adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/e9bf73b9-f82c-4203-ba04-deacf8d9fbd6.json

1346 lines
330 KiB
JSON
Raw Normal View History

chg: [misp-stix] STIX 2.1 export added
2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--e9bf73b9-f82c-4203-ba04-deacf8d9fbd6",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T14:32:27.000Z",
"modified": "2023-04-14T14:32:27.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--e9bf73b9-f82c-4203-ba04-deacf8d9fbd6",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T14:32:27.000Z",
"modified": "2023-04-14T14:32:27.000Z",
"name": "SNOWYAMBER, HALFRIG, QUARTERRIG - IoC Reference",
"published": "2023-04-14T14:32:40Z",
"object_refs": [
"indicator--9f520974-6089-4bc0-ba9a-11703af0898f",
"indicator--562de197-3e0b-483d-af2c-04cfba0bce91",
"indicator--0c5341a9-472a-40b8-8977-228aaba8303c",
"indicator--06c6b49d-dddb-4625-b38e-f89e0cbfda04",
"indicator--b81fc0d1-1c31-4246-b49a-92538284c5fe",
"indicator--54bbcc91-53f4-48ed-9cee-69e4e0b96b18",
"indicator--3a852cbe-b663-4419-8d52-8f4f49e5ceb1",
"indicator--9bb49ae8-9921-4464-af2a-13f0eabfe6aa",
"indicator--ae2fc1c5-a21c-4bd7-94b7-abd2f666aaa2",
"indicator--e2a4c314-dc62-4791-8be9-c07f6ebd9627",
"indicator--d9a7d34e-df43-4ca9-9637-ad7b20680423",
"indicator--2b5638cd-1596-4e4f-a905-8b917864a264",
"indicator--20985b84-445b-4cd8-9a4e-438717131374",
"indicator--2f775c20-527b-41db-a86c-93bd41aec7d4",
"indicator--2ff30677-8495-4288-995c-aaa072af7afc",
"indicator--47b0c033-bc69-42e8-a379-c7ebf4b198bb",
"indicator--693b2be5-19c4-4d78-96b1-aeeae581b3d2",
"indicator--42762f0f-da00-4fd6-88bd-df723863f89f",
"indicator--852c2f54-d64d-40e9-b77a-51c430c03616",
"indicator--4d3cbcdc-8254-4fdf-bf4b-3b6a31cc43b7",
"indicator--0c680fdd-0f59-4cea-9c23-b20d5bde3f51",
"indicator--97ca781f-93d1-4322-bbba-6c50f2b33733",
"indicator--944935b8-4dfc-47f4-8095-0b32d08d276c",
"indicator--3bc6c7dd-e199-4aaa-8c0d-c362959fc990",
"indicator--5136e6ff-c602-438f-8884-40f313c4bd1f",
"indicator--844c8b61-bfaf-40f4-9cdb-559a8867323e",
"indicator--0927d840-3cee-45af-894c-954bed55034f",
"indicator--ffbadd58-a7f1-4292-8c9d-825654816429",
"x-misp-object--cacc499d-1523-42de-990f-6ba57a4f4cc5",
"indicator--fb5d8e74-975e-4396-b9bf-cfbd14e06cb0",
"indicator--13f7ac43-2427-4631-8b19-4204fd4636ed",
"indicator--54bb5140-f5d0-4478-9776-5d68204038ba",
"indicator--98923877-e697-4e46-be52-89926b10186a",
"indicator--d44e1f2d-6dd6-4a1f-b648-59d690e84b70",
"indicator--4a36fbd0-f4e4-4265-af09-1c860934b981",
"indicator--b995157a-f9c8-4e1c-a338-e65775627ddd",
"indicator--674e907b-7058-4613-98d0-76d938cfd6e2",
"indicator--36164b07-dc2e-458a-b3f5-b6117f239934",
"indicator--ceed65f8-1499-4487-b95f-e9acbe047956",
"indicator--fc2c7391-60a9-4f16-b09c-5dc9b0743454",
"indicator--60ed09c9-da38-4dce-b8b4-e21e8fc1933a",
"indicator--3ae9fc2a-cfda-45c7-a247-d73f73a51930",
"indicator--69e85677-63c6-4d60-bb2c-9301d469e077",
"indicator--7f85f95f-7e80-49be-985f-26c62453e9ec",
"indicator--2ecea181-6b4c-42f8-9db6-b84bfdab7392",
"indicator--f253b7db-5840-4c70-9bc9-a2880e555148",
"indicator--e4bdcae2-8d1c-4fa4-9f7c-aeafa565b79e",
"indicator--72df797d-68f8-4a2e-8483-964cf53d94e5",
"indicator--4423841b-a166-4a48-acf1-d0c7198907f5",
"indicator--eb54a2c7-2b9c-4809-a253-d800821ecf38",
"indicator--38c908cd-2958-4021-b434-7271ec84bada"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"tlp:clear",
"misp-galaxy:tool=\"SNOWYAMBER\"",
"misp-galaxy:tool=\"HALFRIG\"",
"misp-galaxy:tool=\"QUARTERRIG\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--9f520974-6089-4bc0-ba9a-11703af0898f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T09:27:48.000Z",
"modified": "2023-04-14T09:27:48.000Z",
"description": "SNOWYAMBER - ENVYSCOUT delivering SNOWYAMBER ZIP",
"pattern": "[url:value = 'totalmassasje.no/schedule.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T09:27:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--562de197-3e0b-483d-af2c-04cfba0bce91",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T09:27:48.000Z",
"modified": "2023-04-14T09:27:48.000Z",
"description": "SNOWYAMBER - ENVYSCOUT delivering SNOWYAMBER ISO",
"pattern": "[url:value = 'signitivelogics.com/Schedule.html']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T09:27:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--0c5341a9-472a-40b8-8977-228aaba8303c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T09:27:48.000Z",
"modified": "2023-04-14T09:27:48.000Z",
"description": "SNOWYAMBER - Cobalt Strike Team Server",
"pattern": "[url:value = 'humanecosmetics.com/category/noteworthy/6426-7346-9789']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T09:27:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--06c6b49d-dddb-4625-b38e-f89e0cbfda04",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T09:27:48.000Z",
"modified": "2023-04-14T09:27:48.000Z",
"description": "SNOWYAMBER - ENVYSCOUT delivering SNOWYAMBER ISO",
"pattern": "[url:value = 'signitivelogics.com/BMW.html']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T09:27:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b81fc0d1-1c31-4246-b49a-92538284c5fe",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T09:27:48.000Z",
"modified": "2023-04-14T09:27:48.000Z",
"description": "SNOWYAMBER - BRUTERATEL C2",
"pattern": "[domain-name:value = 'badriatimimi.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T09:27:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54bbcc91-53f4-48ed-9cee-69e4e0b96b18",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T09:27:48.000Z",
"modified": "2023-04-14T09:27:48.000Z",
"description": "SNOWYAMBER - ENVYSCOUT delivering SNOWYAMBER ZIP",
"pattern": "[url:value = 'literaturaelsalvador.com/Instructions.html']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T09:27:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--3a852cbe-b663-4419-8d52-8f4f49e5ceb1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T09:27:48.000Z",
"modified": "2023-04-14T09:27:48.000Z",
"description": "SNOWYAMBER - ENVYSCOUT URL",
"pattern": "[url:value = 'parquesanrafael.cl/note.html']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T09:27:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--9bb49ae8-9921-4464-af2a-13f0eabfe6aa",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T09:27:48.000Z",
"modified": "2023-04-14T09:27:48.000Z",
"description": "SNOWYAMBER - ENVYSCOUT URL",
"pattern": "[url:value = 'inovaoftalmologia.com.br/form.html']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T09:27:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--ae2fc1c5-a21c-4bd7-94b7-abd2f666aaa2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T09:28:14.000Z",
"modified": "2023-04-14T09:28:14.000Z",
"description": "SNOWYAMBER - ENVYSCOUT delivering SNOWYAMBER ISO",
"pattern": "[url:value = 'literaturaelsalvador.com/Schedule.htm']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T09:28:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e2a4c314-dc62-4791-8be9-c07f6ebd9627",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T12:53:55.000Z",
"modified": "2023-04-14T12:53:55.000Z",
"description": "HALFRIG - ENVYSCOUT backend fingerprint collector",
"pattern": "[url:value = 'sawabfoundation.net/p.php? ip=<IP>&ua=<USER_AGENT>']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T12:53:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d9a7d34e-df43-4ca9-9637-ad7b20680423",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T12:54:18.000Z",
"modified": "2023-04-14T12:54:18.000Z",
"description": "HALFRIG - ENVYSCOUT",
"pattern": "[url:value = 'sawabfoundation.net/note.html']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T12:54:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--2b5638cd-1596-4e4f-a905-8b917864a264",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T12:54:14.000Z",
"modified": "2023-04-14T12:54:14.000Z",
"description": "HALFRIG - compromised hosting used for ENVYSCOUT",
"pattern": "[domain-name:value = 'sawabfoundation.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T12:54:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--20985b84-445b-4cd8-9a4e-438717131374",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T12:54:06.000Z",
"modified": "2023-04-14T12:54:06.000Z",
"description": "HALFRIG - CobaltStrike redirector",
"pattern": "[domain-name:value = 'communitypowersports.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T12:54:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--2f775c20-527b-41db-a86c-93bd41aec7d4",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T12:54:01.000Z",
"modified": "2023-04-14T12:54:01.000Z",
"description": "HALFRIG - CobaltStrike C2",
"pattern": "[domain-name:value = 'sanjosemotosport.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T12:54:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--2ff30677-8495-4288-995c-aaa072af7afc",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T13:24:35.000Z",
"modified": "2023-04-14T13:24:35.000Z",
"pattern": "[file:hashes.MD5 = 'bc4b0bd5da76b683cc28849b1eed504d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T13:24:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--47b0c033-bc69-42e8-a379-c7ebf4b198bb",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T13:27:43.000Z",
"modified": "2023-04-14T13:27:43.000Z",
"description": "QUARTERRIG C2 URL",
"pattern": "[url:value = 'pateke.com/auth/login.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T13:27:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--693b2be5-19c4-4d78-96b1-aeeae581b3d2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T13:27:43.000Z",
"modified": "2023-04-14T13:27:43.000Z",
"description": "QUARTERRIG C2 URL",
"pattern": "[url:value = 'pateke.com/index.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T13:27:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--42762f0f-da00-4fd6-88bd-df723863f89f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T13:27:43.000Z",
"modified": "2023-04-14T13:27:43.000Z",
"description": "QUARTERRIG Domain",
"pattern": "[domain-name:value = 'pateke.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T13:27:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--852c2f54-d64d-40e9-b77a-51c430c03616",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T13:27:43.000Z",
"modified": "2023-04-14T13:27:43.000Z",
"description": "QUARTERRIG server IP",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '85.195.89.91']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T13:27:43Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--4d3cbcdc-8254-4fdf-bf4b-3b6a31cc43b7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T13:31:18.000Z",
"modified": "2023-04-14T13:31:18.000Z",
"description": "QUARTERRIG - COBALT STRIKE Handler URL",
"pattern": "[url:value = 'gatewan.com/c/msdownload/update/others/2021/10/se9fW4z8WJtmMyPQu']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T13:31:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--0c680fdd-0f59-4cea-9c23-b20d5bde3f51",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T13:31:18.000Z",
"modified": "2023-04-14T13:31:18.000Z",
"description": "QUARTERRIG - COBALT STRIKE Handler URL",
"pattern": "[url:value = 'gatewan.com/c/msdownload/update/others/2021/10/8PaDBDxLtokI3eH8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T13:31:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--97ca781f-93d1-4322-bbba-6c50f2b33733",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T13:31:18.000Z",
"modified": "2023-04-14T13:31:18.000Z",
"description": "QUARTERRIG - COBALT STRIKE C2 Domain",
"pattern": "[domain-name:value = 'gatewan.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T13:31:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--944935b8-4dfc-47f4-8095-0b32d08d276c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T13:31:18.000Z",
"modified": "2023-04-14T13:31:18.000Z",
"description": "QUARTERRIG - COBALT STRIKE C2 IP",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '91.218.183.90']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T13:31:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--3bc6c7dd-e199-4aaa-8c0d-c362959fc990",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T13:31:18.000Z",
"modified": "2023-04-14T13:31:18.000Z",
"description": "QUARTERRIG C2 URL",
"pattern": "[url:value = 'sharpledge.com/login.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T13:31:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5136e6ff-c602-438f-8884-40f313c4bd1f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T13:31:18.000Z",
"modified": "2023-04-14T13:31:18.000Z",
"description": "QUARTERRIG C2 Domain",
"pattern": "[domain-name:value = 'sharpledge.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T13:31:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--844c8b61-bfaf-40f4-9cdb-559a8867323e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T13:31:18.000Z",
"modified": "2023-04-14T13:31:18.000Z",
"description": "QUARTERRIG server IP",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '51.75.210.218']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T13:31:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--0927d840-3cee-45af-894c-954bed55034f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T13:31:18.000Z",
"modified": "2023-04-14T13:31:18.000Z",
"description": "URL to ENYVYSCOUT used to deliver QUARTERRIG",
"pattern": "[url:value = 'sylvio.com.br/form.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T13:31:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--ffbadd58-a7f1-4292-8c9d-825654816429",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T13:31:18.000Z",
"modified": "2023-04-14T13:31:18.000Z",
"description": "QUARTERRIG - Domain used to host ENVYSCOUT",
"pattern": "[domain-name:value = 'sylvio.com.br']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T13:31:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--cacc499d-1523-42de-990f-6ba57a4f4cc5",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T13:42:09.000Z",
"modified": "2023-04-14T13:42:09.000Z",
"labels": [
"misp:name=\"report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "link",
"value": "https://www.gov.pl/attachment/6e085a2c-ac05-4b62-9423-5d6e9ef730bf",
"category": "External analysis",
"uuid": "2f37fc00-2762-4853-ab11-ef4ab8ad401e"
},
{
"type": "text",
"object_relation": "summary",
"value": "SNOWYAMBER, HALFRIG, QUARTERRIG - IoC Reference",
"category": "Other",
"uuid": "e39a0bf4-28c2-4764-8b28-551226d11673"
},
{
"type": "text",
"object_relation": "type",
"value": "Report",
"category": "Other",
"uuid": "ca00a9f2-cd8a-455d-a6e5-08a0fb0012b4"
},
{
"type": "attachment",
"object_relation": "report-file",
"value": "IoC_Reference_.pdf",
"category": "External analysis",
"uuid": "cfc505c6-f0a1-429f-abe7-2e4c4a24961b",
"data": "JVBERi0xLjcNCiW1tbW1DQoxIDAgb2JqDQo8PC9UeXBlL0NhdGFsb2cvUGFnZXMgMiAwIFIvTGFuZyhlbi1VUykgL1N0cnVjdFRyZWVSb290IDYzIDAgUi9NYXJrSW5mbzw8L01hcmtlZCB0cnVlPj4vTWV0YWRhdGEgMTMwMiAwIFIvVmlld2VyUHJlZmVyZW5jZXMgMTMwMyAwIFI+Pg0KZW5kb2JqDQoyIDAgb2JqDQo8PC9UeXBlL1BhZ2VzL0NvdW50IDExL0tpZHNbIDMgMCBSIDE1IDAgUiAyNCAwIFIgMjYgMCBSIDI5IDAgUiAzMCAwIFIgMzIgMCBSIDMzIDAgUiA1NCAwIFIgNTYgMCBSIDU4IDAgUl0gPj4NCmVuZG9iag0KMyAwIG9iag0KPDwvVHlwZS9QYWdlL1BhcmVudCAyIDAgUi9SZXNvdXJjZXM8PC9Gb250PDwvRjEgNSAwIFIvRjIgOSAwIFIvRjMgMTEgMCBSL0Y0IDEzIDAgUj4+L0V4dEdTdGF0ZTw8L0dTNyA3IDAgUi9HUzggOCAwIFI+Pi9Qcm9jU2V0Wy9QREYvVGV4dC9JbWFnZUIvSW1hZ2VDL0ltYWdlSV0gPj4vTWVkaWFCb3hbIDAgMCA1OTUuMzIgODQxLjkyXSAvQ29udGVudHMgNCAwIFIvR3JvdXA8PC9UeXBlL0dyb3VwL1MvVHJhbnNwYXJlbmN5L0NTL0RldmljZVJHQj4+L1RhYnMvUy9TdHJ1Y3RQYXJlbnRzIDA+Pg0KZW5kb2JqDQo0IDAgb2JqDQo8PC9GaWx0ZXIvRmxhdGVEZWNvZGUvTGVuZ3RoIDExNDg+Pg0Kc3RyZWFtDQp4nL1Y227bOBB9N+B/4FMhFWuawzsXRYHETdMUzW4auygWQR/cRHENZO3UdVPk73eGjhPZkiJf1PUDYZIjzZkzFw7VPZjNx9fDyzl79ap7MJ8PL79lV+yiO5jefukO7m+z7tlwNJ4M5+PppNv/+XVOS++y4VU2e/2aHb7pse/tluCCft47YIKZYLiSzGvgQbJZ1m59fskm7dbhoN3qvgUGwIVmg+t2i6QFAyaD49YxFyw9OPgX5Y77jo1+4KvZKM78w+y43bpIWNrRONj8ny9s8L7dOkIdH9utBjApkFxBHlOE8ohgN30oy45Oe4x1z4jw097JGyaaI9IJ7qVmzgp6ogZ0AQjsBkQyMDzYUiDScG+3BiKbByIs19szopoDopTlLjDrLQ9+ayC6cUasddzorYGY3YCoZ4DowNXWOGzzOKTnYWscblccqhSE8aEERD8FSP5KQSV/pyCTzzT8k4JJDmg4pekhDUckck7//qiB7RuCLb3kASpg13EXGuZOK8KyjuIdkReJ+kD0vE1BLzg6oekxDXVswY4luoAUUFxDFdLa+rxjga4iTAfPhSvA+EiEfSKaImuRqwFNn8Irz18N5h1reTHStCXqKjDXUrdjJdcMfCl11lM1jzC4MS7uzkb52XkEdjLtsfPsOktVMssm2KlcZnu1KgVA4BRXanNAtUzljprOAhlI6fwSECpYRXjzuBClwSsAWlx5eHVrYVD0X4UKib2NzWlYEbNKkDpc/tZuXb9c0vi70SJ9+8PtV7BuiqxrD2FjO6TErHjSLISxdm3rwQ7ugXa88A8jRYmkioTaMIp0iBZZHRe049rHFytP3abRmmsTF0zABSxmFmuarfTG/2UFRXdjZlR5yRa8JIIKG0ebsCCUyRmovbN+fS+XHYYuRqwDQXAL9Hrln6Y3y32J3X5QVR74jQiJ8h0gVrHrCuwadKjaNZcxCtD1pbm8UiEJoTF4ukoOirRYLbhWzAaOlR4fUgqjh3WkUlRicUEGzY1cWBlWeS9atWy1gByqtOHOYM+ruXJM4p0g4BGJJ1ss9PQOQfu/qL4Tu8/L9x/0facXWw4k6LnSURCJA/AU009nyAqwXPu12dOPJ5BcvdkYPIEMc8ZwW7xQvJ+O045MJngAztnw6o5u7HHlx3SWdlRyz77S7P7PwrG4FyiNISJlFajaC6homBupuS3eg0+JgEjGDQ3x33w4u2e96c9JqpN5lrpkNiapyB9Nb1bFR9RZ0Cb2FSZh/Wx2F9dL2oy9DDEycCwEFYbU8gkN8ylC2XX+RbM2Kyso4SuU1dosm7XZYtERRep7R+TucxoGGAYcw+bsQ8M8BCCnVwBY46GUimX3Td0zZQPVbHB0Z8T8xNq7LH6t5wRy1c4BB0/fuTDHdRTEDthRppfXOplrajd59pGI4hc2JNDThirLA1Dxg+QBpuItOmI2vll8oFx3x34YSDn2laUYGB1+WuIN6fIikUKqpnUrQ9+vKuyvzQnTsB88liNZrO93wIl40bDx1GyISqUVifAftrp/9g0KZW5kc3RyZWFtDQplbmRvYmoNCjUgMCBvYmoNCjw8L1R5cGUvRm9udC9TdWJ0eXBlL1RydWVUeXBlL05hbWUvRjEvQmFzZUZvbnQvQkNERUVFK1JhamRoYW5pLVJlZ3VsYXIvRW5jb2RpbmcvV2luQW5zaUVuY29kaW5nL0ZvbnREZXNjcmlwdG9yIDYgMCBSL0ZpcnN0Q2hhciAzMi9MYXN0Q2hhciAxMjIvV2lkdGhzIDEyODcgMCBSPj4NCmVuZG9iag0KNiAwIG9iag0KPDwvVHlwZS9Gb250RGVzY3JpcHRvci9Gb250TmFtZS9CQ0RFRUUrUmFqZGhhbmktUmVndWxhci9GbGFncyAzMi9JdGFsaWNBbmdsZSAwL0FzY2VudCA5MzAvRGVzY2VudCAtMzQ2L0NhcEhlaWdodCA5MzAvQXZnV2lkdGggNDc3L01heFdpZHRoIDI0MzYvRm9udFdlaWdodCA0MDAvWEhlaWdodCAyNTAvU3RlbVYgNDcvRm9udEJCb3hbIC00MTYgLTM0NiAyMDIwIDkzMF0gL0ZvbnRGaWxlMiAxMjg1IDAgUj4+DQplbmRvYmoNCjcgMCBvYmoNCjw8L1R5cGUvRXh0R1N0YXRlL0JNL05vcm1hbC9jYSAxPj4NCmVuZG9iag0KOCAwIG9iag0KPDwvVHlwZS9FeHRHU3RhdGUvQk0vTm9ybWFsL0NBIDE+Pg0KZW5kb2JqDQo5IDAgb2JqDQo8PC9UeXBlL0ZvbnQvU3VidHlwZS9UcnVlVHlwZS9OYW1lL0YyL0Jhc2VGb250L0JDREZFRStWZXJkYW5hLUJvbGQvRW5jb2RpbmcvV2luQW5zaUVuY29kaW5nL0ZvbnREZXNjcmlwdG9yIDEwIDAgUi9GaXJzdENoYXIgMzIvTGFzdENoYXIgMzIvV2lkdGhzIDEyODggMCBSPj4NCmVuZG9iag0KMTAgMCBvYmoNCjw8L1R5cGUvRm9udERlc2NyaXB0b3IvRm9udE5hbWUvQkNERkVFK1ZlcmRhbmEtQm9sZC9GbGFncyAzMi9JdGFsaWNBbmdsZSAwL0FzY2VudCAxMDA1L0Rlc2NlbnQgLTIwNy9DYXBIZWlnaHQgNzY1L0F2Z1dpZHRoIDU2OC9NYXhXaWR0aCAyMjU3L0ZvbnRXZWlnaHQgNzAwL1hIZWlnaHQgMjUwL1N0ZW1WIDU2L0ZvbnRCQm94WyAtNTUwIC0yMDcgMTcwNyA3NjVdIC9Gb250RmlsZTIgMTI4OSAwIFI+Pg0KZW5kb2JqDQoxMSAwIG9iag0KPDwvVHlwZS9Gb250L1N1YnR5cGUvVHJ1ZVR5cGUvTmFtZS9GMy9CYXNlRm9udC9CQ0RHRUUrUmFqZGhhbmktU2VtaUJvbGQvRW5jb2RpbmcvV2luQW5zaUVuY29kaW5nL0ZvbnREZXNjcmlwdG9yIDEyIDAgUi9GaXJzdENoYXIgMzIvTGFzdENoYXIgMTE2L1dpZHRocyAxMjkwIDAgUj4+DQplbmRvYmoNCjEyIDAgb2JqDQo8PC9UeXBlL0ZvbnREZXNjcmlwdG9yL0ZvbnROYW1lL0JDREdFRStSYWpkaGFuaS1TZW1pQm9sZC9GbGFncyAzMi9JdGFsaWNBbmdsZSAwL0
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--fb5d8e74-975e-4396-b9bf-cfbd14e06cb0",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T08:57:37.000Z",
"modified": "2023-04-14T08:57:37.000Z",
"description": "SNOWYAMBER",
"pattern": "[file:hashes.MD5 = 'd0efe94196b4923eb644ec0b53d226cc' AND file:hashes.SHA1 = 'c938934c0f5304541087313382aee163e0c5239c' AND file:hashes.SHA256 = '381a3c6c7e119f58dfde6f03a9890353a20badfa1bfa7c38ede62c6b0692103c' AND file:name = '7za.dll' AND file:size = '270336']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T08:57:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--13f7ac43-2427-4631-8b19-4204fd4636ed",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T08:57:05.000Z",
"modified": "2023-04-14T08:57:05.000Z",
"description": "SNOWYAMBER\r\nIt seems that the adversary made a mistake while compiling this sample. Internal functions were added to exports (authored by the adversary as well as those from libraries: SysWhispers3, Nlohmann JSON, Obfuscate). While binary itself is stripped, those exported functions have names that can be demangled revealing naming, prototypes and datatypes.",
"pattern": "[file:hashes.MD5 = 'cf36bf564fbb7d5ec4cec9b0f185f6c9' AND file:hashes.SHA1 = '8eb64670c10505322d45f6114bc9f7de0826e3a1' AND file:hashes.SHA256 = 'e957326b2167fa7ccd508cbf531779a28bfce75eb2635ab81826a522979aeb98' AND file:name = 'BugSplatRc64.dll' AND file:size = '271360']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T08:57:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--54bb5140-f5d0-4478-9776-5d68204038ba",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T09:09:27.000Z",
"modified": "2023-04-14T09:09:27.000Z",
"description": "SNOWYAMBER",
"pattern": "[file:hashes.MD5 = '82ecb8474efe5fedcb8f57b8aafa93d2' AND file:hashes.SHA1 = '3fd43de3c9f7609c52da71c1fc4c01ce0b5ac74c' AND file:hashes.SHA256 = '4d92a4cecb62d237647a20d2cdfd944d5a29c1a14b274d729e9c8ccca1f0b68b' AND file:name = 'BugSplatRc64.dll' AND file:size = '301056']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T09:09:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--98923877-e697-4e46-be52-89926b10186a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T09:17:02.000Z",
"modified": "2023-04-14T09:17:02.000Z",
"description": "SNOWYAMBER - 2nd stage - CobaltStrike beacon (decrypted)\r\n",
"pattern": "[file:hashes.MD5 = '800db035f9b6f1e86a7f446a8a8e3947' AND file:hashes.SHA1 = 'aaf973a56b17a0a82cf1b3a49ff68da1c50283d4' AND file:hashes.SHA256 = '032855b043108967a6c2de154624c16b70a0b7d0d0a0e93064b387f59537cc1e' AND file:name = 'hXaIk1725.pdf' AND file:size = '261635']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T09:17:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d44e1f2d-6dd6-4a1f-b648-59d690e84b70",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T09:18:51.000Z",
"modified": "2023-04-14T09:18:51.000Z",
"description": "SNOWYAMBER - 2nd stage \u2013 BruteRatel stageless badger (decrypted)",
"pattern": "[file:hashes.MD5 = '0e594576bb36b025e80eab7c35dc885e' AND file:hashes.SHA1 = 'a8a82a7da2979b128cbeddf4e70f9d5725ef666b' AND file:hashes.SHA256 = 'ec687a447ca036b10c28c1f9e1e9cef9f2078fdbc2ffdb4d8dd32e834b310c0d' AND file:name = 'hXaIk1314.pdf' AND file:size = '347837']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T09:18:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--4a36fbd0-f4e4-4265-af09-1c860934b981",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T12:07:33.000Z",
"modified": "2023-04-14T12:07:33.000Z",
"description": "HALFRIG - Legitimate binary used for loading malicious DLL",
"pattern": "[file:hashes.MD5 = '83863beee3502e42ced7e4b6dacb9eac' AND file:hashes.SHA1 = 'd9d40cb3e2fe05cf223dc0b592a592c132340042' AND file:hashes.SHA256 = 'cb470d77087518ed7bc53ca624806c265ae2485d40ec212acc2559720940fb27' AND file:name = 'Note.exe' AND file:size = '1597000']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T12:07:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b995157a-f9c8-4e1c-a338-e65775627ddd",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T12:09:17.000Z",
"modified": "2023-04-14T12:09:17.000Z",
"description": "HALFRIG - Virtual disc container",
"pattern": "[file:hashes.MD5 = '0e5ed33778ee9c020aa067546384abcb' AND file:hashes.SHA1 = 'fbb482415f5312ed64b3a0ebee7fed5e6610c21a' AND file:hashes.SHA256 = 'd1455c42553fab54e78c874525c812aaefb1f3cc69f9c314649bd6e4e57b9fa9' AND file:name = 'Note.iso' AND file:size = '2688000']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T12:09:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--674e907b-7058-4613-98d0-76d938cfd6e2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T12:15:01.000Z",
"modified": "2023-04-14T12:15:01.000Z",
"description": "HALFRIG - 1st module\r\n",
"pattern": "[file:hashes.MD5 = 'f532c0247b683de8936982e86876093b' AND file:hashes.SHA1 = 'f61e0d09be2fc81d6f325aa7041be6136a747c2d' AND file:hashes.SHA256 = 'ddf218e4e7ccd5e8bd502fb115d1e7fbfaa393fb7e0b3b9001168caebc771c50' AND file:name = 'AppvIsvSubsystems64.dll' AND file:size = '27000']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T12:15:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--36164b07-dc2e-458a-b3f5-b6117f239934",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T12:19:28.000Z",
"modified": "2023-04-14T12:19:28.000Z",
"description": "HALFRIG - 2nd module",
"pattern": "[file:hashes.MD5 = 'abc87df854f31725dd1d7231f6f07354' AND file:hashes.SHA1 = 'e418d37fdcf4c288884bfe744b416cbdb0243a9e' AND file:hashes.SHA256 = 'efeb7d9d0fabe464a32c4e33fe756d6ef7a9b369c0f1462b3dd573b6b667488e' AND file:name = 'msword.dll' AND file:size = '53000']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T12:19:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--ceed65f8-1499-4487-b95f-e9acbe047956",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T12:36:18.000Z",
"modified": "2023-04-14T12:36:18.000Z",
"description": "HALFRIG - 3rd module",
"pattern": "[file:hashes.MD5 = '2ffaa8cbc7f0d21d03d3dd897d974dba' AND file:hashes.SHA1 = '6dff9a9f13300a5ce72a70d907ff7854599e990a' AND file:hashes.SHA256 = 'cfa65036aff012d7478694ea733e3e882cf8e18f336af5fba3ed2ef29160d45b' AND file:name = 'envsrv.dll' AND file:size = '56000']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T12:36:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--fc2c7391-60a9-4f16-b09c-5dc9b0743454",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T12:42:54.000Z",
"modified": "2023-04-14T12:42:54.000Z",
"description": "HALFRIG - 4th module (shellcode stager)",
"pattern": "[file:hashes.MD5 = '5b6d8a474c556fe327004ed8a33edcdb' AND file:hashes.SHA1 = 'a677b6aa958fe02cac0730d36e8123648e02884f' AND file:hashes.SHA256 = '86edfd6c7a2fab8c50a372494e3d5b08c032cca754396f6e288d5d4c5738cb4c' AND file:name = 'mschost.dll' AND file:size = '391000']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T12:42:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--60ed09c9-da38-4dce-b8b4-e21e8fc1933a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T12:52:13.000Z",
"modified": "2023-04-14T12:52:13.000Z",
"description": "QUARTERRIG - Legitimate executable used to load the malicious DLL",
"pattern": "[file:hashes.MD5 = 'b1820abc3a1ce2d32af04c18f9d2bfc3' AND file:hashes.SHA1 = 'b260d80fa81885d63565773480ca1e436ab657a0' AND file:hashes.SHA256 = '6c55195f025fb895f9d0ec3edbf58bc0aa46c43eeb246cfb88eef1ae051171b3' AND file:name = 'Note.exe' AND file:size = '1600000']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T12:52:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--3ae9fc2a-cfda-45c7-a247-d73f73a51930",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T12:53:10.000Z",
"modified": "2023-04-14T12:53:10.000Z",
"description": "QUARTERRIG - Virtual disc container",
"pattern": "[file:hashes.MD5 = '22adbffd1dbf3e13d036f936049a2e98' AND file:hashes.SHA1 = '52932be0bd8e381127aab9c639e6699fd1ecf268' AND file:hashes.SHA256 = 'c03292fca415b51d08da32e2f7226f66382eb391e19d53e3d81e3e3ba73aa8c1' AND file:name = 'Note.iso' AND file:size = '2624000']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T12:53:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--69e85677-63c6-4d60-bb2c-9301d469e077",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T12:55:11.000Z",
"modified": "2023-04-14T12:55:11.000Z",
"description": "QUARTERRIG - loader",
"pattern": "[file:hashes.MD5 = 'db2d9d2704d320ecbd606a8720c22559' AND file:hashes.SHA1 = 'ca1ef3aeed9c0c5cfa355b6255a5ab238229a051' AND file:hashes.SHA256 = '18cc4c1577a5b3793ecc1e14db2883ffc6bf7c9792cf22d953c1482ffc124f5a' AND file:name = 'AppvIsvSubsystems64.dll' AND file:size = '28000']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T12:55:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--7f85f95f-7e80-49be-985f-26c62453e9ec",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T12:56:10.000Z",
"modified": "2023-04-14T12:56:10.000Z",
"description": "QUARTERRIG - Encrypted resource containing the second stage",
"pattern": "[file:hashes.MD5 = '166f7269c2a69d8d1294a753f9e53214' AND file:hashes.SHA1 = '02cd4148754c9337dfa2c3b0c31d9fdd064616a0' AND file:hashes.SHA256 = '3c4c2ade1d7a2c55d3df4c19de72a9a6f68d7a281f44a0336e55b6d0f54ec36a' AND file:name = 'bdcmetadataresource.xsd' AND file:size = '456000']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T12:56:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--2ecea181-6b4c-42f8-9db6-b84bfdab7392",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T12:57:40.000Z",
"modified": "2023-04-14T12:57:40.000Z",
"description": "QUARTERRIG - Virtual disc container",
"pattern": "[file:hashes.MD5 = '1609bcb75babd9a3e823811b4329b3b9' AND file:hashes.SHA1 = '86dcdf623d0951e2f804c9fb4ef816fa5e6a22c3' AND file:hashes.SHA256 = '91b42488d1b8e5b547b945714c76c2af16b9566b35757bf055cec1fee9dff1b0' AND file:name = 'Invite.iso' AND file:size = '6464000']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T12:57:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--f253b7db-5840-4c70-9bc9-a2880e555148",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T13:00:52.000Z",
"modified": "2023-04-14T13:00:52.000Z",
"description": "QUARTERRIG - Legitimate executable used to load the malicious DLL",
"pattern": "[file:hashes.MD5 = 'd2027751280330559d1b42867e063a0f' AND file:hashes.SHA1 = '15511f1944d96b6b51291e3a68a2a1a560d95305' AND file:hashes.SHA256 = '35271a5d3b8e046546417d174abd0839b9b5adfc6b89990fc67c852aafa9ebb0' AND file:name = 'Invite.exe' AND file:size = '5380000']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T13:00:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e4bdcae2-8d1c-4fa4-9f7c-aeafa565b79e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T13:11:40.000Z",
"modified": "2023-04-14T13:11:40.000Z",
"description": "QUATERRIG loader",
"pattern": "[file:hashes.MD5 = 'bd4cbcd9161e365067d0279b63a784ac' AND file:hashes.SHA1 = 'b91e71d8867ed8bf33ec39d07f4f7fa2c1eeb386' AND file:hashes.SHA256 = '673f91a2085358e3266f466845366f30cf741060edeb31e9a93e2c92033bba28' AND file:name = 'winhttp.dll' AND file:size = '32000']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T13:11:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--72df797d-68f8-4a2e-8483-964cf53d94e5",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T13:13:23.000Z",
"modified": "2023-04-14T13:13:23.000Z",
"description": "QUARTERRIG - Encrypted resource containing the second stage",
"pattern": "[file:hashes.MD5 = '8dcac7513d569ca41126987d876a9940' AND file:hashes.SHA1 = '1f65d068d0fbaec88e6bcce5f83771ab42a7a8c5' AND file:hashes.SHA256 = '9c6683fbb0bf44557472bcef94c213c25a56df539f46449a487a40eecb828a14' AND file:name = 'Stamp.aapp' AND file:size = '460000']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T13:13:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--4423841b-a166-4a48-acf1-d0c7198907f5",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T13:15:23.000Z",
"modified": "2023-04-14T13:15:23.000Z",
"description": "QUARTERRIG - Virtual disc container",
"pattern": "[file:hashes.MD5 = '3aca0abdd7ec958a539705d5a4244196' AND file:hashes.SHA1 = 'bacb46d2ce5dfcaf8544125903f69f01091bc3d6' AND file:hashes.SHA256 = '10f1c5462eb006246cb7af5d696163db5facc452befbfd525f72507bb925131d' AND file:name = 'Note.iso' AND file:size = '2688000']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T13:15:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--eb54a2c7-2b9c-4809-a253-d800821ecf38",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T13:16:53.000Z",
"modified": "2023-04-14T13:16:53.000Z",
"description": "QUATERRIG loader",
"pattern": "[file:hashes.MD5 = '9159d3c58c5d970ed25c2db9c9487d7a' AND file:hashes.SHA1 = '6382ae2061c865ddcb9337f155ae2d036e232dfe' AND file:hashes.SHA256 = 'a42dd6bea439b79db90067b84464e755488b784c3ee2e64ef169b9dcdd92b069' AND file:name = 'AppvIsvSubsystems64.dll' AND file:size = '26000']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T13:16:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--38c908cd-2958-4021-b434-7271ec84bada",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-14T13:24:28.000Z",
"modified": "2023-04-14T13:24:28.000Z",
"description": "QUARTERRIG - Encrypted resource containing the second stage",
"pattern": "[file:hashes.MD5 = '8dcac7513d569ca41126987d876a9940' AND file:hashes.SHA256 = '15d6036b6b8283571f947d325ea77364c9d48bfa064a865cd24678a466aa5e38' AND file:name = 'bdcmetadataresource.xsd' AND file:size = '479000']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-04-14T13:24:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue Copy permalink