702de0b81",
|
||
|
"indicator--58d3f4e0-144c-428b-97b6-9f0702de0b81",
|
||
|
"observed-data--58d3f4e1-e650-4b87-8236-9f0702de0b81",
|
||
|
"url--58d3f4e1-e650-4b87-8236-9f0702de0b81",
|
||
|
"indicator--58d3f4e2-2764-40dc-b738-9f0702de0b81",
|
||
|
"indicator--58d3f4e3-ac74-476c-88d7-9f0702de0b81",
|
||
|
"observed-data--58d3f4e3-f2b4-4df3-bd6e-9f0702de0b81",
|
||
|
"url--58d3f4e3-f2b4-4df3-bd6e-9f0702de0b81",
|
||
|
"indicator--58d3f4e4-f018-471c-a801-9f0702de0b81",
|
||
|
"indicator--58d3f4e5-d3f4-4911-869f-9f0702de0b81",
|
||
|
"observed-data--58d3f4e6-bf80-47f8-8c5c-9f0702de0b81",
|
||
|
"url--58d3f4e6-bf80-47f8-8c5c-9f0702de0b81",
|
||
|
"indicator--58d3f4e7-b39c-41b3-aa8d-9f0702de0b81",
|
||
|
"indicator--58d3f4e8-26c4-4601-b9e6-9f0702de0b81",
|
||
|
"observed-data--58d3f4e9-b10c-4c7f-9fd2-9f0702de0b81",
|
||
|
"url--58d3f4e9-b10c-4c7f-9fd2-9f0702de0b81",
|
||
|
"indicator--58d3f4ea-da6c-4472-a666-9f0702de0b81",
|
||
|
"indicator--58d3f4eb-893c-4586-b9a4-9f0702de0b81",
|
||
|
"observed-data--58d3f4eb-5e8c-44d4-be1a-9f0702de0b81",
|
||
|
"url--58d3f4eb-5e8c-44d4-be1a-9f0702de0b81",
|
||
|
"indicator--58d3f4ec-7f6c-41b6-acf8-9f0702de0b81",
|
||
|
"indicator--58d3f4ed-5990-40e4-a4eb-9f0702de0b81",
|
||
|
"observed-data--58d3f4ee-ef48-4469-b86b-9f0702de0b81",
|
||
|
"url--58d3f4ee-ef48-4469-b86b-9f0702de0b81",
|
||
|
"indicator--58d3f4ef-0ea0-4202-ae79-9f0702de0b81",
|
||
|
"indicator--58d3f4f0-39c4-4a31-bfd1-9f0702de0b81",
|
||
|
"observed-data--58d3f4f1-139c-435a-8449-9f0702de0b81",
|
||
|
"url--58d3f4f1-139c-435a-8449-9f0702de0b81",
|
||
|
"indicator--58d3f4f2-10ec-4801-b454-9f0702de0b81",
|
||
|
"indicator--58d3f4f3-7c50-4e58-b7b8-9f0702de0b81",
|
||
|
"observed-data--58d3f4f3-64f4-4432-b3f2-9f0702de0b81",
|
||
|
"url--58d3f4f3-64f4-4432-b3f2-9f0702de0b81",
|
||
|
"indicator--58d3f4f4-ce20-4e35-8a8a-9f0702de0b81",
|
||
|
"indicator--58d3f4f5-a34c-4abe-b6b1-9f0702de0b81",
|
||
|
"observed-data--58d3f4f6-d2e4-4f6c-b80a-9f0702de0b81",
|
||
|
"url--58d3f4f6-d2e4-4f6c-b80a-9f0702de0b81",
|
||
|
"indicator--58d3f4f7-ded4-4b80-b9bd-9f0702de0b81",
|
||
|
"indicator--58d3f4f8-295c-4535-b5ba-9f0702de0b81",
|
||
|
"observed-data--58d3f4f9-6a74-491b-b612-9f0702de0b81",
|
||
|
"url--58d3f4f9-6a74-491b-b612-9f0702de0b81",
|
||
|
"indicator--58d3f4fa-d49c-4cf7-a12c-9f0702de0b81",
|
||
|
"indicator--58d3f4fb-940c-43f8-a8d0-9f0702de0b81",
|
||
|
"observed-data--58d3f4fc-2318-4024-8936-9f0702de0b81",
|
||
|
"url--58d3f4fc-2318-4024-8936-9f0702de0b81",
|
||
|
"indicator--58d3f4fc-71d4-4903-b449-9f0702de0b81",
|
||
|
"indicator--58d3f4fd-f1b8-4e6a-9127-9f0702de0b81",
|
||
|
"observed-data--58d3f4fe-3c20-47e9-84f6-9f0702de0b81",
|
||
|
"url--58d3f4fe-3c20-47e9-84f6-9f0702de0b81",
|
||
|
"indicator--58d3f4ff-a5e0-4591-a3aa-9f0702de0b81",
|
||
|
"indicator--58d3f501-5324-4530-9b4e-9f0702de0b81",
|
||
|
"observed-data--58d3f501-ccc0-4b1a-b1e1-9f0702de0b81",
|
||
|
"url--58d3f501-ccc0-4b1a-b1e1-9f0702de0b81",
|
||
|
"indicator--58d3f502-0cac-478f-8b4f-9f0702de0b81",
|
||
|
"indicator--58d3f503-e688-4a36-8c4d-9f0702de0b81",
|
||
|
"observed-data--58d3f504-b188-4f0b-9c62-9f0702de0b81",
|
||
|
"url--58d3f504-b188-4f0b-9c62-9f0702de0b81",
|
||
|
"indicator--58d3f505-2ad4-47e3-b8a3-9f0702de0b81",
|
||
|
"indicator--58d3f506-1874-4fc6-84ab-9f0702de0b81",
|
||
|
"observed-data--58d3f507-5540-4cb3-8caa-9f0702de0b81",
|
||
|
"url--58d3f507-5540-4cb3-8caa-9f0702de0b81",
|
||
|
"indicator--58d3f508-819c-4057-bcae-9f0702de0b81",
|
||
|
"indicator--58d3f509-5704-4fc4-9282-9f0702de0b81",
|
||
|
"observed-data--58d3f509-33c8-4d34-91d4-9f0702de0b81",
|
||
|
"url--58d3f509-33c8-4d34-91d4-9f0702de0b81",
|
||
|
"indicator--58d3f50a-058c-45da-9e00-9f0702de0b81",
|
||
|
"indicator--58d3f50b-81e8-4afc-8781-9f0702de0b81",
|
||
|
"observed-data--58d3f50c-75c4-4850-87d5-9f0702de0b81",
|
||
|
"url--58d3f50c-75c4-4850-87d5-9f0702de0b81",
|
||
|
"indicator--58d3f50d-1954-46db-8799-9f0702de0b81",
|
||
|
"indicator--58d3f50e-d3b8-4dd0-b191-9f0702de0b81",
|
||
|
"observed-data--58d3f50f-9e10-4588-956b-9f0702de0b81",
|
||
|
"url--58d3f50f-9e10-4588-956b-9f0702de0b81",
|
||
|
"indicator--58d3f510-2d88-45fc-8e3c-9f0702de0b81",
|
||
|
"indicator--58d3f511-233c-45a7-8baa-9f0702de0b81",
|
||
|
"observed-data--58d3f511-5498-4ea5-ab36-9f0702de0b81",
|
||
|
"url--58d3f511-5498-4ea5-ab36-9f0702de0b81",
|
||
|
"indicator--58d3f512-ece8-4295-a27c-9f0702de0b81",
|
||
|
"indicator--58d3f513-7240-4980-b6f8-9f0702de0b81",
|
||
|
"observed-data--58d3f514-d40c-4065-b661-9f0702de0b81",
|
||
|
"url--58d3f514-d40c-4065-b661-9f0702de0b81",
|
||
|
"indicator--58d3f515-e7c0-45bc-91c2-9f0702de0b81",
|
||
|
"indicator--58d3f516-836c-442c-a32f-9f0702de0b81",
|
||
|
"observed-data--58d3f517-1164-4ebb-b531-9f0702de0b81",
|
||
|
"url--58d3f517-1164-4ebb-b531-9f0702de0b81",
|
||
|
"indicator--58d3f518-ae40-4b54-8a05-9f0702de0b81",
|
||
|
"indicator--58d3f519-f824-448b-bfbf-9f0702de0b81",
|
||
|
"observed-data--58d3f519-8b20-4235-ae02-9f0702de0b81",
|
||
|
"url--58d3f519-8b20-4235-ae02-9f0702de0b81",
|
||
|
"indicator--58d3f51a-de34-4885-885f-9f0702de0b81",
|
||
|
"indicator--58d3f51b-6944-4b48-99ea-9f0702de0b81",
|
||
|
"observed-data--58d3f51c-7490-49b5-9a64-9f0702de0b81",
|
||
|
"url--58d3f51c-7490-49b5-9a64-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"Threat-Report",
|
||
|
"misp:tool=\"MISP-STIX-Converter\""
|
||
|
],
|
||
|
"object_marking_refs": [
|
||
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f0a2-7ec0-46c6-b8fb-3450950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"first_observed": "2017-03-23T16:13:41Z",
|
||
|
"last_observed": "2017-03-23T16:13:41Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f0a2-7ec0-46c6-b8fb-3450950d210f"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"blog-post\"",
|
||
|
"admiralty-scale:source-reliability=\"b\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f0a2-7ec0-46c6-b8fb-3450950d210f",
|
||
|
"value": "http://blog.talosintelligence.com/2017/03/how-malformed-rtf-defeats-security.html"
|
||
|
},
|
||
|
{
|
||
|
"type": "x-misp-attribute",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "x-misp-attribute--58d3f194-baf0-4e4d-8d20-4ad3950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"labels": [
|
||
|
"misp:type=\"text\"",
|
||
|
"misp:category=\"External analysis\"",
|
||
|
"osint:source-type=\"blog-post\"",
|
||
|
"admiralty-scale:source-reliability=\"b\""
|
||
|
],
|
||
|
"x_misp_category": "External analysis",
|
||
|
"x_misp_type": "text",
|
||
|
"x_misp_value": "Talos has discovered a new spam campaign used to infect targets with the well-known Loki Bot stealer. The infection vector is an RTF document abusing an old exploit (CVE-2012-1856), however the most interesting part is the effort put into the generation of the RTF. The document contains several malformations designed to defeat security engines and parsers. The attacker has gone out of their way to attempt to evade content inspection devices like AV or network security devices. According to VirusTotal, the initial detection rate of a malicious RTF document recovered from a recent spam campaign is only 3 out of 45 available engines.\r\n\r\nDespite the known vulnerability, many security products fail to identify the exploit because they are unable to correctly classify the RTF file format and scan the embedded OLE document within the RTF. Even open-source parsers such as rtfobj.py from oletools have difficulties extracting the embedded OLE:"
|
||
|
},
|
||
|
{
|
||
|
"type": "vulnerability",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "vulnerability--58d3f1b9-9c30-40d1-be38-4cbb950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"name": "CVE-2012-1856",
|
||
|
"labels": [
|
||
|
"misp:type=\"vulnerability\"",
|
||
|
"misp:category=\"Payload delivery\""
|
||
|
],
|
||
|
"external_references": [
|
||
|
{
|
||
|
"source_name": "cve",
|
||
|
"external_id": "CVE-2012-1856"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f1d4-7d90-432f-bce8-9f00950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"pattern": "[url:value = 'http://paneltestghelp.xyz:80/eval/server/readonly/fre.php']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"url\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f215-52e4-4921-9c65-4148950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "dropped executables",
|
||
|
"pattern": "[file:hashes.SHA256 = 'da1a6747a3329c3a317d4bd7ecf029e89bd76192075f84834563103a54bac968']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f216-fa90-473d-a5ad-4317950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "dropped executables",
|
||
|
"pattern": "[file:hashes.SHA256 = '2e65f8fc7901505dd4225ec66cca0ef308f2b6fbe48d37f5055775854bf7a5f8']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f216-2680-420b-b4a5-4c3e950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "dropped executables",
|
||
|
"pattern": "[file:hashes.SHA256 = 'a3c3abcd461d00e1f928e375770e39e3a33f719d7287a2fee661d82ce8de1c56']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f31e-584c-4e36-b11b-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '7b684ad97bb9f5093e5cfb100352ad2f0ec3dfce63232207daf0aa736d6438c9']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f31f-77c0-471c-964e-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '14a6e04a60b1bb5f4d0fb3fffa240b7b34bf9c0b8504da19caeb31182510c139']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f320-b490-472a-8d6e-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '1ae6aa92ce8ee9a2ab78631663fa5a9bdcc14490c4c5fe799b41d26455b5b696']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f321-af4c-4e22-95dc-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '4f2c10b64d4f4b56d56b5a271331c92484b6ddf8c4eb9f56669ed60545a4c06d']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f322-7a70-486b-832c-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = 'b1da2cb4fcee52cdc94c06325c339ac11a3fb1e399e1ed5a2a55107f5f64867f']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f323-c51c-4588-88f0-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '41c4483cfcc0b5a10504aa137ec3824d139663b7ec318d5e1fb6c9f5db8af8f9']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f324-92bc-4e9e-a8a2-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = 'f07f87ab68482d329eeac5525ea5f189bcd720d2b2d149db61ab81ae04be957a']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f325-399c-49a9-86f8-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = 'be81741ae3c7c2c5000785a2573c901068a2906054690ac22119ac794aa9e8e2']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f326-9274-450a-9c6e-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = 'cd16e420fbc39b63de93198cdb1265c1bfe83119c7d4d75d5501465cdd0847f1']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f327-7164-44cd-b6ad-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = 'b330fadeb337e9fb5aa9f8046462e3d1d418946fd6237bc252a80a2d4fb2fff7']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f328-4a48-4753-863b-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '629d1afbedd7cc082549d5c3fc3926b6b4e55abc3c07f8d994a791893a2fd530']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f329-1314-4c6e-80d7-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '9f48ce01ac99033c03e9aa983c09fa273eae0e168e55de8cc364311ae4fc88b9']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f32a-d554-4ab3-9424-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = 'dd783bcdbc81bc605cf07545a01273596d4e51b198874253815069cd6708b2fa']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f32b-5c40-4ab8-8f75-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '59011fa80db84cea54bc6ec7f7bc689d916f04e8df9950b259ad524142225731']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f32c-10f4-4610-9776-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '7aa0abedd75c46680ac65814d9433a04bb9f6bc6f094d66cc33a918f32dcb2fa']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f32c-c590-47d0-853a-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = 'ad3af8a7ab469fa930d0873475214c3160f52b17c06f296d6ce9cc6fc92e8a79']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f32d-0d48-4d6b-9a69-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '89a1264bd7facf02d48aff46724a0215c2fb1974d06451cebefdb2ea7ea9a71a']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f32e-88ec-418f-8291-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = 'c53bf11adb48a00393c30a0902716e0088f650750349f5966ba3b60a0fa17487']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f32f-0fd8-483a-b0c8-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '4a7d6c770c5fdbb32534b535efe0324e3bc25a8bcd3551b7fe0ff3610ee81299']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f330-f0d8-4ff5-9a7b-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '6077c3ed4dc67526f89b2c59fc16b389530a73b326f63fff17ae7c824b7770fd']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f331-270c-4dc5-a268-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '11836837753c754997adf8ccf4fa8ba824e57725f56fbcd3b0d903e1fa30ac5b']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f333-b78c-4a9f-8901-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '737d1468b20dc39300bc2be38285b6482940d2be9ae59b7dc984cf4dc6d82053']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f334-7b70-40ea-88f1-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '415b9e72811cd7c50366d9c9038df02fe3bbfc6446ef42b099d85ea576fbd35d']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f335-54d8-458e-9c35-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '84a2ded87681e65be35994ea26f4b2287e52438bbeebaac784c291196a6f94c6']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f336-8900-4a80-8725-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '9c62f4947a572356f43f71fb55f2b702b78c2e1688c67eff89c36da50137ed21']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f337-f6b0-44b3-8f57-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = 'c201e4bb7b68b4655ab7ac85c8a7c93abe2238ec3d24914d86e8a543b6c6abbd']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f338-ac9c-4a92-9639-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '17ae8d128938131ebc944f5d77be7009fd05c8831f88ef3558cc9c00f0633f97']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f339-dfa0-445a-9326-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = 'dbc97df1e5036ac572d8a247a6b073ab1f1dabd20676443598135c6743534028']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f33a-2da4-4c6d-bcfc-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '79316e4c2601a5721d5d6ada0f152790ad44aa9ac5badf17e12c7825fb1f46aa']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f33b-b164-45b0-a296-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = 'a406f0208c914ff28f8e30eda539acb6abd23bbdecf704be4b77615a27f62e8d']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f33c-ceb0-4254-80f9-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '552fe8b5fd175822d4479552078331dbfb16881fea9514377a802f3cce87ac02']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f33d-747c-4cb7-b239-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '27290fd934092cf1ca2a242e6847665a16771376af8f5c81ef1c851463e77709']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f33e-2bd4-4888-9b1d-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '66de8e2f1d5ebbf3f8c511d5cd6394e24be3c694e78d614dfe703f8aa198906f']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f33e-13fc-4eaa-8585-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = 'a0e529ed847b78fd68a871688a7e99e6abc87295c671a3e2d02a61a1e04f5ce9']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f340-22d0-4aa9-a348-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '5c1db6ce5989645bbc8cb8489dee2fb99eba7b4093eaad96cd5a6c692a53c245']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f341-ad58-491e-9823-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = 'c343e92d30c1374c631efa8cf612faf5567e8bd66330e1ff58ac9296c3373304']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f342-1444-4e2b-8894-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = 'ecc9526b380bd109dbcb3d9c4635c1866234d302658758d6ecf4e927a12af9a1']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f342-08e4-4880-994b-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '450b2d6741a452d3bff491fb3a40ec8e29cbaf24fb1b400863efe1a7f920543e']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f343-f908-4d8a-b069-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '99a3939d654e4c424dcf33fbc18c7568d1030981ad1ae8f2a6da2966efbff669']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f344-5248-41b7-913e-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = 'e7fc4527e4cb65e05069b871e06226ce9c9669649ed9cfbad2dcb41cdd9fe94c']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f345-d110-465c-9157-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '1d73428619f69cbdfc5158f1682cc304ba6af2a0b425244bcd8c2c432d4a50d7']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f346-e8f0-4a49-bf46-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = 'cbb58841ef2179e52fcfb918d085503ccf4482014fa1f0714e11fd667de974a0']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f347-9aec-48a4-9925-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '44583aca68ce734bccc79d28f666bdc81a1436c257f035875df15a82f35e6910']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f349-6d20-48eb-a4d3-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '5872ec86add4892f061cc1fd2478da098645876d0b13d3ce3e789f526c5b8ec8']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f34a-f088-4db4-a896-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '9eb85367bd59854ccd7b8e13a22deec92bbe746a5de83820d7265055f96da40f']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f34b-b0fc-4ff5-9292-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '6d33cd5b7cfcc4a55583adbf75f578d71d6aa572e93c5a7392ece4dc8204d0f8']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f34c-94f0-42c0-ad4c-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '4d46087599b246cd297883341859561b3b1794419c704b167a28c7891ff5d7b1']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f34d-41c8-468a-aed2-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '7c5337250b6a1ede2472e4acc74366e8a425eaf2c36e3805d36200ad560d0feb']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f34e-c8b0-4027-8e04-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = 'bc4f30177538628f93d57ae1e59859c50409afefe133956ec801c040ab9253f5']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f34f-ff70-4a64-af22-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '726f170f13b9a24d409c0c4fbf0a14aff0f3cd1662762230bfaf7a8822257880']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f350-76c8-4773-853d-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '885877989df73bafd087f7c689eedfa5e2fe3620ab62d6ff57a3394702761751']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f351-0488-455f-8212-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '9f40662ebbd3a848219aa47c149c174c292cea5e62dcc0bd26f12e1bf5ba7d7c']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f352-0284-4377-813c-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '0882c8a38ca485fe9763b0c0c7c5a22c330cebe86101a9e1ffa5a70c4f58faac']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f353-6c24-4733-907a-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '156cbbb25240e246a2340e1bca1692b7110277bac30f76dcacd48dd5f2042caa']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f354-7cf4-43bd-9dda-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = 'a28c3c075ecfb982e6e3cb237c0eab1308f023e7bcf207d0fd1f2b4f29791074']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f355-ae80-4eac-a39a-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = 'e5de4a14367d1a7b599d7afae07aa66c63941238ff25f4f17dea54db6d8ac350']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f356-c4f4-4131-911e-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '5d6b52287f4fdefe0621d9fadd83b0531f56811937b023ce49e426e320b372f5']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f357-1054-4699-9347-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '599a60601345bf8fc05f27d35f3c3f2ed80b6e7890d5f33a57f75c09a089356a']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f358-8c9c-44eb-b43d-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '194549b3fd0be8a701b8433db1b2cff396a4492c342632fa22d6af89570eff46']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f359-94f0-479e-81ef-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '673f9469ff150c8c821ea3b5b1cda8175d09719fbd7d1359d334dbf17f74adbe']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f359-c348-4414-96d1-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = 'f81be30a7d6792e59f5a0ade225472042c9eb9bf59b03f67e85b0642c16e59ce']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f35a-b1e8-4ea8-85b1-9f05950d210f",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:13:41.000Z",
|
||
|
"modified": "2017-03-23T16:13:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format:",
|
||
|
"pattern": "[file:hashes.SHA256 = '5957fe5e38f2b2530569e21f040a92b1fb36816b6d5187d8a0ecf0ba84f36519']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:13:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha256\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f473-41a8-43cb-b70e-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:14:43.000Z",
|
||
|
"modified": "2017-03-23T16:14:43.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 5957fe5e38f2b2530569e21f040a92b1fb36816b6d5187d8a0ecf0ba84f36519",
|
||
|
"pattern": "[file:hashes.SHA1 = '8f7850d8bfe42451aaf632e36734d2f06e42ca51']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:14:43Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f474-4948-431f-a3ab-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:14:44.000Z",
|
||
|
"modified": "2017-03-23T16:14:44.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 5957fe5e38f2b2530569e21f040a92b1fb36816b6d5187d8a0ecf0ba84f36519",
|
||
|
"pattern": "[file:hashes.MD5 = '9e204cd2ff089fb2e9d4cbdc013168f6']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:14:44Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f475-09c4-4aec-8cd9-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:14:45.000Z",
|
||
|
"modified": "2017-03-23T16:14:45.000Z",
|
||
|
"first_observed": "2017-03-23T16:14:45Z",
|
||
|
"last_observed": "2017-03-23T16:14:45Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f475-09c4-4aec-8cd9-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f475-09c4-4aec-8cd9-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/5957fe5e38f2b2530569e21f040a92b1fb36816b6d5187d8a0ecf0ba84f36519/analysis/1487240495/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f476-cce8-4fca-ad70-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:14:46.000Z",
|
||
|
"modified": "2017-03-23T16:14:46.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: f81be30a7d6792e59f5a0ade225472042c9eb9bf59b03f67e85b0642c16e59ce",
|
||
|
"pattern": "[file:hashes.SHA1 = 'b74554d4b0dd17d4b6f752303c606c6db7d491ef']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:14:46Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f477-1068-4f6c-9653-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:14:47.000Z",
|
||
|
"modified": "2017-03-23T16:14:47.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: f81be30a7d6792e59f5a0ade225472042c9eb9bf59b03f67e85b0642c16e59ce",
|
||
|
"pattern": "[file:hashes.MD5 = '2ddc4bcef5703502ee4732ccb0fcc6b8']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:14:47Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f477-bcdc-472e-8af9-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:14:47.000Z",
|
||
|
"modified": "2017-03-23T16:14:47.000Z",
|
||
|
"first_observed": "2017-03-23T16:14:47Z",
|
||
|
"last_observed": "2017-03-23T16:14:47Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f477-bcdc-472e-8af9-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f477-bcdc-472e-8af9-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/f81be30a7d6792e59f5a0ade225472042c9eb9bf59b03f67e85b0642c16e59ce/analysis/1490260467/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f478-906c-4c70-95aa-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:14:48.000Z",
|
||
|
"modified": "2017-03-23T16:14:48.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 194549b3fd0be8a701b8433db1b2cff396a4492c342632fa22d6af89570eff46",
|
||
|
"pattern": "[file:hashes.SHA1 = 'a414e57a7f6dc810634cd74e31523c897cebcade']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:14:48Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f479-e5f0-48e0-b87a-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:14:49.000Z",
|
||
|
"modified": "2017-03-23T16:14:49.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 194549b3fd0be8a701b8433db1b2cff396a4492c342632fa22d6af89570eff46",
|
||
|
"pattern": "[file:hashes.MD5 = 'b83a4559bc8f56ba70e54854f7151833']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:14:49Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f47a-5340-4d5c-b014-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:14:50.000Z",
|
||
|
"modified": "2017-03-23T16:14:50.000Z",
|
||
|
"first_observed": "2017-03-23T16:14:50Z",
|
||
|
"last_observed": "2017-03-23T16:14:50Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f47a-5340-4d5c-b014-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f47a-5340-4d5c-b014-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/194549b3fd0be8a701b8433db1b2cff396a4492c342632fa22d6af89570eff46/analysis/1489752432/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f47b-7af0-404e-aa7e-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:14:51.000Z",
|
||
|
"modified": "2017-03-23T16:14:51.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 599a60601345bf8fc05f27d35f3c3f2ed80b6e7890d5f33a57f75c09a089356a",
|
||
|
"pattern": "[file:hashes.SHA1 = '9acb08a11da72f26f9411685ae68681689ddf0ac']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:14:51Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f47c-e300-4575-8384-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:14:52.000Z",
|
||
|
"modified": "2017-03-23T16:14:52.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 599a60601345bf8fc05f27d35f3c3f2ed80b6e7890d5f33a57f75c09a089356a",
|
||
|
"pattern": "[file:hashes.MD5 = 'ce581d3b871320a9fad4105baffc1d6d']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:14:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f47d-06b8-4e6d-8e5c-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:14:53.000Z",
|
||
|
"modified": "2017-03-23T16:14:53.000Z",
|
||
|
"first_observed": "2017-03-23T16:14:53Z",
|
||
|
"last_observed": "2017-03-23T16:14:53Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f47d-06b8-4e6d-8e5c-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f47d-06b8-4e6d-8e5c-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/599a60601345bf8fc05f27d35f3c3f2ed80b6e7890d5f33a57f75c09a089356a/analysis/1488980041/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f47e-46dc-4f6d-ab77-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:14:54.000Z",
|
||
|
"modified": "2017-03-23T16:14:54.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 5d6b52287f4fdefe0621d9fadd83b0531f56811937b023ce49e426e320b372f5",
|
||
|
"pattern": "[file:hashes.SHA1 = '4b58c0437799f442f22a162cad2989eace61b8ee']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:14:54Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f47f-edac-4091-80a4-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:14:55.000Z",
|
||
|
"modified": "2017-03-23T16:14:55.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 5d6b52287f4fdefe0621d9fadd83b0531f56811937b023ce49e426e320b372f5",
|
||
|
"pattern": "[file:hashes.MD5 = 'efb3eb8e8c4c0061b3aa41f059376d0e']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:14:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f47f-02e8-4528-9d5d-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:14:55.000Z",
|
||
|
"modified": "2017-03-23T16:14:55.000Z",
|
||
|
"first_observed": "2017-03-23T16:14:55Z",
|
||
|
"last_observed": "2017-03-23T16:14:55Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f47f-02e8-4528-9d5d-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f47f-02e8-4528-9d5d-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/5d6b52287f4fdefe0621d9fadd83b0531f56811937b023ce49e426e320b372f5/analysis/1489722634/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f480-fd5c-492b-b65c-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:14:56.000Z",
|
||
|
"modified": "2017-03-23T16:14:56.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: e5de4a14367d1a7b599d7afae07aa66c63941238ff25f4f17dea54db6d8ac350",
"pattern": "[file:hashes.SHA1 = '3b730baed16931a4f3734755d3c235ea941d93fa']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:14:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f481-5c70-4976-9427-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:14:57.000Z",
"modified": "2017-03-23T16:14:57.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: e5de4a14367d1a7b599d7afae07aa66c63941238ff25f4f17dea54db6d8ac350",
"pattern": "[file:hashes.MD5 = '54506270b7e558f783fff7b6cb33c118']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:14:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d3f482-95dc-4161-99f9-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:14:58.000Z",
"modified": "2017-03-23T16:14:58.000Z",
"first_observed": "2017-03-23T16:14:58Z",
"last_observed": "2017-03-23T16:14:58Z",
"number_observed": 1,
"object_refs": [
"url--58d3f482-95dc-4161-99f9-9f0702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d3f482-95dc-4161-99f9-9f0702de0b81",
"value": "https://www.virustotal.com/file/e5de4a14367d1a7b599d7afae07aa66c63941238ff25f4f17dea54db6d8ac350/analysis/1490174058/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f483-15d4-47ba-9207-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:14:59.000Z",
"modified": "2017-03-23T16:14:59.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: a28c3c075ecfb982e6e3cb237c0eab1308f023e7bcf207d0fd1f2b4f29791074",
"pattern": "[file:hashes.SHA1 = 'fb1121a40ad44d1992af96a89803d93b9f2238af']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:14:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f484-fe38-437e-9200-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:15:00.000Z",
"modified": "2017-03-23T16:15:00.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: a28c3c075ecfb982e6e3cb237c0eab1308f023e7bcf207d0fd1f2b4f29791074",
"pattern": "[file:hashes.MD5 = '432bc47556733fc6430556191013f817']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:15:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d3f485-6e70-4db3-9ed5-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:15:01.000Z",
"modified": "2017-03-23T16:15:01.000Z",
"first_observed": "2017-03-23T16:15:01Z",
"last_observed": "2017-03-23T16:15:01Z",
"number_observed": 1,
"object_refs": [
"url--58d3f485-6e70-4db3-9ed5-9f0702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d3f485-6e70-4db3-9ed5-9f0702de0b81",
"value": "https://www.virustotal.com/file/a28c3c075ecfb982e6e3cb237c0eab1308f023e7bcf207d0fd1f2b4f29791074/analysis/1489656320/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f486-dfa4-4833-ba6a-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:15:02.000Z",
"modified": "2017-03-23T16:15:02.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 156cbbb25240e246a2340e1bca1692b7110277bac30f76dcacd48dd5f2042caa",
"pattern": "[file:hashes.SHA1 = '52594e603c08626f8198804b47c0f33b5a487c5e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:15:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f487-3070-48cd-a586-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:15:03.000Z",
"modified": "2017-03-23T16:15:03.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 156cbbb25240e246a2340e1bca1692b7110277bac30f76dcacd48dd5f2042caa",
"pattern": "[file:hashes.MD5 = '9e4a4e881981fdeadcbf3b538d757a08']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:15:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d3f488-91b4-4fbd-a83b-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:15:04.000Z",
"modified": "2017-03-23T16:15:04.000Z",
"first_observed": "2017-03-23T16:15:04Z",
"last_observed": "2017-03-23T16:15:04Z",
"number_observed": 1,
"object_refs": [
"url--58d3f488-91b4-4fbd-a83b-9f0702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d3f488-91b4-4fbd-a83b-9f0702de0b81",
"value": "https://www.virustotal.com/file/156cbbb25240e246a2340e1bca1692b7110277bac30f76dcacd48dd5f2042caa/analysis/1487800971/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f489-c2d8-4596-815a-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:15:05.000Z",
"modified": "2017-03-23T16:15:05.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 0882c8a38ca485fe9763b0c0c7c5a22c330cebe86101a9e1ffa5a70c4f58faac",
"pattern": "[file:hashes.SHA1 = '6d53c60a5ccb6ed9282863979e34dfc18ca2bd22']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:15:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f489-a69c-4247-bcc0-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:15:05.000Z",
"modified": "2017-03-23T16:15:05.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 0882c8a38ca485fe9763b0c0c7c5a22c330cebe86101a9e1ffa5a70c4f58faac",
"pattern": "[file:hashes.MD5 = '14c93af313c1c96c57c23b88572f6cc9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:15:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d3f48a-2f20-4536-8866-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:15:06.000Z",
"modified": "2017-03-23T16:15:06.000Z",
"first_observed": "2017-03-23T16:15:06Z",
"last_observed": "2017-03-23T16:15:06Z",
"number_observed": 1,
"object_refs": [
"url--58d3f48a-2f20-4536-8866-9f0702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d3f48a-2f20-4536-8866-9f0702de0b81",
"value": "https://www.virustotal.com/file/0882c8a38ca485fe9763b0c0c7c5a22c330cebe86101a9e1ffa5a70c4f58faac/analysis/1487737901/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f48b-d194-42c9-af6d-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:15:07.000Z",
"modified": "2017-03-23T16:15:07.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 9f40662ebbd3a848219aa47c149c174c292cea5e62dcc0bd26f12e1bf5ba7d7c",
"pattern": "[file:hashes.SHA1 = '3b20c41374a6e5ae04600c6cc248e7ebaa47d8af']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:15:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f48c-bc18-45fe-b514-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:15:08.000Z",
"modified": "2017-03-23T16:15:08.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 9f40662ebbd3a848219aa47c149c174c292cea5e62dcc0bd26f12e1bf5ba7d7c",
"pattern": "[file:hashes.MD5 = 'b4525dae66b645664212c44b2325777d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:15:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d3f48d-ed58-4832-b2c9-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:15:09.000Z",
"modified": "2017-03-23T16:15:09.000Z",
"first_observed": "2017-03-23T16:15:09Z",
"last_observed": "2017-03-23T16:15:09Z",
"number_observed": 1,
"object_refs": [
"url--58d3f48d-ed58-4832-b2c9-9f0702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d3f48d-ed58-4832-b2c9-9f0702de0b81",
"value": "https://www.virustotal.com/file/9f40662ebbd3a848219aa47c149c174c292cea5e62dcc0bd26f12e1bf5ba7d7c/analysis/1490199819/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f48e-a8d0-4a80-bb64-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:15:10.000Z",
"modified": "2017-03-23T16:15:10.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 885877989df73bafd087f7c689eedfa5e2fe3620ab62d6ff57a3394702761751",
"pattern": "[file:hashes.SHA1 = '245961eb098174ab176cb042e1d195c5ff8e1c57']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:15:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f48f-2188-4f91-a5ae-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:15:11.000Z",
"modified": "2017-03-23T16:15:11.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 885877989df73bafd087f7c689eedfa5e2fe3620ab62d6ff57a3394702761751",
"pattern": "[file:hashes.MD5 = 'b4e93af7aa9c0c6c4231f8d62e56b904']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:15:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d3f490-4c58-4735-bad2-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:15:12.000Z",
"modified": "2017-03-23T16:15:12.000Z",
"first_observed": "2017-03-23T16:15:12Z",
"last_observed": "2017-03-23T16:15:12Z",
"number_observed": 1,
"object_refs": [
"url--58d3f490-4c58-4735-bad2-9f0702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d3f490-4c58-4735-bad2-9f0702de0b81",
"value": "https://www.virustotal.com/file/885877989df73bafd087f7c689eedfa5e2fe3620ab62d6ff57a3394702761751/analysis/1489710082/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f491-4ddc-4653-8342-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:15:13.000Z",
"modified": "2017-03-23T16:15:13.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 726f170f13b9a24d409c0c4fbf0a14aff0f3cd1662762230bfaf7a8822257880",
"pattern": "[file:hashes.SHA1 = '248d77facd849c606a09afa3ed23a53c94f49868']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:15:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f491-950c-4e31-98dd-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:15:13.000Z",
"modified": "2017-03-23T16:15:13.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 726f170f13b9a24d409c0c4fbf0a14aff0f3cd1662762230bfaf7a8822257880",
"pattern": "[file:hashes.MD5 = 'c5197060f32efe8f06fbdacd1f7ccc6d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:15:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d3f492-19dc-486e-a83e-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:15:14.000Z",
"modified": "2017-03-23T16:15:14.000Z",
"first_observed": "2017-03-23T16:15:14Z",
"last_observed": "2017-03-23T16:15:14Z",
"number_observed": 1,
"object_refs": [
"url--58d3f492-19dc-486e-a83e-9f0702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d3f492-19dc-486e-a83e-9f0702de0b81",
"value": "https://www.virustotal.com/file/726f170f13b9a24d409c0c4fbf0a14aff0f3cd1662762230bfaf7a8822257880/analysis/1489105110/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f493-ba20-472a-8e83-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:15:15.000Z",
"modified": "2017-03-23T16:15:15.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: bc4f30177538628f93d57ae1e59859c50409afefe133956ec801c040ab9253f5",
"pattern": "[file:hashes.SHA1 = '4335311c55cfdd75b8577fd59aec688461805f00']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:15:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f494-2564-475f-8b0d-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:15:16.000Z",
"modified": "2017-03-23T16:15:16.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: bc4f30177538628f93d57ae1e59859c50409afefe133956ec801c040ab9253f5",
"pattern": "[file:hashes.MD5 = '4e71b67ada100e0e9a2be1303e97053c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:15:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d3f495-2b6c-40b4-9246-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:15:17.000Z",
"modified": "2017-03-23T16:15:17.000Z",
"first_observed": "2017-03-23T16:15:17Z",
"last_observed": "2017-03-23T16:15:17Z",
"number_observed": 1,
"object_refs": [
"url--58d3f495-2b6c-40b4-9246-9f0702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d3f495-2b6c-40b4-9246-9f0702de0b81",
"value": "https://www.virustotal.com/file/bc4f30177538628f93d57ae1e59859c50409afefe133956ec801c040ab9253f5/analysis/1490018428/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f496-3e7c-470a-a837-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:15:18.000Z",
"modified": "2017-03-23T16:15:18.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 7c5337250b6a1ede2472e4acc74366e8a425eaf2c36e3805d36200ad560d0feb",
"pattern": "[file:hashes.SHA1 = 'c884caa2af7e60989b4ea5be649a894b09cff14b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:15:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f497-6fa0-46b6-9633-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:15:19.000Z",
"modified": "2017-03-23T16:15:19.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 7c5337250b6a1ede2472e4acc74366e8a425eaf2c36e3805d36200ad560d0feb",
"pattern": "[file:hashes.MD5 = '91723d3297db56d27f76f11c22465d57']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:15:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d3f498-3080-4592-84bb-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:15:20.000Z",
"modified": "2017-03-23T16:15:20.000Z",
"first_observed": "2017-03-23T16:15:20Z",
"last_observed": "2017-03-23T16:15:20Z",
"number_observed": 1,
"object_refs": [
"url--58d3f498-3080-4592-84bb-9f0702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d3f498-3080-4592-84bb-9f0702de0b81",
"value": "https://www.virustotal.com/file/7c5337250b6a1ede2472e4acc74366e8a425eaf2c36e3805d36200ad560d0feb/analysis/1489081066/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f499-82e8-4f8c-8f08-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:15:21.000Z",
"modified": "2017-03-23T16:15:21.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 4d46087599b246cd297883341859561b3b1794419c704b167a28c7891ff5d7b1",
"pattern": "[file:hashes.SHA1 = 'fbe3fd88576d2235d66ad349245c3cfc1ff6efb9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:15:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f49a-881c-4000-9b66-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:15:22.000Z",
"modified": "2017-03-23T16:15:22.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 4d46087599b246cd297883341859561b3b1794419c704b167a28c7891ff5d7b1",
"pattern": "[file:hashes.MD5 = '376cd33189c74cd3213b6ebf58bedd9f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:15:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d3f49a-4320-40bb-9485-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:15:22.000Z",
"modified": "2017-03-23T16:15:22.000Z",
"first_observed": "2017-03-23T16:15:22Z",
"last_observed": "2017-03-23T16:15:22Z",
"number_observed": 1,
"object_refs": [
"url--58d3f49a-4320-40bb-9485-9f0702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d3f49a-4320-40bb-9485-9f0702de0b81",
"value": "https://www.virustotal.com/file/4d46087599b246cd297883341859561b3b1794419c704b167a28c7891ff5d7b1/analysis/1490178042/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f49b-83b8-4712-8b2f-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:15:23.000Z",
"modified": "2017-03-23T16:15:23.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 6d33cd5b7cfcc4a55583adbf75f578d71d6aa572e93c5a7392ece4dc8204d0f8",
"pattern": "[file:hashes.SHA1 = 'b78dcc00427ab7562330a9fe1345d2f0c579856a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:15:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f49c-0310-4f19-81c5-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:15:24.000Z",
"modified": "2017-03-23T16:15:24.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 6d33cd5b7cfcc4a55583adbf75f578d71d6aa572e93c5a7392ece4dc8204d0f8",
"pattern": "[file:hashes.MD5 = '6f989159f08f3bdee9ddf5aa66a77f38']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:15:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d3f49d-b5a0-4e7f-960b-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:15:25.000Z",
"modified": "2017-03-23T16:15:25.000Z",
"first_observed": "2017-03-23T16:15:25Z",
"last_observed": "2017-03-23T16:15:25Z",
"number_observed": 1,
"object_refs": [
"url--58d3f49d-b5a0-4e7f-960b-9f0702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d3f49d-b5a0-4e7f-960b-9f0702de0b81",
"value": "https://www.virustotal.com/file/6d33cd5b7cfcc4a55583adbf75f578d71d6aa572e93c5a7392ece4dc8204d0f8/analysis/1490245613/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f49e-dcb8-4253-ad25-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:15:26.000Z",
"modified": "2017-03-23T16:15:26.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 9eb85367bd59854ccd7b8e13a22deec92bbe746a5de83820d7265055f96da40f",
"pattern": "[file:hashes.SHA1 = '953d32f490475fe04e1e07e5cef415297ae3a864']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:15:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f49f-141c-4677-ba9b-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:15:27.000Z",
"modified": "2017-03-23T16:15:27.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 9eb85367bd59854ccd7b8e13a22deec92bbe746a5de83820d7265055f96da40f",
"pattern": "[file:hashes.MD5 = '9181db58d9145fb1ccc32ea4667fc226']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:15:27Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f4a0-b594-48ef-aaab-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:15:28.000Z",
|
||
|
"modified": "2017-03-23T16:15:28.000Z",
|
||
|
"first_observed": "2017-03-23T16:15:28Z",
|
||
|
"last_observed": "2017-03-23T16:15:28Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f4a0-b594-48ef-aaab-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f4a0-b594-48ef-aaab-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/9eb85367bd59854ccd7b8e13a22deec92bbe746a5de83820d7265055f96da40f/analysis/1489660837/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4a1-63a8-4fc4-b21b-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:15:29.000Z",
|
||
|
"modified": "2017-03-23T16:15:29.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 5872ec86add4892f061cc1fd2478da098645876d0b13d3ce3e789f526c5b8ec8",
|
||
|
"pattern": "[file:hashes.SHA1 = 'b8d6186dbbce77bc264c004fbbd6adfb1ec8fb50']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:15:29Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4a2-9eb8-4698-bcbb-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:15:30.000Z",
|
||
|
"modified": "2017-03-23T16:15:30.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 5872ec86add4892f061cc1fd2478da098645876d0b13d3ce3e789f526c5b8ec8",
|
||
|
"pattern": "[file:hashes.MD5 = 'ee35461e320213caf8308bd5416d525c']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:15:30Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f4a3-fa88-4ee5-b387-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:15:31.000Z",
|
||
|
"modified": "2017-03-23T16:15:31.000Z",
|
||
|
"first_observed": "2017-03-23T16:15:31Z",
|
||
|
"last_observed": "2017-03-23T16:15:31Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f4a3-fa88-4ee5-b387-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f4a3-fa88-4ee5-b387-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/5872ec86add4892f061cc1fd2478da098645876d0b13d3ce3e789f526c5b8ec8/analysis/1487038202/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4a4-2408-4323-b129-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:15:32.000Z",
|
||
|
"modified": "2017-03-23T16:15:32.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 44583aca68ce734bccc79d28f666bdc81a1436c257f035875df15a82f35e6910",
|
||
|
"pattern": "[file:hashes.SHA1 = '81cf84c5f699f618b681a7df64c7b1191db38359']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:15:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4a5-64e0-4c3d-9349-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:15:33.000Z",
|
||
|
"modified": "2017-03-23T16:15:33.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 44583aca68ce734bccc79d28f666bdc81a1436c257f035875df15a82f35e6910",
|
||
|
"pattern": "[file:hashes.MD5 = '0ea4ea09627484cfe037000b1da47e84']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:15:33Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f4a5-e470-42e1-b47d-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:15:33.000Z",
|
||
|
"modified": "2017-03-23T16:15:33.000Z",
|
||
|
"first_observed": "2017-03-23T16:15:33Z",
|
||
|
"last_observed": "2017-03-23T16:15:33Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f4a5-e470-42e1-b47d-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f4a5-e470-42e1-b47d-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/44583aca68ce734bccc79d28f666bdc81a1436c257f035875df15a82f35e6910/analysis/1486569365/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4a6-ba10-4ebc-afaf-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:15:34.000Z",
|
||
|
"modified": "2017-03-23T16:15:34.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: cbb58841ef2179e52fcfb918d085503ccf4482014fa1f0714e11fd667de974a0",
|
||
|
"pattern": "[file:hashes.SHA1 = 'acd37c026021a7d834afd1eea693d200ed3966a9']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:15:34Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4a7-18cc-4ead-ba97-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:15:35.000Z",
|
||
|
"modified": "2017-03-23T16:15:35.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: cbb58841ef2179e52fcfb918d085503ccf4482014fa1f0714e11fd667de974a0",
|
||
|
"pattern": "[file:hashes.MD5 = '25b3494084faf4d320c4688c63b9608a']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:15:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f4a8-c578-407a-b8c7-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:15:36.000Z",
|
||
|
"modified": "2017-03-23T16:15:36.000Z",
|
||
|
"first_observed": "2017-03-23T16:15:36Z",
|
||
|
"last_observed": "2017-03-23T16:15:36Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f4a8-c578-407a-b8c7-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f4a8-c578-407a-b8c7-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/cbb58841ef2179e52fcfb918d085503ccf4482014fa1f0714e11fd667de974a0/analysis/1490244446/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4a9-c780-4a64-9fd3-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:15:37.000Z",
|
||
|
"modified": "2017-03-23T16:15:37.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 1d73428619f69cbdfc5158f1682cc304ba6af2a0b425244bcd8c2c432d4a50d7",
|
||
|
"pattern": "[file:hashes.SHA1 = '53fab257bf206ba8741cf002f64bce68dba4bc8f']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:15:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4aa-e0cc-42f0-9616-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:15:38.000Z",
|
||
|
"modified": "2017-03-23T16:15:38.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 1d73428619f69cbdfc5158f1682cc304ba6af2a0b425244bcd8c2c432d4a50d7",
|
||
|
"pattern": "[file:hashes.MD5 = '59073cdda35e5646469f9557ed187fe8']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:15:38Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f4ab-4168-4134-95c5-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:15:39.000Z",
|
||
|
"modified": "2017-03-23T16:15:39.000Z",
|
||
|
"first_observed": "2017-03-23T16:15:39Z",
|
||
|
"last_observed": "2017-03-23T16:15:39Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f4ab-4168-4134-95c5-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f4ab-4168-4134-95c5-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/1d73428619f69cbdfc5158f1682cc304ba6af2a0b425244bcd8c2c432d4a50d7/analysis/1487713727/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4ac-c624-4a96-979d-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:15:40.000Z",
|
||
|
"modified": "2017-03-23T16:15:40.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: e7fc4527e4cb65e05069b871e06226ce9c9669649ed9cfbad2dcb41cdd9fe94c",
|
||
|
"pattern": "[file:hashes.SHA1 = 'ade5df4cc9fefe20e524fe822cfc799f0f9c5ac7']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:15:40Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4ad-8f60-44ab-ae9b-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:15:41.000Z",
|
||
|
"modified": "2017-03-23T16:15:41.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: e7fc4527e4cb65e05069b871e06226ce9c9669649ed9cfbad2dcb41cdd9fe94c",
|
||
|
"pattern": "[file:hashes.MD5 = '00f9cd32ba4d79d5c8d1821d82834e66']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:15:41Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f4ae-20a0-473a-a4dd-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:15:42.000Z",
|
||
|
"modified": "2017-03-23T16:15:42.000Z",
|
||
|
"first_observed": "2017-03-23T16:15:42Z",
|
||
|
"last_observed": "2017-03-23T16:15:42Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f4ae-20a0-473a-a4dd-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f4ae-20a0-473a-a4dd-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/e7fc4527e4cb65e05069b871e06226ce9c9669649ed9cfbad2dcb41cdd9fe94c/analysis/1487565053/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4af-b314-4f41-818d-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:15:43.000Z",
|
||
|
"modified": "2017-03-23T16:15:43.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 99a3939d654e4c424dcf33fbc18c7568d1030981ad1ae8f2a6da2966efbff669",
|
||
|
"pattern": "[file:hashes.SHA1 = 'c3d5baad23b756093fc67b7db7830f6c37c23a59']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:15:43Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4af-1274-4b40-941e-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:15:43.000Z",
|
||
|
"modified": "2017-03-23T16:15:43.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 99a3939d654e4c424dcf33fbc18c7568d1030981ad1ae8f2a6da2966efbff669",
|
||
|
"pattern": "[file:hashes.MD5 = '978679966dc7797816f3ad0a6f63e70e']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:15:43Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f4b0-6334-4fce-9704-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:15:44.000Z",
|
||
|
"modified": "2017-03-23T16:15:44.000Z",
|
||
|
"first_observed": "2017-03-23T16:15:44Z",
|
||
|
"last_observed": "2017-03-23T16:15:44Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f4b0-6334-4fce-9704-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f4b0-6334-4fce-9704-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/99a3939d654e4c424dcf33fbc18c7568d1030981ad1ae8f2a6da2966efbff669/analysis/1489681560/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4b1-ba78-4b17-b845-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:15:45.000Z",
|
||
|
"modified": "2017-03-23T16:15:45.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 450b2d6741a452d3bff491fb3a40ec8e29cbaf24fb1b400863efe1a7f920543e",
|
||
|
"pattern": "[file:hashes.SHA1 = 'a14565053de9facb97c6d1d283b37fc6333078fb']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:15:45Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4b2-a248-4911-8f00-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:15:46.000Z",
|
||
|
"modified": "2017-03-23T16:15:46.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 450b2d6741a452d3bff491fb3a40ec8e29cbaf24fb1b400863efe1a7f920543e",
|
||
|
"pattern": "[file:hashes.MD5 = 'bc652907773d5d2f15e2b9f922fb87ab']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:15:46Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f4b3-44bc-420e-a5d9-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:15:47.000Z",
|
||
|
"modified": "2017-03-23T16:15:47.000Z",
|
||
|
"first_observed": "2017-03-23T16:15:47Z",
|
||
|
"last_observed": "2017-03-23T16:15:47Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f4b3-44bc-420e-a5d9-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f4b3-44bc-420e-a5d9-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/450b2d6741a452d3bff491fb3a40ec8e29cbaf24fb1b400863efe1a7f920543e/analysis/1486718178/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4b4-f8e4-4f2b-bf75-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:15:48.000Z",
|
||
|
"modified": "2017-03-23T16:15:48.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: ecc9526b380bd109dbcb3d9c4635c1866234d302658758d6ecf4e927a12af9a1",
|
||
|
"pattern": "[file:hashes.SHA1 = '6cd11dbf35ebf83f1c416324d9d883e2c593dbc1']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:15:48Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4b5-9f10-4dc4-868c-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:15:49.000Z",
|
||
|
"modified": "2017-03-23T16:15:49.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: ecc9526b380bd109dbcb3d9c4635c1866234d302658758d6ecf4e927a12af9a1",
|
||
|
"pattern": "[file:hashes.MD5 = '72c326f6915bde95d89898a7e8e298da']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:15:49Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f4b6-6eac-4220-8615-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:15:50.000Z",
|
||
|
"modified": "2017-03-23T16:15:50.000Z",
|
||
|
"first_observed": "2017-03-23T16:15:50Z",
|
||
|
"last_observed": "2017-03-23T16:15:50Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f4b6-6eac-4220-8615-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f4b6-6eac-4220-8615-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/ecc9526b380bd109dbcb3d9c4635c1866234d302658758d6ecf4e927a12af9a1/analysis/1489592673/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4b7-2258-49ec-a7a8-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:15:51.000Z",
|
||
|
"modified": "2017-03-23T16:15:51.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: c343e92d30c1374c631efa8cf612faf5567e8bd66330e1ff58ac9296c3373304",
|
||
|
"pattern": "[file:hashes.SHA1 = '9adcc8a2ce8cc94968d43b51f8c867b46b1c0c7c']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:15:51Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4b8-87cc-41aa-8300-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:15:52.000Z",
|
||
|
"modified": "2017-03-23T16:15:52.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: c343e92d30c1374c631efa8cf612faf5567e8bd66330e1ff58ac9296c3373304",
|
||
|
"pattern": "[file:hashes.MD5 = '50f00680e95100a3b808d1675875873a']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:15:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f4b8-42f8-4743-b13a-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:15:52.000Z",
|
||
|
"modified": "2017-03-23T16:15:52.000Z",
|
||
|
"first_observed": "2017-03-23T16:15:52Z",
|
||
|
"last_observed": "2017-03-23T16:15:52Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f4b8-42f8-4743-b13a-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f4b8-42f8-4743-b13a-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/c343e92d30c1374c631efa8cf612faf5567e8bd66330e1ff58ac9296c3373304/analysis/1490174627/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4b9-c48c-460a-8ae7-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:15:53.000Z",
|
||
|
"modified": "2017-03-23T16:15:53.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 5c1db6ce5989645bbc8cb8489dee2fb99eba7b4093eaad96cd5a6c692a53c245",
|
||
|
"pattern": "[file:hashes.SHA1 = 'cd65ed59eddc98cb4cc3dc56ba3796427908c893']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:15:53Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4ba-7820-495f-9320-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:15:54.000Z",
|
||
|
"modified": "2017-03-23T16:15:54.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 5c1db6ce5989645bbc8cb8489dee2fb99eba7b4093eaad96cd5a6c692a53c245",
|
||
|
"pattern": "[file:hashes.MD5 = '51186182ad3a1698119204f5194a1213']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:15:54Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f4bb-d08c-4568-8ae9-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:15:55.000Z",
|
||
|
"modified": "2017-03-23T16:15:55.000Z",
|
||
|
"first_observed": "2017-03-23T16:15:55Z",
|
||
|
"last_observed": "2017-03-23T16:15:55Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f4bb-d08c-4568-8ae9-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f4bb-d08c-4568-8ae9-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/5c1db6ce5989645bbc8cb8489dee2fb99eba7b4093eaad96cd5a6c692a53c245/analysis/1489482718/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4bc-a700-4b97-b45f-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:15:56.000Z",
|
||
|
"modified": "2017-03-23T16:15:56.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: a0e529ed847b78fd68a871688a7e99e6abc87295c671a3e2d02a61a1e04f5ce9",
|
||
|
"pattern": "[file:hashes.SHA1 = 'da86b97fe62db0c32274961b27a407510c2b2c79']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:15:56Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4bd-e1bc-47c6-a589-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:15:57.000Z",
|
||
|
"modified": "2017-03-23T16:15:57.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: a0e529ed847b78fd68a871688a7e99e6abc87295c671a3e2d02a61a1e04f5ce9",
|
||
|
"pattern": "[file:hashes.MD5 = '7d0a63918683e92163a34d89e39d0032']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:15:57Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f4be-7f68-4a67-9d7d-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:15:58.000Z",
|
||
|
"modified": "2017-03-23T16:15:58.000Z",
|
||
|
"first_observed": "2017-03-23T16:15:58Z",
|
||
|
"last_observed": "2017-03-23T16:15:58Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f4be-7f68-4a67-9d7d-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f4be-7f68-4a67-9d7d-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/a0e529ed847b78fd68a871688a7e99e6abc87295c671a3e2d02a61a1e04f5ce9/analysis/1489161096/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
"id": "indicator--58d3f4bf-fcf8-40cb-8b69-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:15:59.000Z",
"modified": "2017-03-23T16:15:59.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 66de8e2f1d5ebbf3f8c511d5cd6394e24be3c694e78d614dfe703f8aa198906f",
"pattern": "[file:hashes.SHA1 = '1bcb8314231b2346e22b5384947aee5b7500fd5e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:15:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f4c0-2198-424d-b375-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:16:00.000Z",
"modified": "2017-03-23T16:16:00.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 66de8e2f1d5ebbf3f8c511d5cd6394e24be3c694e78d614dfe703f8aa198906f",
"pattern": "[file:hashes.MD5 = 'd5afa01d01ee54e8567d889f691fce8e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:16:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d3f4c1-4074-453b-ab12-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:16:01.000Z",
"modified": "2017-03-23T16:16:01.000Z",
"first_observed": "2017-03-23T16:16:01Z",
"last_observed": "2017-03-23T16:16:01Z",
"number_observed": 1,
"object_refs": [
"url--58d3f4c1-4074-453b-ab12-9f0702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d3f4c1-4074-453b-ab12-9f0702de0b81",
"value": "https://www.virustotal.com/file/66de8e2f1d5ebbf3f8c511d5cd6394e24be3c694e78d614dfe703f8aa198906f/analysis/1490280326/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f4c1-d398-4488-8c7a-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:16:01.000Z",
"modified": "2017-03-23T16:16:01.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 27290fd934092cf1ca2a242e6847665a16771376af8f5c81ef1c851463e77709",
"pattern": "[file:hashes.SHA1 = '25a387375f6055a2b7e48efeda4ca1c608795ce4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:16:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f4c2-1f0c-4b35-b40e-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:16:02.000Z",
"modified": "2017-03-23T16:16:02.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 27290fd934092cf1ca2a242e6847665a16771376af8f5c81ef1c851463e77709",
"pattern": "[file:hashes.MD5 = 'e565863cae9c7e131a6558bfbb5d797d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:16:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d3f4c3-d014-4bb3-9961-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:16:03.000Z",
"modified": "2017-03-23T16:16:03.000Z",
"first_observed": "2017-03-23T16:16:03Z",
"last_observed": "2017-03-23T16:16:03Z",
"number_observed": 1,
"object_refs": [
"url--58d3f4c3-d014-4bb3-9961-9f0702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d3f4c3-d014-4bb3-9961-9f0702de0b81",
"value": "https://www.virustotal.com/file/27290fd934092cf1ca2a242e6847665a16771376af8f5c81ef1c851463e77709/analysis/1487844593/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f4c4-ef20-4174-affe-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:16:04.000Z",
"modified": "2017-03-23T16:16:04.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 552fe8b5fd175822d4479552078331dbfb16881fea9514377a802f3cce87ac02",
"pattern": "[file:hashes.SHA1 = 'f822cafde38c48c813a1e98c628f23e0a082c02d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:16:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f4c5-5984-466b-835e-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:16:05.000Z",
"modified": "2017-03-23T16:16:05.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 552fe8b5fd175822d4479552078331dbfb16881fea9514377a802f3cce87ac02",
"pattern": "[file:hashes.MD5 = '15b201d48cbf5f94644fe4d30d741bd2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:16:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d3f4c6-301c-4652-88c8-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:16:06.000Z",
"modified": "2017-03-23T16:16:06.000Z",
"first_observed": "2017-03-23T16:16:06Z",
"last_observed": "2017-03-23T16:16:06Z",
"number_observed": 1,
"object_refs": [
"url--58d3f4c6-301c-4652-88c8-9f0702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d3f4c6-301c-4652-88c8-9f0702de0b81",
"value": "https://www.virustotal.com/file/552fe8b5fd175822d4479552078331dbfb16881fea9514377a802f3cce87ac02/analysis/1490261112/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f4c7-5ed0-493a-b5d4-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:16:07.000Z",
"modified": "2017-03-23T16:16:07.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: a406f0208c914ff28f8e30eda539acb6abd23bbdecf704be4b77615a27f62e8d",
"pattern": "[file:hashes.SHA1 = 'f3e1fe6ea74b283f6e8b10b211891a24ea13de29']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:16:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f4c8-78f0-4e7e-8900-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:16:08.000Z",
"modified": "2017-03-23T16:16:08.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: a406f0208c914ff28f8e30eda539acb6abd23bbdecf704be4b77615a27f62e8d",
"pattern": "[file:hashes.MD5 = '1cdc6f8d329741d6a5525528278fc609']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:16:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d3f4c9-8ea4-4eff-b81c-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:16:09.000Z",
"modified": "2017-03-23T16:16:09.000Z",
"first_observed": "2017-03-23T16:16:09Z",
"last_observed": "2017-03-23T16:16:09Z",
"number_observed": 1,
"object_refs": [
"url--58d3f4c9-8ea4-4eff-b81c-9f0702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d3f4c9-8ea4-4eff-b81c-9f0702de0b81",
"value": "https://www.virustotal.com/file/a406f0208c914ff28f8e30eda539acb6abd23bbdecf704be4b77615a27f62e8d/analysis/1486569476/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f4c9-987c-4761-8c25-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:16:09.000Z",
"modified": "2017-03-23T16:16:09.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 79316e4c2601a5721d5d6ada0f152790ad44aa9ac5badf17e12c7825fb1f46aa",
"pattern": "[file:hashes.SHA1 = 'f103a119a779b4071309b4768ea4930a321cd07a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:16:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f4ca-9818-4277-9a2e-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:16:10.000Z",
"modified": "2017-03-23T16:16:10.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 79316e4c2601a5721d5d6ada0f152790ad44aa9ac5badf17e12c7825fb1f46aa",
"pattern": "[file:hashes.MD5 = '7948214cc9830abc636eb1fa71ea6827']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:16:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d3f4cb-0944-496d-95f3-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:16:11.000Z",
"modified": "2017-03-23T16:16:11.000Z",
"first_observed": "2017-03-23T16:16:11Z",
"last_observed": "2017-03-23T16:16:11Z",
"number_observed": 1,
"object_refs": [
"url--58d3f4cb-0944-496d-95f3-9f0702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d3f4cb-0944-496d-95f3-9f0702de0b81",
"value": "https://www.virustotal.com/file/79316e4c2601a5721d5d6ada0f152790ad44aa9ac5badf17e12c7825fb1f46aa/analysis/1489420783/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f4cc-bb1c-4496-ac1d-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:16:12.000Z",
"modified": "2017-03-23T16:16:12.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: dbc97df1e5036ac572d8a247a6b073ab1f1dabd20676443598135c6743534028",
"pattern": "[file:hashes.SHA1 = 'd11c3e0003c5cec7363c6fd58d09d72726971d19']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:16:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f4cd-bba4-4e73-b121-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:16:13.000Z",
"modified": "2017-03-23T16:16:13.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: dbc97df1e5036ac572d8a247a6b073ab1f1dabd20676443598135c6743534028",
"pattern": "[file:hashes.MD5 = '9f721ef90d7ec58d48f25eb68b16aae7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:16:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d3f4ce-f8f0-485e-9bf2-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:16:14.000Z",
"modified": "2017-03-23T16:16:14.000Z",
"first_observed": "2017-03-23T16:16:14Z",
"last_observed": "2017-03-23T16:16:14Z",
"number_observed": 1,
"object_refs": [
"url--58d3f4ce-f8f0-485e-9bf2-9f0702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d3f4ce-f8f0-485e-9bf2-9f0702de0b81",
"value": "https://www.virustotal.com/file/dbc97df1e5036ac572d8a247a6b073ab1f1dabd20676443598135c6743534028/analysis/1490246791/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f4cf-75bc-426d-966d-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:16:15.000Z",
"modified": "2017-03-23T16:16:15.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 17ae8d128938131ebc944f5d77be7009fd05c8831f88ef3558cc9c00f0633f97",
"pattern": "[file:hashes.SHA1 = '18d9199cc35cd76003ee065b769a6bb9a1ed9d0f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:16:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f4d0-5580-4826-a76c-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:16:16.000Z",
"modified": "2017-03-23T16:16:16.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 17ae8d128938131ebc944f5d77be7009fd05c8831f88ef3558cc9c00f0633f97",
"pattern": "[file:hashes.MD5 = '6993c2e110a8b4c4f12e07ac4afdad30']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:16:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d3f4d1-5b1c-47c3-b2cd-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:16:17.000Z",
"modified": "2017-03-23T16:16:17.000Z",
"first_observed": "2017-03-23T16:16:17Z",
"last_observed": "2017-03-23T16:16:17Z",
"number_observed": 1,
"object_refs": [
"url--58d3f4d1-5b1c-47c3-b2cd-9f0702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d3f4d1-5b1c-47c3-b2cd-9f0702de0b81",
"value": "https://www.virustotal.com/file/17ae8d128938131ebc944f5d77be7009fd05c8831f88ef3558cc9c00f0633f97/analysis/1489232312/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f4d2-9d24-427b-a00c-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:16:18.000Z",
"modified": "2017-03-23T16:16:18.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: c201e4bb7b68b4655ab7ac85c8a7c93abe2238ec3d24914d86e8a543b6c6abbd",
"pattern": "[file:hashes.SHA1 = 'bd69ba1cc4a7c5d9eb14582f94573434312ce691']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:16:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f4d2-9570-4a5e-bf21-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:16:18.000Z",
"modified": "2017-03-23T16:16:18.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: c201e4bb7b68b4655ab7ac85c8a7c93abe2238ec3d24914d86e8a543b6c6abbd",
"pattern": "[file:hashes.MD5 = 'a1ffba962b2e96bb0213fde45485d839']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:16:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d3f4d3-357c-4605-8899-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:16:19.000Z",
"modified": "2017-03-23T16:16:19.000Z",
"first_observed": "2017-03-23T16:16:19Z",
"last_observed": "2017-03-23T16:16:19Z",
"number_observed": 1,
"object_refs": [
"url--58d3f4d3-357c-4605-8899-9f0702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d3f4d3-357c-4605-8899-9f0702de0b81",
"value": "https://www.virustotal.com/file/c201e4bb7b68b4655ab7ac85c8a7c93abe2238ec3d24914d86e8a543b6c6abbd/analysis/1487706989/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f4d4-34a4-4d48-a27e-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:16:20.000Z",
"modified": "2017-03-23T16:16:20.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 9c62f4947a572356f43f71fb55f2b702b78c2e1688c67eff89c36da50137ed21",
"pattern": "[file:hashes.SHA1 = 'f9675515ac8fc84a2fd29e62d2f1b9a420ecf6ab']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:16:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f4d5-6c54-46fe-8da0-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:16:21.000Z",
"modified": "2017-03-23T16:16:21.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 9c62f4947a572356f43f71fb55f2b702b78c2e1688c67eff89c36da50137ed21",
"pattern": "[file:hashes.MD5 = '69d71124701a58d254effc455474175e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:16:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d3f4d6-5dbc-4b36-8b92-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:16:22.000Z",
"modified": "2017-03-23T16:16:22.000Z",
"first_observed": "2017-03-23T16:16:22Z",
"last_observed": "2017-03-23T16:16:22Z",
"number_observed": 1,
"object_refs": [
"url--58d3f4d6-5dbc-4b36-8b92-9f0702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d3f4d6-5dbc-4b36-8b92-9f0702de0b81",
"value": "https://www.virustotal.com/file/9c62f4947a572356f43f71fb55f2b702b78c2e1688c67eff89c36da50137ed21/analysis/1489498491/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f4d7-6668-4ec1-b0c8-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:16:23.000Z",
"modified": "2017-03-23T16:16:23.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 84a2ded87681e65be35994ea26f4b2287e52438bbeebaac784c291196a6f94c6",
"pattern": "[file:hashes.SHA1 = '6660780579e0f416901921ef910a0a5d05fc11e4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:16:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f4d8-cd78-4ddc-b420-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:16:24.000Z",
"modified": "2017-03-23T16:16:24.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 84a2ded87681e65be35994ea26f4b2287e52438bbeebaac784c291196a6f94c6",
"pattern": "[file:hashes.MD5 = 'ab377c359cf4328ce8e0996a44aa2ddd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:16:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d3f4d9-36f8-4b3a-8da1-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:16:25.000Z",
"modified": "2017-03-23T16:16:25.000Z",
"first_observed": "2017-03-23T16:16:25Z",
"last_observed": "2017-03-23T16:16:25Z",
"number_observed": 1,
"object_refs": [
"url--58d3f4d9-36f8-4b3a-8da1-9f0702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d3f4d9-36f8-4b3a-8da1-9f0702de0b81",
"value": "https://www.virustotal.com/file/84a2ded87681e65be35994ea26f4b2287e52438bbeebaac784c291196a6f94c6/analysis/1490174459/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f4da-f654-4570-b92e-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:16:26.000Z",
"modified": "2017-03-23T16:16:26.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 415b9e72811cd7c50366d9c9038df02fe3bbfc6446ef42b099d85ea576fbd35d",
"pattern": "[file:hashes.SHA1 = '82cf01470fa321496bd7b6229e5d03589f7a7cca']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:16:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f4da-9464-4464-960e-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:16:26.000Z",
"modified": "2017-03-23T16:16:26.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 415b9e72811cd7c50366d9c9038df02fe3bbfc6446ef42b099d85ea576fbd35d",
"pattern": "[file:hashes.MD5 = '6379f5b1f34f72a0268f843c47f85f32']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:16:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58d3f4db-4fa4-4638-ae46-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:16:27.000Z",
"modified": "2017-03-23T16:16:27.000Z",
"first_observed": "2017-03-23T16:16:27Z",
"last_observed": "2017-03-23T16:16:27Z",
"number_observed": 1,
"object_refs": [
"url--58d3f4db-4fa4-4638-ae46-9f0702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58d3f4db-4fa4-4638-ae46-9f0702de0b81",
"value": "https://www.virustotal.com/file/415b9e72811cd7c50366d9c9038df02fe3bbfc6446ef42b099d85ea576fbd35d/analysis/1490245303/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f4dc-b564-4558-a522-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:16:28.000Z",
"modified": "2017-03-23T16:16:28.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 737d1468b20dc39300bc2be38285b6482940d2be9ae59b7dc984cf4dc6d82053",
"pattern": "[file:hashes.SHA1 = '03094768ec13f6d326caa3560ecc60e28d0a7845']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-03-23T16:16:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58d3f4dd-5b30-4672-983f-9f0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-03-23T16:16:29.000Z",
"modified": "2017-03-23T16:16:29.000Z",
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 737d1468b20dc39300bc2be38285b6482940d2be9ae59b7dc984cf4dc6d82053",
|
||
|
"pattern": "[file:hashes.MD5 = '8eb9d5405f1746025318c4cf52e7759d']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:16:29Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f4de-675c-49be-bced-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:16:30.000Z",
|
||
|
"modified": "2017-03-23T16:16:30.000Z",
|
||
|
"first_observed": "2017-03-23T16:16:30Z",
|
||
|
"last_observed": "2017-03-23T16:16:30Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f4de-675c-49be-bced-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f4de-675c-49be-bced-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/737d1468b20dc39300bc2be38285b6482940d2be9ae59b7dc984cf4dc6d82053/analysis/1486541106/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4df-d2ac-4989-8f5f-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:16:31.000Z",
|
||
|
"modified": "2017-03-23T16:16:31.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 11836837753c754997adf8ccf4fa8ba824e57725f56fbcd3b0d903e1fa30ac5b",
|
||
|
"pattern": "[file:hashes.SHA1 = '4ea0a2b4f90358c3147b5cbc6613506ed7ef00bc']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:16:31Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4e0-144c-428b-97b6-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:16:32.000Z",
|
||
|
"modified": "2017-03-23T16:16:32.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 11836837753c754997adf8ccf4fa8ba824e57725f56fbcd3b0d903e1fa30ac5b",
|
||
|
"pattern": "[file:hashes.MD5 = '92b4f31afa1471d510d48ed6c285ed61']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:16:32Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f4e1-e650-4b87-8236-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:16:33.000Z",
|
||
|
"modified": "2017-03-23T16:16:33.000Z",
|
||
|
"first_observed": "2017-03-23T16:16:33Z",
|
||
|
"last_observed": "2017-03-23T16:16:33Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f4e1-e650-4b87-8236-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f4e1-e650-4b87-8236-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/11836837753c754997adf8ccf4fa8ba824e57725f56fbcd3b0d903e1fa30ac5b/analysis/1487931205/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4e2-2764-40dc-b738-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:16:34.000Z",
|
||
|
"modified": "2017-03-23T16:16:34.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 6077c3ed4dc67526f89b2c59fc16b389530a73b326f63fff17ae7c824b7770fd",
|
||
|
"pattern": "[file:hashes.SHA1 = '57f56d5a295058f22d6dbe99863f5db842091c15']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:16:34Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4e3-ac74-476c-88d7-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:16:35.000Z",
|
||
|
"modified": "2017-03-23T16:16:35.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 6077c3ed4dc67526f89b2c59fc16b389530a73b326f63fff17ae7c824b7770fd",
|
||
|
"pattern": "[file:hashes.MD5 = 'a2b79d655e1f000510f1f73de236960f']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:16:35Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f4e3-f2b4-4df3-bd6e-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:16:35.000Z",
|
||
|
"modified": "2017-03-23T16:16:35.000Z",
|
||
|
"first_observed": "2017-03-23T16:16:35Z",
|
||
|
"last_observed": "2017-03-23T16:16:35Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f4e3-f2b4-4df3-bd6e-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f4e3-f2b4-4df3-bd6e-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/6077c3ed4dc67526f89b2c59fc16b389530a73b326f63fff17ae7c824b7770fd/analysis/1486984912/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4e4-f018-471c-a801-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:16:36.000Z",
|
||
|
"modified": "2017-03-23T16:16:36.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 4a7d6c770c5fdbb32534b535efe0324e3bc25a8bcd3551b7fe0ff3610ee81299",
|
||
|
"pattern": "[file:hashes.SHA1 = '0599357139722cbf3b634b957073ce66f501a7b3']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:16:36Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4e5-d3f4-4911-869f-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:16:37.000Z",
|
||
|
"modified": "2017-03-23T16:16:37.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 4a7d6c770c5fdbb32534b535efe0324e3bc25a8bcd3551b7fe0ff3610ee81299",
|
||
|
"pattern": "[file:hashes.MD5 = '7e05a8f63ad73092e0a3f66bdb6b7dae']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:16:37Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f4e6-bf80-47f8-8c5c-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:16:38.000Z",
|
||
|
"modified": "2017-03-23T16:16:38.000Z",
|
||
|
"first_observed": "2017-03-23T16:16:38Z",
|
||
|
"last_observed": "2017-03-23T16:16:38Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f4e6-bf80-47f8-8c5c-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f4e6-bf80-47f8-8c5c-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/4a7d6c770c5fdbb32534b535efe0324e3bc25a8bcd3551b7fe0ff3610ee81299/analysis/1490173985/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4e7-b39c-41b3-aa8d-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:16:39.000Z",
|
||
|
"modified": "2017-03-23T16:16:39.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: c53bf11adb48a00393c30a0902716e0088f650750349f5966ba3b60a0fa17487",
|
||
|
"pattern": "[file:hashes.SHA1 = '3976d852993a9febbc512870ee177acec4ebf3a9']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:16:39Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4e8-26c4-4601-b9e6-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:16:40.000Z",
|
||
|
"modified": "2017-03-23T16:16:40.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: c53bf11adb48a00393c30a0902716e0088f650750349f5966ba3b60a0fa17487",
|
||
|
"pattern": "[file:hashes.MD5 = '2412d1e94a5eacf0d066c2330cc2585c']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:16:40Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f4e9-b10c-4c7f-9fd2-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:16:41.000Z",
|
||
|
"modified": "2017-03-23T16:16:41.000Z",
|
||
|
"first_observed": "2017-03-23T16:16:41Z",
|
||
|
"last_observed": "2017-03-23T16:16:41Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f4e9-b10c-4c7f-9fd2-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f4e9-b10c-4c7f-9fd2-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/c53bf11adb48a00393c30a0902716e0088f650750349f5966ba3b60a0fa17487/analysis/1489993470/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4ea-da6c-4472-a666-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:16:42.000Z",
|
||
|
"modified": "2017-03-23T16:16:42.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 89a1264bd7facf02d48aff46724a0215c2fb1974d06451cebefdb2ea7ea9a71a",
|
||
|
"pattern": "[file:hashes.SHA1 = '524a23cabe678f6042e4c872a1454d1714b02ccc']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:16:42Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4eb-893c-4586-b9a4-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:16:43.000Z",
|
||
|
"modified": "2017-03-23T16:16:43.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 89a1264bd7facf02d48aff46724a0215c2fb1974d06451cebefdb2ea7ea9a71a",
|
||
|
"pattern": "[file:hashes.MD5 = 'e692a01b1aa01e20ef6f281a6182ca7a']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:16:43Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f4eb-5e8c-44d4-be1a-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:16:43.000Z",
|
||
|
"modified": "2017-03-23T16:16:43.000Z",
|
||
|
"first_observed": "2017-03-23T16:16:43Z",
|
||
|
"last_observed": "2017-03-23T16:16:43Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f4eb-5e8c-44d4-be1a-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f4eb-5e8c-44d4-be1a-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/89a1264bd7facf02d48aff46724a0215c2fb1974d06451cebefdb2ea7ea9a71a/analysis/1489658266/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4ec-7f6c-41b6-acf8-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:16:44.000Z",
|
||
|
"modified": "2017-03-23T16:16:44.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: ad3af8a7ab469fa930d0873475214c3160f52b17c06f296d6ce9cc6fc92e8a79",
|
||
|
"pattern": "[file:hashes.SHA1 = '91b157648296683f50551f60c6653ebb452f902b']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:16:44Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4ed-5990-40e4-a4eb-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:16:45.000Z",
|
||
|
"modified": "2017-03-23T16:16:45.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: ad3af8a7ab469fa930d0873475214c3160f52b17c06f296d6ce9cc6fc92e8a79",
|
||
|
"pattern": "[file:hashes.MD5 = 'abf4e672f6c7f353f6a0ca0a6c9e23b9']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:16:45Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f4ee-ef48-4469-b86b-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:16:46.000Z",
|
||
|
"modified": "2017-03-23T16:16:46.000Z",
|
||
|
"first_observed": "2017-03-23T16:16:46Z",
|
||
|
"last_observed": "2017-03-23T16:16:46Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f4ee-ef48-4469-b86b-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f4ee-ef48-4469-b86b-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/ad3af8a7ab469fa930d0873475214c3160f52b17c06f296d6ce9cc6fc92e8a79/analysis/1489568479/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4ef-0ea0-4202-ae79-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:16:47.000Z",
|
||
|
"modified": "2017-03-23T16:16:47.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 7aa0abedd75c46680ac65814d9433a04bb9f6bc6f094d66cc33a918f32dcb2fa",
|
||
|
"pattern": "[file:hashes.SHA1 = 'fd2eb0321699cf9b46ad8ace68beb4247f1bd9bb']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:16:47Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4f0-39c4-4a31-bfd1-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:16:48.000Z",
|
||
|
"modified": "2017-03-23T16:16:48.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 7aa0abedd75c46680ac65814d9433a04bb9f6bc6f094d66cc33a918f32dcb2fa",
|
||
|
"pattern": "[file:hashes.MD5 = '9f8144db1ffecbcc7c69bae783d85d9d']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:16:48Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f4f1-139c-435a-8449-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:16:49.000Z",
|
||
|
"modified": "2017-03-23T16:16:49.000Z",
|
||
|
"first_observed": "2017-03-23T16:16:49Z",
|
||
|
"last_observed": "2017-03-23T16:16:49Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f4f1-139c-435a-8449-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f4f1-139c-435a-8449-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/7aa0abedd75c46680ac65814d9433a04bb9f6bc6f094d66cc33a918f32dcb2fa/analysis/1489645405/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4f2-10ec-4801-b454-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:16:50.000Z",
|
||
|
"modified": "2017-03-23T16:16:50.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 59011fa80db84cea54bc6ec7f7bc689d916f04e8df9950b259ad524142225731",
|
||
|
"pattern": "[file:hashes.SHA1 = '6180bb93948116371cd0a060ec11186fb4845595']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:16:50Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4f3-7c50-4e58-b7b8-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:16:51.000Z",
|
||
|
"modified": "2017-03-23T16:16:51.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 59011fa80db84cea54bc6ec7f7bc689d916f04e8df9950b259ad524142225731",
|
||
|
"pattern": "[file:hashes.MD5 = '1b187f7e1eb6c256f6c7e00ae387a478']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:16:51Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f4f3-64f4-4432-b3f2-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:16:51.000Z",
|
||
|
"modified": "2017-03-23T16:16:51.000Z",
|
||
|
"first_observed": "2017-03-23T16:16:51Z",
|
||
|
"last_observed": "2017-03-23T16:16:51Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f4f3-64f4-4432-b3f2-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f4f3-64f4-4432-b3f2-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/59011fa80db84cea54bc6ec7f7bc689d916f04e8df9950b259ad524142225731/analysis/1490158625/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4f4-ce20-4e35-8a8a-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:16:52.000Z",
|
||
|
"modified": "2017-03-23T16:16:52.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: dd783bcdbc81bc605cf07545a01273596d4e51b198874253815069cd6708b2fa",
|
||
|
"pattern": "[file:hashes.SHA1 = 'a9b7cc4a0f3f043b0775d53a60b45ed34d5144d0']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:16:52Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4f5-a34c-4abe-b6b1-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:16:53.000Z",
|
||
|
"modified": "2017-03-23T16:16:53.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: dd783bcdbc81bc605cf07545a01273596d4e51b198874253815069cd6708b2fa",
|
||
|
"pattern": "[file:hashes.MD5 = '0eae6cd107eef9b21b009dbf8f1991a6']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:16:53Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f4f6-d2e4-4f6c-b80a-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:16:54.000Z",
|
||
|
"modified": "2017-03-23T16:16:54.000Z",
|
||
|
"first_observed": "2017-03-23T16:16:54Z",
|
||
|
"last_observed": "2017-03-23T16:16:54Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f4f6-d2e4-4f6c-b80a-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f4f6-d2e4-4f6c-b80a-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/dd783bcdbc81bc605cf07545a01273596d4e51b198874253815069cd6708b2fa/analysis/1487997184/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4f7-ded4-4b80-b9bd-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:16:55.000Z",
|
||
|
"modified": "2017-03-23T16:16:55.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 9f48ce01ac99033c03e9aa983c09fa273eae0e168e55de8cc364311ae4fc88b9",
|
||
|
"pattern": "[file:hashes.SHA1 = '6f7d89a5014f839457b59e1fcf3849d57df4d34f']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:16:55Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4f8-295c-4535-b5ba-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:16:56.000Z",
|
||
|
"modified": "2017-03-23T16:16:56.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 9f48ce01ac99033c03e9aa983c09fa273eae0e168e55de8cc364311ae4fc88b9",
|
||
|
"pattern": "[file:hashes.MD5 = '79f72ea2fee5d8c5e488a20f188d9e3d']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:16:56Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f4f9-6a74-491b-b612-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:16:57.000Z",
|
||
|
"modified": "2017-03-23T16:16:57.000Z",
|
||
|
"first_observed": "2017-03-23T16:16:57Z",
|
||
|
"last_observed": "2017-03-23T16:16:57Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f4f9-6a74-491b-b612-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f4f9-6a74-491b-b612-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/9f48ce01ac99033c03e9aa983c09fa273eae0e168e55de8cc364311ae4fc88b9/analysis/1487844739/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4fa-d49c-4cf7-a12c-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:16:58.000Z",
|
||
|
"modified": "2017-03-23T16:16:58.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 629d1afbedd7cc082549d5c3fc3926b6b4e55abc3c07f8d994a791893a2fd530",
|
||
|
"pattern": "[file:hashes.SHA1 = 'fd86a08c0705b06fe4d2a16090af943ea4139a95']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:16:58Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4fb-940c-43f8-a8d0-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:16:59.000Z",
|
||
|
"modified": "2017-03-23T16:16:59.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 629d1afbedd7cc082549d5c3fc3926b6b4e55abc3c07f8d994a791893a2fd530",
|
||
|
"pattern": "[file:hashes.MD5 = '1bc15ec752aedd92a46534362f6c0e82']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:16:59Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f4fc-2318-4024-8936-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:00.000Z",
|
||
|
"modified": "2017-03-23T16:17:00.000Z",
|
||
|
"first_observed": "2017-03-23T16:17:00Z",
|
||
|
"last_observed": "2017-03-23T16:17:00Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f4fc-2318-4024-8936-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f4fc-2318-4024-8936-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/629d1afbedd7cc082549d5c3fc3926b6b4e55abc3c07f8d994a791893a2fd530/analysis/1487910889/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4fc-71d4-4903-b449-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:00.000Z",
|
||
|
"modified": "2017-03-23T16:17:00.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: b330fadeb337e9fb5aa9f8046462e3d1d418946fd6237bc252a80a2d4fb2fff7",
|
||
|
"pattern": "[file:hashes.SHA1 = 'd2cd8cb500e9baae94c2df1e9a3bdf4c1c42ba1d']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:17:00Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4fd-f1b8-4e6a-9127-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:01.000Z",
|
||
|
"modified": "2017-03-23T16:17:01.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: b330fadeb337e9fb5aa9f8046462e3d1d418946fd6237bc252a80a2d4fb2fff7",
|
||
|
"pattern": "[file:hashes.MD5 = 'ad311fbba70dd1fdc5b069f57b6afe5e']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:17:01Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f4fe-3c20-47e9-84f6-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:02.000Z",
|
||
|
"modified": "2017-03-23T16:17:02.000Z",
|
||
|
"first_observed": "2017-03-23T16:17:02Z",
|
||
|
"last_observed": "2017-03-23T16:17:02Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f4fe-3c20-47e9-84f6-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f4fe-3c20-47e9-84f6-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/b330fadeb337e9fb5aa9f8046462e3d1d418946fd6237bc252a80a2d4fb2fff7/analysis/1487717141/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f4ff-a5e0-4591-a3aa-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:03.000Z",
|
||
|
"modified": "2017-03-23T16:17:03.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: cd16e420fbc39b63de93198cdb1265c1bfe83119c7d4d75d5501465cdd0847f1",
|
||
|
"pattern": "[file:hashes.SHA1 = '19013eb9d291e421261473ca5d1fa166ff92554d']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:17:03Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f501-5324-4530-9b4e-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:05.000Z",
|
||
|
"modified": "2017-03-23T16:17:05.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: cd16e420fbc39b63de93198cdb1265c1bfe83119c7d4d75d5501465cdd0847f1",
|
||
|
"pattern": "[file:hashes.MD5 = '24681993ce5ae4126905dd051fb29caa']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:17:05Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f501-ccc0-4b1a-b1e1-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:05.000Z",
|
||
|
"modified": "2017-03-23T16:17:05.000Z",
|
||
|
"first_observed": "2017-03-23T16:17:05Z",
|
||
|
"last_observed": "2017-03-23T16:17:05Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f501-ccc0-4b1a-b1e1-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f501-ccc0-4b1a-b1e1-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/cd16e420fbc39b63de93198cdb1265c1bfe83119c7d4d75d5501465cdd0847f1/analysis/1489124421/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f502-0cac-478f-8b4f-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:06.000Z",
|
||
|
"modified": "2017-03-23T16:17:06.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: be81741ae3c7c2c5000785a2573c901068a2906054690ac22119ac794aa9e8e2",
|
||
|
"pattern": "[file:hashes.SHA1 = '37bc0b13f3d040a071cc0a7a119c65a0709a8258']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:17:06Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f503-e688-4a36-8c4d-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:07.000Z",
|
||
|
"modified": "2017-03-23T16:17:07.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: be81741ae3c7c2c5000785a2573c901068a2906054690ac22119ac794aa9e8e2",
|
||
|
"pattern": "[file:hashes.MD5 = '4dd24284c7e6d95d58f5b7a8004b23ce']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:17:07Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f504-b188-4f0b-9c62-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:08.000Z",
|
||
|
"modified": "2017-03-23T16:17:08.000Z",
|
||
|
"first_observed": "2017-03-23T16:17:08Z",
|
||
|
"last_observed": "2017-03-23T16:17:08Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f504-b188-4f0b-9c62-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f504-b188-4f0b-9c62-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/be81741ae3c7c2c5000785a2573c901068a2906054690ac22119ac794aa9e8e2/analysis/1489638430/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f505-2ad4-47e3-b8a3-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:09.000Z",
|
||
|
"modified": "2017-03-23T16:17:09.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: f07f87ab68482d329eeac5525ea5f189bcd720d2b2d149db61ab81ae04be957a",
|
||
|
"pattern": "[file:hashes.SHA1 = '3141e21f51171c12d2ffb5cf3d913b2ddd8fab14']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:17:09Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f506-1874-4fc6-84ab-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:10.000Z",
|
||
|
"modified": "2017-03-23T16:17:10.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: f07f87ab68482d329eeac5525ea5f189bcd720d2b2d149db61ab81ae04be957a",
|
||
|
"pattern": "[file:hashes.MD5 = '7fde245137e0ed3a335a4c3086e0911e']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:17:10Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f507-5540-4cb3-8caa-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:11.000Z",
|
||
|
"modified": "2017-03-23T16:17:11.000Z",
|
||
|
"first_observed": "2017-03-23T16:17:11Z",
|
||
|
"last_observed": "2017-03-23T16:17:11Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f507-5540-4cb3-8caa-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f507-5540-4cb3-8caa-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/f07f87ab68482d329eeac5525ea5f189bcd720d2b2d149db61ab81ae04be957a/analysis/1486655768/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f508-819c-4057-bcae-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:12.000Z",
|
||
|
"modified": "2017-03-23T16:17:12.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 41c4483cfcc0b5a10504aa137ec3824d139663b7ec318d5e1fb6c9f5db8af8f9",
|
||
|
"pattern": "[file:hashes.SHA1 = '6bfc8580d74920f484441b7146ca31b26ae494f8']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:17:12Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f509-5704-4fc4-9282-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:13.000Z",
|
||
|
"modified": "2017-03-23T16:17:13.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 41c4483cfcc0b5a10504aa137ec3824d139663b7ec318d5e1fb6c9f5db8af8f9",
|
||
|
"pattern": "[file:hashes.MD5 = 'bfa4002b794ab5900866d10fc44997f8']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:17:13Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f509-33c8-4d34-91d4-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:13.000Z",
|
||
|
"modified": "2017-03-23T16:17:13.000Z",
|
||
|
"first_observed": "2017-03-23T16:17:13Z",
|
||
|
"last_observed": "2017-03-23T16:17:13Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f509-33c8-4d34-91d4-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f509-33c8-4d34-91d4-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/41c4483cfcc0b5a10504aa137ec3824d139663b7ec318d5e1fb6c9f5db8af8f9/analysis/1490279633/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f50a-058c-45da-9e00-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:14.000Z",
|
||
|
"modified": "2017-03-23T16:17:14.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: b1da2cb4fcee52cdc94c06325c339ac11a3fb1e399e1ed5a2a55107f5f64867f",
|
||
|
"pattern": "[file:hashes.SHA1 = '28651d200780f28b1289f41ac0aab5619cdbb090']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:17:14Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f50b-81e8-4afc-8781-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:15.000Z",
|
||
|
"modified": "2017-03-23T16:17:15.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: b1da2cb4fcee52cdc94c06325c339ac11a3fb1e399e1ed5a2a55107f5f64867f",
|
||
|
"pattern": "[file:hashes.MD5 = 'f7b6f70ba69fbfce3d5670f3bcc3f13d']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:17:15Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f50c-75c4-4850-87d5-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:16.000Z",
|
||
|
"modified": "2017-03-23T16:17:16.000Z",
|
||
|
"first_observed": "2017-03-23T16:17:16Z",
|
||
|
"last_observed": "2017-03-23T16:17:16Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f50c-75c4-4850-87d5-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f50c-75c4-4850-87d5-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/b1da2cb4fcee52cdc94c06325c339ac11a3fb1e399e1ed5a2a55107f5f64867f/analysis/1490174190/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f50d-1954-46db-8799-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:17.000Z",
|
||
|
"modified": "2017-03-23T16:17:17.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 4f2c10b64d4f4b56d56b5a271331c92484b6ddf8c4eb9f56669ed60545a4c06d",
|
||
|
"pattern": "[file:hashes.SHA1 = 'b535f6fdcb4ca3da7fb6a28677fe7430ca6b8089']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:17:17Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f50e-d3b8-4dd0-b191-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:18.000Z",
|
||
|
"modified": "2017-03-23T16:17:18.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 4f2c10b64d4f4b56d56b5a271331c92484b6ddf8c4eb9f56669ed60545a4c06d",
|
||
|
"pattern": "[file:hashes.MD5 = '46e5de82b73e15609028e11c38918ed9']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:17:18Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f50f-9e10-4588-956b-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:19.000Z",
|
||
|
"modified": "2017-03-23T16:17:19.000Z",
|
||
|
"first_observed": "2017-03-23T16:17:19Z",
|
||
|
"last_observed": "2017-03-23T16:17:19Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f50f-9e10-4588-956b-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f50f-9e10-4588-956b-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/4f2c10b64d4f4b56d56b5a271331c92484b6ddf8c4eb9f56669ed60545a4c06d/analysis/1490244732/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f510-2d88-45fc-8e3c-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:20.000Z",
|
||
|
"modified": "2017-03-23T16:17:20.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 1ae6aa92ce8ee9a2ab78631663fa5a9bdcc14490c4c5fe799b41d26455b5b696",
|
||
|
"pattern": "[file:hashes.SHA1 = 'ea1f99b2bd8eae0d7dd35f78013cfe9ec8aa2be1']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:17:20Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f511-233c-45a7-8baa-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:21.000Z",
|
||
|
"modified": "2017-03-23T16:17:21.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 1ae6aa92ce8ee9a2ab78631663fa5a9bdcc14490c4c5fe799b41d26455b5b696",
|
||
|
"pattern": "[file:hashes.MD5 = 'e93338fb2a8653089b236a3c051b5c21']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:17:21Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f511-5498-4ea5-ab36-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:21.000Z",
|
||
|
"modified": "2017-03-23T16:17:21.000Z",
|
||
|
"first_observed": "2017-03-23T16:17:21Z",
|
||
|
"last_observed": "2017-03-23T16:17:21Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f511-5498-4ea5-ab36-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f511-5498-4ea5-ab36-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/1ae6aa92ce8ee9a2ab78631663fa5a9bdcc14490c4c5fe799b41d26455b5b696/analysis/1489752442/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f512-ece8-4295-a27c-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:22.000Z",
|
||
|
"modified": "2017-03-23T16:17:22.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 14a6e04a60b1bb5f4d0fb3fffa240b7b34bf9c0b8504da19caeb31182510c139",
|
||
|
"pattern": "[file:hashes.SHA1 = '059f7a95d4621a0a2370f14617e75cbb673e0fb9']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:17:22Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f513-7240-4980-b6f8-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:23.000Z",
|
||
|
"modified": "2017-03-23T16:17:23.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 14a6e04a60b1bb5f4d0fb3fffa240b7b34bf9c0b8504da19caeb31182510c139",
|
||
|
"pattern": "[file:hashes.MD5 = 'fe16d984a645b66f50b204b5de79590e']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:17:23Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f514-d40c-4065-b661-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:24.000Z",
|
||
|
"modified": "2017-03-23T16:17:24.000Z",
|
||
|
"first_observed": "2017-03-23T16:17:24Z",
|
||
|
"last_observed": "2017-03-23T16:17:24Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f514-d40c-4065-b661-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f514-d40c-4065-b661-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/14a6e04a60b1bb5f4d0fb3fffa240b7b34bf9c0b8504da19caeb31182510c139/analysis/1487931142/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f515-e7c0-45bc-91c2-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:25.000Z",
|
||
|
"modified": "2017-03-23T16:17:25.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 7b684ad97bb9f5093e5cfb100352ad2f0ec3dfce63232207daf0aa736d6438c9",
|
||
|
"pattern": "[file:hashes.SHA1 = 'e0c7dc12e146b5ffc948cb913599817e1c50796e']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:17:25Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f516-836c-442c-a32f-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:26.000Z",
|
||
|
"modified": "2017-03-23T16:17:26.000Z",
|
||
|
"description": "malicious samples with similar malformations of the RTF file format: - Xchecked via VT: 7b684ad97bb9f5093e5cfb100352ad2f0ec3dfce63232207daf0aa736d6438c9",
|
||
|
"pattern": "[file:hashes.MD5 = 'ce4a4bccdad5b85ea2138893c9070232']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:17:26Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f517-1164-4ebb-b531-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:27.000Z",
|
||
|
"modified": "2017-03-23T16:17:27.000Z",
|
||
|
"first_observed": "2017-03-23T16:17:27Z",
|
||
|
"last_observed": "2017-03-23T16:17:27Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f517-1164-4ebb-b531-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f517-1164-4ebb-b531-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/7b684ad97bb9f5093e5cfb100352ad2f0ec3dfce63232207daf0aa736d6438c9/analysis/1486619722/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f518-ae40-4b54-8a05-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:28.000Z",
|
||
|
"modified": "2017-03-23T16:17:28.000Z",
|
||
|
"description": "dropped executables - Xchecked via VT: a3c3abcd461d00e1f928e375770e39e3a33f719d7287a2fee661d82ce8de1c56",
|
||
|
"pattern": "[file:hashes.SHA1 = '942c04608285c4540def1704961a906f86df04ee']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:17:28Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f519-f824-448b-bfbf-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:29.000Z",
|
||
|
"modified": "2017-03-23T16:17:29.000Z",
|
||
|
"description": "dropped executables - Xchecked via VT: a3c3abcd461d00e1f928e375770e39e3a33f719d7287a2fee661d82ce8de1c56",
|
||
|
"pattern": "[file:hashes.MD5 = '77c1e477fd120dd7cd8093d9eb355a46']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:17:29Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f519-8b20-4235-ae02-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:29.000Z",
|
||
|
"modified": "2017-03-23T16:17:29.000Z",
|
||
|
"first_observed": "2017-03-23T16:17:29Z",
|
||
|
"last_observed": "2017-03-23T16:17:29Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f519-8b20-4235-ae02-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f519-8b20-4235-ae02-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/a3c3abcd461d00e1f928e375770e39e3a33f719d7287a2fee661d82ce8de1c56/analysis/1489664454/"
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f51a-de34-4885-885f-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:30.000Z",
|
||
|
"modified": "2017-03-23T16:17:30.000Z",
|
||
|
"description": "dropped executables - Xchecked via VT: da1a6747a3329c3a317d4bd7ecf029e89bd76192075f84834563103a54bac968",
|
||
|
"pattern": "[file:hashes.SHA1 = '5d1862dc83c051b255ebdc238eab861466c48680']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:17:30Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"sha1\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "indicator",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "indicator--58d3f51b-6944-4b48-99ea-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:31.000Z",
|
||
|
"modified": "2017-03-23T16:17:31.000Z",
|
||
|
"description": "dropped executables - Xchecked via VT: da1a6747a3329c3a317d4bd7ecf029e89bd76192075f84834563103a54bac968",
|
||
|
"pattern": "[file:hashes.MD5 = 'efcc5cfb3e0c1a52889642c5d02aa301']",
|
||
|
"pattern_type": "stix",
|
||
|
"pattern_version": "2.1",
|
||
|
"valid_from": "2017-03-23T16:17:31Z",
|
||
|
"kill_chain_phases": [
|
||
|
{
|
||
|
"kill_chain_name": "misp-category",
|
||
|
"phase_name": "Payload delivery"
|
||
|
}
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"md5\"",
|
||
|
"misp:category=\"Payload delivery\"",
|
||
|
"misp:to_ids=\"True\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "observed-data",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "observed-data--58d3f51c-7490-49b5-9a64-9f0702de0b81",
|
||
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
||
|
"created": "2017-03-23T16:17:32.000Z",
|
||
|
"modified": "2017-03-23T16:17:32.000Z",
|
||
|
"first_observed": "2017-03-23T16:17:32Z",
|
||
|
"last_observed": "2017-03-23T16:17:32Z",
|
||
|
"number_observed": 1,
|
||
|
"object_refs": [
|
||
|
"url--58d3f51c-7490-49b5-9a64-9f0702de0b81"
|
||
|
],
|
||
|
"labels": [
|
||
|
"misp:type=\"link\"",
|
||
|
"misp:category=\"External analysis\""
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"type": "url",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "url--58d3f51c-7490-49b5-9a64-9f0702de0b81",
|
||
|
"value": "https://www.virustotal.com/file/da1a6747a3329c3a317d4bd7ecf029e89bd76192075f84834563103a54bac968/analysis/1489664348/"
|
||
|
},
|
||
|
{
|
||
|
"type": "marking-definition",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
||
|
"created": "2017-01-20T00:00:00.000Z",
|
||
|
"definition_type": "tlp",
|
||
|
"name": "TLP:WHITE",
|
||
|
"definition": {
|
||
|
"tlp": "white"
|
||
|
}
|
||
|
}
|
||
|
]
|
||
|
}
|