{ "type": "bundle", "id": "bundle--5718c835-f58c-4f8e-8da4-452a950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:04:40.000Z", "modified": "2016-04-21T15:04:40.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5718c835-f58c-4f8e-8da4-452a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:04:40.000Z", "modified": "2016-04-21T15:04:40.000Z", "name": "CryptXXX: New Ransomware From the Actors Behind Reveton, Dropping Via Angler", "published": "2016-04-21T15:05:28Z", "object_refs": [ "observed-data--5718c848-2c34-4d55-a27f-47a7950d210f", "url--5718c848-2c34-4d55-a27f-47a7950d210f", "x-misp-attribute--5718c862-de50-4d77-9195-450c950d210f", "indicator--5718c9b2-98dc-4310-8a5d-4dff950d210f", "indicator--5718c9b2-a384-45fa-ba7f-4e32950d210f", "indicator--5718c9b3-b180-4c09-b026-4010950d210f", "indicator--5718c9b3-b1ec-4bde-9de2-4eaa950d210f", "indicator--5718ca39-5404-495b-a24b-45a6950d210f", "indicator--5718ca39-4744-4e5b-afa4-4449950d210f", "indicator--5718ca39-d1d0-4775-b006-4e70950d210f", "indicator--5718ca3a-9598-449b-8fb9-4e4e950d210f", "indicator--5718ca3a-e5a0-4afb-954f-4e39950d210f", "indicator--5718cb52-4df8-47fb-aaaa-4367950d210f", "indicator--5718cb52-77ec-495e-87da-4831950d210f", "indicator--5718cb68-e624-45fd-aa89-4a29950d210f", "indicator--5718cb68-0760-46b9-9987-4596950d210f", "indicator--5718cbde-58c0-40b2-be07-4b82950d210f", "indicator--5718cbde-0fc4-4c28-85a1-46ee950d210f", "indicator--5718cbde-9158-4737-8278-4d3b950d210f", "indicator--5718cbdf-cd08-4ec1-9cc1-4fe5950d210f", "indicator--5718cbdf-bcd0-4e91-8ba0-424f950d210f", "indicator--5718cbfd-0d9c-4f42-ba85-454f950d210f", "indicator--5718cbfe-c5e4-4c77-bfdf-4ec3950d210f", "indicator--5718cbfe-760c-4f40-9ca2-49b8950d210f", "indicator--5718cbfe-5b80-4d79-8a87-479f950d210f", 
"indicator--5718cbff-9790-406a-aca4-4b5a950d210f", "indicator--5718cbff-bfd4-4f0b-9704-46c0950d210f", "indicator--5718cc81-eda0-46c5-9008-45d6950d210f", "indicator--5718cc82-b3f0-4c5a-b661-4461950d210f", "indicator--5718cc82-8504-4d59-8540-47a1950d210f", "indicator--5718cc82-b7ac-4b18-abfe-4746950d210f", "indicator--5718cc83-2e60-41aa-ba90-43ec950d210f", "indicator--5718cc83-bcbc-4afa-a0b0-47e3950d210f", "indicator--5718cc84-0dc4-4f65-bbaa-4c79950d210f", "indicator--5718cc84-6a50-40aa-853e-465a950d210f", "indicator--5718cc84-3584-49c1-8236-4601950d210f", "indicator--5718cc84-2eac-4ccf-a8c7-4c04950d210f", "indicator--5718ec08-17e8-4e4f-bc91-4dc002de0b81", "observed-data--5718ec09-0a94-4850-95dd-42e402de0b81", "url--5718ec09-0a94-4850-95dd-42e402de0b81", "indicator--5718ec09-9708-4e77-b8e1-444c02de0b81", "observed-data--5718ec09-a8b8-47fa-b41a-481102de0b81", "url--5718ec09-a8b8-47fa-b41a-481102de0b81", "indicator--5718ec0a-a808-4a5b-8dd6-4de802de0b81", "observed-data--5718ec0a-e65c-4944-ba24-415f02de0b81", "url--5718ec0a-e65c-4944-ba24-415f02de0b81", "indicator--5718ec0b-1cfc-449d-8b92-439602de0b81", "observed-data--5718ec0b-2f3c-4ce3-a20e-489e02de0b81", "url--5718ec0b-2f3c-4ce3-a20e-489e02de0b81", "indicator--5718ec0b-991c-4adf-83ad-4f5402de0b81", "observed-data--5718ec0c-9290-4654-8052-441e02de0b81", "url--5718ec0c-9290-4654-8052-441e02de0b81", "indicator--5718ec0c-f468-49fb-9ba3-472f02de0b81", "observed-data--5718ec0c-bff4-422c-ab48-403202de0b81", "url--5718ec0c-bff4-422c-ab48-403202de0b81", "indicator--5718ec0d-4f74-4871-b896-43a102de0b81", "observed-data--5718ec0d-2b70-41f4-87f7-445902de0b81", "url--5718ec0d-2b70-41f4-87f7-445902de0b81", "indicator--5718ec0e-d908-428b-bba4-4c4802de0b81", "observed-data--5718ec0e-22f0-48d2-b7bb-499102de0b81", "url--5718ec0e-22f0-48d2-b7bb-499102de0b81", "indicator--5718ec0e-5244-4e01-814e-401c02de0b81", "observed-data--5718ec0f-30f8-402c-bda5-4aba02de0b81", "url--5718ec0f-30f8-402c-bda5-4aba02de0b81", 
"indicator--5718ec0f-a46c-4586-9ce8-484902de0b81", "observed-data--5718ec0f-b980-4e86-bc98-468602de0b81", "url--5718ec0f-b980-4e86-bc98-468602de0b81", "indicator--5718ec10-4cf4-44af-9f1d-4e9f02de0b81", "observed-data--5718ec10-c750-4490-958d-427902de0b81", "url--5718ec10-c750-4490-958d-427902de0b81", "indicator--5718ec11-7160-45ce-aa3c-4f8f02de0b81", "observed-data--5718ec11-c674-4178-8bb7-48bb02de0b81", "url--5718ec11-c674-4178-8bb7-48bb02de0b81", "indicator--5718ec11-4c84-4afb-818a-43a402de0b81", "indicator--5718ec12-bb6c-4b99-b685-470b02de0b81", "observed-data--5718ec12-fd54-4b04-8e9f-4e0f02de0b81", "url--5718ec12-fd54-4b04-8e9f-4e0f02de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "malware_classification:malware-category=\"Ransomware\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5718c848-2c34-4d55-a27f-47a7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:32:08.000Z", "modified": "2016-04-21T12:32:08.000Z", "first_observed": "2016-04-21T12:32:08Z", "last_observed": "2016-04-21T12:32:08Z", "number_observed": 1, "object_refs": [ "url--5718c848-2c34-4d55-a27f-47a7950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5718c848-2c34-4d55-a27f-47a7950d210f", "value": "https://www.proofpoint.com/us/threat-insight/post/cryptxxx-new-ransomware-actors-behind-reveton-dropping-angler" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5718c862-de50-4d77-9195-450c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:32:34.000Z", "modified": "2016-04-21T12:32:34.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", 
"x_misp_type": "comment", "x_misp_value": "Proofpoint researchers recently found a previously undocumented ransomware spreading since the end of March through Bedep after infection via the Angler Exploit Kit (EK). Combining our findings with intelligence shared by Frank Ruiz (Fox IT InTELL) lead us to the same conclusion: this project is conducted by the same group that was driving Reveton ransomware operations and is closely tied to Angler/Bedep. Dubbed \"CryptXXX\", this new ransomware is currently asking a relatively high $500 per computer to unlock encrypted files. Angler is the number one exploit kit by volume, making the potential impact of new ransomware in the hands of experienced actors with access to this vector quite significant." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718c9b2-98dc-4310-8a5d-4dff950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:38:10.000Z", "modified": "2016-04-21T12:38:10.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = '\\\\%TEMP\\\\%\\\\{C3F31E62-344D-4056-BF01-BF77B94E0254}\\\\api-ms-win-system-softpub-l1-1-0.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T12:38:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718c9b2-a384-45fa-ba7f-4e32950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:38:10.000Z", "modified": "2016-04-21T12:38:10.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = '\\\\%TEMP\\\\%\\\\{D075E5D0-4442-4108-850E-3AD2874B270C}\\\\api-ms-win-system-provsvc-l1-1-0.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T12:38:10Z", 
"kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718c9b3-b180-4c09-b026-4010950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:38:11.000Z", "modified": "2016-04-21T12:38:11.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = '\\\\%TEMP\\\\%\\\\{D4A2C643-5399-4F4F-B9BF-ECB1A25644A6}\\\\api-ms-win-system-wer-l1-1-0.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T12:38:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718c9b3-b1ec-4bde-9de2-4eaa950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:38:11.000Z", "modified": "2016-04-21T12:38:11.000Z", "description": "Imported via the freetext import.", "pattern": "[file:name = '\\\\%TEMP\\\\%\\\\{FD68402A-8F8F-4B3D-9808-174323767296}\\\\api-ms-win-system-advpack-l1-1-0.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T12:38:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718ca39-5404-495b-a24b-45a6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:40:25.000Z", "modified": "2016-04-21T12:40:25.000Z", "description": "CryptXXX checkin server", "pattern": "[network-traffic:dst_ref.type = 
'ipv4-addr' AND network-traffic:dst_ref.value = '146.0.42.68']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T12:40:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718ca39-4744-4e5b-afa4-4449950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:40:25.000Z", "modified": "2016-04-21T12:40:25.000Z", "description": "CryptXXX payment site", "pattern": "[url:value = 'rp4roxeuhcf2vgft.onion.to']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T12:40:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718ca39-d1d0-4775-b006-4e70950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:40:25.000Z", "modified": "2016-04-21T12:40:25.000Z", "description": "CryptXXX payment site", "pattern": "[url:value = 'rp4roxeuhcf2vgft.onion.cab']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T12:40:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718ca3a-9598-449b-8fb9-4e4e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:40:26.000Z", "modified": "2016-04-21T12:40:26.000Z", "description": "CryptXXX payment site", "pattern": "[url:value = 'rp4roxeuhcf2vgft.onion.city']", "pattern_type": "stix", 
"pattern_version": "2.1", "valid_from": "2016-04-21T12:40:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718ca3a-e5a0-4afb-954f-4e39950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:40:26.000Z", "modified": "2016-04-21T12:40:26.000Z", "description": "Bedep C&C IP", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '104.193.252.245']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T12:40:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718cb52-4df8-47fb-aaaa-4367950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:45:06.000Z", "modified": "2016-04-21T12:45:06.000Z", "description": "Zip archive with most of the mentioned content", "pattern": "[file:hashes.MD5 = '3776ec795ef3aa649ff48fcf83c87713']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T12:45:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718cb52-77ec-495e-87da-4831950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:45:06.000Z", "modified": "2016-04-21T12:45:06.000Z", "description": "Zip archive with most of the mentioned content", "pattern": "[file:hashes.SHA256 = 
'41dbbc60b8921709c5eb187cf03e60701e3b172e6deebdb67dd66c8cb3666b90']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T12:45:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718cb68-e624-45fd-aa89-4a29950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:45:28.000Z", "modified": "2016-04-21T12:45:28.000Z", "description": "Bedep 1809 first stream dll CryptXXX", "pattern": "[file:hashes.MD5 = '17697e1829f0d18d2051a67bc2bca134']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T12:45:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718cb68-0760-46b9-9987-4596950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:45:28.000Z", "modified": "2016-04-21T12:45:28.000Z", "description": "Bedep 1809 first stream dll CryptXXX", "pattern": "[file:hashes.SHA256 = 'ab7a58b6e50be6b9bcb926c550ff26669601bbd8bfd922a5b32756e663b25a67']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T12:45:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718cbde-58c0-40b2-be07-4b82950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:47:26.000Z", "modified": "2016-04-21T12:47:26.000Z", "description": "Bedep 1809 
update stream dll1", "pattern": "[file:hashes.MD5 = 'd4439055d2d63e52ffc23c6d24d89194']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T12:47:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718cbde-0fc4-4c28-85a1-46ee950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:47:26.000Z", "modified": "2016-04-21T12:47:26.000Z", "description": "Bedep 1809 update stream dll1 || Bedep 1809 update stream exe2 - Dridex 222", "pattern": "[file:hashes.SHA256 = '1036c84a003378907560356642bb065caef961f9dbc5c3b2a4954d5cbe7100df']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T12:47:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718cbde-9158-4737-8278-4d3b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:47:26.000Z", "modified": "2016-04-21T12:47:26.000Z", "description": "Bedep 1809 update stream exe2 - Dridex 222", "pattern": "[file:hashes.MD5 = '3e75e8238a6bbd8817164658696198af']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T12:47:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718cbdf-cd08-4ec1-9cc1-4fe5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:47:27.000Z", 
"modified": "2016-04-21T12:47:27.000Z", "description": "Bedep 1809 update stream dll3", "pattern": "[file:hashes.MD5 = 'de882c049be133a950b6917562bb2313']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T12:47:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718cbdf-bcd0-4e91-8ba0-424f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:47:27.000Z", "modified": "2016-04-21T12:47:27.000Z", "description": "Bedep 1809 update stream dll3", "pattern": "[file:hashes.SHA256 = 'e53610a977b65c01b275e37aefad7884368dfe00b50750e35b6c8c87556a2c06']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T12:47:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718cbfd-0d9c-4f42-ba85-454f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:47:57.000Z", "modified": "2016-04-21T12:47:57.000Z", "description": "CryptXXX", "pattern": "[file:hashes.MD5 = 'bfb8f7f6cbe24330a310e5c7cbe99ed4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T12:47:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718cbfe-c5e4-4c77-bfdf-4ec3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:47:58.000Z", "modified": 
"2016-04-21T12:47:58.000Z", "description": "CryptXXX", "pattern": "[file:hashes.SHA256 = 'a4e9c151a50595b59e787dd3b361ac53d02dd7f212d6b22639dc01776c886d05']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T12:47:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718cbfe-760c-4f40-9ca2-49b8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:47:58.000Z", "modified": "2016-04-21T12:47:58.000Z", "description": "CryptXXX", "pattern": "[file:hashes.MD5 = '0c3431dbb8cd0478250eb4357257880e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T12:47:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718cbfe-5b80-4d79-8a87-479f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:47:58.000Z", "modified": "2016-04-21T12:47:58.000Z", "description": "CryptXXX", "pattern": "[file:hashes.SHA256 = '565dadb36e1d8b0c787d0d5e4cd7ec8c24cac1d6b37637427547ae465ab0fff0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T12:47:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718cbff-9790-406a-aca4-4b5a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:47:59.000Z", "modified": "2016-04-21T12:47:59.000Z", 
"description": "CryptXXX", "pattern": "[file:hashes.MD5 = 'cd2d085998a289134ffaf27fbdcbc8cb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T12:47:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718cbff-bfd4-4f0b-9704-46c0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:47:59.000Z", "modified": "2016-04-21T12:47:59.000Z", "description": "CryptXXX", "pattern": "[file:hashes.SHA256 = '0b12584302a5a72f467a08046814593ea505fa397785f1012ab973dd961a6c0e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T12:47:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718cc81-eda0-46c5-9008-45d6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:50:09.000Z", "modified": "2016-04-21T12:50:09.000Z", "description": "Bedep \u00e2\u20ac\u0153Private stealer\u00e2\u20ac\u009d", "pattern": "[file:hashes.MD5 = 'd65f155381d26f8ddfa304c83b1ad95a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T12:50:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718cc82-b3f0-4c5a-b661-4461950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:50:10.000Z", "modified": "2016-04-21T12:50:10.000Z", "description": 
"Bedep \u00e2\u20ac\u0153Private stealer\u00e2\u20ac\u009d", "pattern": "[file:hashes.SHA256 = 'eaa857c95fca38ca08411b757f4ad2a841cfb9782deca8abf64aada445923c0d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T12:50:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718cc82-8504-4d59-8540-47a1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:50:10.000Z", "modified": "2016-04-21T12:50:10.000Z", "description": "Bedep \u00e2\u20ac\u0153Private stealer\u00e2\u20ac\u009d", "pattern": "[file:hashes.MD5 = 'b824d94af0f981106ec2a12d0c4cc1c0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T12:50:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718cc82-b7ac-4b18-abfe-4746950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:50:10.000Z", "modified": "2016-04-21T12:50:10.000Z", "description": "Bedep \u00e2\u20ac\u0153Private stealer\u00e2\u20ac\u009d", "pattern": "[file:hashes.SHA256 = '5bfae47c9fda81243b50b6df53ac4184d90a70000894fa2a516044fa44770cfd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T12:50:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718cc83-2e60-41aa-ba90-43ec950d210f", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:50:11.000Z", "modified": "2016-04-21T12:50:11.000Z", "description": "Bedep Pony \u00e2\u20ac\u0153news.php\u00e2\u20ac\u009d - (May 2015)", "pattern": "[file:hashes.MD5 = '971c578c9dea43f91bfb44ceac0ee01d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T12:50:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718cc83-bcbc-4afa-a0b0-47e3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:50:11.000Z", "modified": "2016-04-21T12:50:11.000Z", "description": "Bedep Pony \u00e2\u20ac\u0153news.php\u00e2\u20ac\u009d - (May 2015)", "pattern": "[file:hashes.SHA256 = '59ddf36a9e85f4cf82a6511b49cfcdd9e4521b17f7e245f005e18418176ff4aa']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T12:50:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718cc84-0dc4-4f65-bbaa-4c79950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:50:12.000Z", "modified": "2016-04-21T12:50:12.000Z", "description": "Bedep Pony \u00e2\u20ac\u0153news.php\u00e2\u20ac\u009d - (December 2015)", "pattern": "[file:hashes.MD5 = '70a377690917a98e6ee682f7941eb565']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T12:50:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { 
"type": "indicator", "spec_version": "2.1", "id": "indicator--5718cc84-6a50-40aa-853e-465a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:50:12.000Z", "modified": "2016-04-21T12:50:12.000Z", "description": "Bedep Pony \u00e2\u20ac\u0153news.php\u00e2\u20ac\u009d - (December 2015)", "pattern": "[file:hashes.SHA256 = 'ad3cc219a818047d6d3c38a8e4662e21dfedc858578cb2bde2c127d66dfeb7de']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T12:50:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718cc84-3584-49c1-8236-4601950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:50:12.000Z", "modified": "2016-04-21T12:50:12.000Z", "description": "Reveton - 2015-04-14", "pattern": "[file:hashes.MD5 = '728733095fe2c66f91a19ebde412dd25']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T12:50:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718cc84-2eac-4ccf-a8c7-4c04950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T12:50:12.000Z", "modified": "2016-04-21T12:50:12.000Z", "description": "Reveton - 2015-04-14", "pattern": "[file:hashes.SHA256 = 'dff7c0aac326f210705e4f53cd78a57cb277e80ecec7bdffd6f68db3bdda39c3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T12:50:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", 
"misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718ec08-17e8-4e4f-bc91-4dc002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:04:40.000Z", "modified": "2016-04-21T15:04:40.000Z", "description": "Reveton - 2015-04-14 - Xchecked via VT: dff7c0aac326f210705e4f53cd78a57cb277e80ecec7bdffd6f68db3bdda39c3", "pattern": "[file:hashes.SHA1 = 'fd1ae96536ef9f29f336425b83022d2beab767a2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T15:04:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5718ec09-0a94-4850-95dd-42e402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:04:41.000Z", "modified": "2016-04-21T15:04:41.000Z", "first_observed": "2016-04-21T15:04:41Z", "last_observed": "2016-04-21T15:04:41Z", "number_observed": 1, "object_refs": [ "url--5718ec09-0a94-4850-95dd-42e402de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5718ec09-0a94-4850-95dd-42e402de0b81", "value": "https://www.virustotal.com/file/dff7c0aac326f210705e4f53cd78a57cb277e80ecec7bdffd6f68db3bdda39c3/analysis/1461131947/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718ec09-9708-4e77-b8e1-444c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:04:41.000Z", "modified": "2016-04-21T15:04:41.000Z", "description": "Bedep Pony \u00e2\u20ac\u0153news.php\u00e2\u20ac\u009d - (December 2015) - Xchecked via VT: ad3cc219a818047d6d3c38a8e4662e21dfedc858578cb2bde2c127d66dfeb7de", "pattern": "[file:hashes.SHA1 = 
'246b1e0d01772a47a5f2032c8642d33d47a11c57']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T15:04:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5718ec09-a8b8-47fa-b41a-481102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:04:41.000Z", "modified": "2016-04-21T15:04:41.000Z", "first_observed": "2016-04-21T15:04:41Z", "last_observed": "2016-04-21T15:04:41Z", "number_observed": 1, "object_refs": [ "url--5718ec09-a8b8-47fa-b41a-481102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5718ec09-a8b8-47fa-b41a-481102de0b81", "value": "https://www.virustotal.com/file/ad3cc219a818047d6d3c38a8e4662e21dfedc858578cb2bde2c127d66dfeb7de/analysis/1461131953/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718ec0a-a808-4a5b-8dd6-4de802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:04:42.000Z", "modified": "2016-04-21T15:04:42.000Z", "description": "Bedep Pony \u201cnews.php\u201d - (May 2015) - Xchecked via VT: 59ddf36a9e85f4cf82a6511b49cfcdd9e4521b17f7e245f005e18418176ff4aa", "pattern": "[file:hashes.SHA1 = '0487c3856c5e44d3a5c2dcee29c63cb644a4fc52']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T15:04:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5718ec0a-e65c-4944-ba24-415f02de0b81", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:04:42.000Z", "modified": "2016-04-21T15:04:42.000Z", "first_observed": "2016-04-21T15:04:42Z", "last_observed": "2016-04-21T15:04:42Z", "number_observed": 1, "object_refs": [ "url--5718ec0a-e65c-4944-ba24-415f02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5718ec0a-e65c-4944-ba24-415f02de0b81", "value": "https://www.virustotal.com/file/59ddf36a9e85f4cf82a6511b49cfcdd9e4521b17f7e245f005e18418176ff4aa/analysis/1461131974/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718ec0b-1cfc-449d-8b92-439602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:04:42.000Z", "modified": "2016-04-21T15:04:42.000Z", "description": "Bedep \u201cPrivate stealer\u201d - Xchecked via VT: 5bfae47c9fda81243b50b6df53ac4184d90a70000894fa2a516044fa44770cfd", "pattern": "[file:hashes.SHA1 = 'b4e17ebe8b07727e7ce6ae8580b97d1129e7c6ce']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T15:04:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5718ec0b-2f3c-4ce3-a20e-489e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:04:43.000Z", "modified": "2016-04-21T15:04:43.000Z", "first_observed": "2016-04-21T15:04:43Z", "last_observed": "2016-04-21T15:04:43Z", "number_observed": 1, "object_refs": [ "url--5718ec0b-2f3c-4ce3-a20e-489e02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5718ec0b-2f3c-4ce3-a20e-489e02de0b81", "value": 
"https://www.virustotal.com/file/5bfae47c9fda81243b50b6df53ac4184d90a70000894fa2a516044fa44770cfd/analysis/1461163306/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718ec0b-991c-4adf-83ad-4f5402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:04:43.000Z", "modified": "2016-04-21T15:04:43.000Z", "description": "Bedep \u201cPrivate stealer\u201d - Xchecked via VT: eaa857c95fca38ca08411b757f4ad2a841cfb9782deca8abf64aada445923c0d", "pattern": "[file:hashes.SHA1 = '87d7a85b4ea7d4041ade140576b4d6fd2c5aa403']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T15:04:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5718ec0c-9290-4654-8052-441e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:04:44.000Z", "modified": "2016-04-21T15:04:44.000Z", "first_observed": "2016-04-21T15:04:44Z", "last_observed": "2016-04-21T15:04:44Z", "number_observed": 1, "object_refs": [ "url--5718ec0c-9290-4654-8052-441e02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5718ec0c-9290-4654-8052-441e02de0b81", "value": "https://www.virustotal.com/file/eaa857c95fca38ca08411b757f4ad2a841cfb9782deca8abf64aada445923c0d/analysis/1461131964/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718ec0c-f468-49fb-9ba3-472f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:04:44.000Z", "modified": "2016-04-21T15:04:44.000Z", "description": "CryptXXX - Xchecked via VT: 0b12584302a5a72f467a08046814593ea505fa397785f1012ab973dd961a6c0e", "pattern": 
"[file:hashes.SHA1 = 'e22678fe4bd0b209b14d5ed061ae61bb52e79df1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T15:04:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5718ec0c-bff4-422c-ab48-403202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:04:44.000Z", "modified": "2016-04-21T15:04:44.000Z", "first_observed": "2016-04-21T15:04:44Z", "last_observed": "2016-04-21T15:04:44Z", "number_observed": 1, "object_refs": [ "url--5718ec0c-bff4-422c-ab48-403202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5718ec0c-bff4-422c-ab48-403202de0b81", "value": "https://www.virustotal.com/file/0b12584302a5a72f467a08046814593ea505fa397785f1012ab973dd961a6c0e/analysis/1461160828/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718ec0d-4f74-4871-b896-43a102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:04:45.000Z", "modified": "2016-04-21T15:04:45.000Z", "description": "CryptXXX - Xchecked via VT: 565dadb36e1d8b0c787d0d5e4cd7ec8c24cac1d6b37637427547ae465ab0fff0", "pattern": "[file:hashes.SHA1 = '0a1d2182f272ff4e4321b41f6bf65f8320d9e88c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T15:04:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5718ec0d-2b70-41f4-87f7-445902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2016-04-21T15:04:45.000Z", "modified": "2016-04-21T15:04:45.000Z", "first_observed": "2016-04-21T15:04:45Z", "last_observed": "2016-04-21T15:04:45Z", "number_observed": 1, "object_refs": [ "url--5718ec0d-2b70-41f4-87f7-445902de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5718ec0d-2b70-41f4-87f7-445902de0b81", "value": "https://www.virustotal.com/file/565dadb36e1d8b0c787d0d5e4cd7ec8c24cac1d6b37637427547ae465ab0fff0/analysis/1461162322/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718ec0e-d908-428b-bba4-4c4802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:04:46.000Z", "modified": "2016-04-21T15:04:46.000Z", "description": "CryptXXX - Xchecked via VT: a4e9c151a50595b59e787dd3b361ac53d02dd7f212d6b22639dc01776c886d05", "pattern": "[file:hashes.SHA1 = 'cfb97a66c90bff92b5d72eb9e81b2e9d8013b66d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T15:04:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5718ec0e-22f0-48d2-b7bb-499102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:04:46.000Z", "modified": "2016-04-21T15:04:46.000Z", "first_observed": "2016-04-21T15:04:46Z", "last_observed": "2016-04-21T15:04:46Z", "number_observed": 1, "object_refs": [ "url--5718ec0e-22f0-48d2-b7bb-499102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5718ec0e-22f0-48d2-b7bb-499102de0b81", "value": "https://www.virustotal.com/file/a4e9c151a50595b59e787dd3b361ac53d02dd7f212d6b22639dc01776c886d05/analysis/1461225821/" }, { "type": 
"indicator", "spec_version": "2.1", "id": "indicator--5718ec0e-5244-4e01-814e-401c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:04:46.000Z", "modified": "2016-04-21T15:04:46.000Z", "description": "Bedep 1809 update stream dll3 - Xchecked via VT: e53610a977b65c01b275e37aefad7884368dfe00b50750e35b6c8c87556a2c06", "pattern": "[file:hashes.SHA1 = '93e9e42eba18e83811b4e9858be5cd09b9c50e5d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T15:04:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5718ec0f-30f8-402c-bda5-4aba02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:04:47.000Z", "modified": "2016-04-21T15:04:47.000Z", "first_observed": "2016-04-21T15:04:47Z", "last_observed": "2016-04-21T15:04:47Z", "number_observed": 1, "object_refs": [ "url--5718ec0f-30f8-402c-bda5-4aba02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5718ec0f-30f8-402c-bda5-4aba02de0b81", "value": "https://www.virustotal.com/file/e53610a977b65c01b275e37aefad7884368dfe00b50750e35b6c8c87556a2c06/analysis/1461164621/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718ec0f-a46c-4586-9ce8-484902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:04:47.000Z", "modified": "2016-04-21T15:04:47.000Z", "description": "Bedep 1809 update stream dll1 || Bedep 1809 update stream exe2 - Dridex 222 - Xchecked via VT: 1036c84a003378907560356642bb065caef961f9dbc5c3b2a4954d5cbe7100df", "pattern": "[file:hashes.SHA1 = '92a35105a3cf19a183ef9ca9e66cb9063fffecf1']", "pattern_type": "stix", 
"pattern_version": "2.1", "valid_from": "2016-04-21T15:04:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5718ec0f-b980-4e86-bc98-468602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:04:47.000Z", "modified": "2016-04-21T15:04:47.000Z", "first_observed": "2016-04-21T15:04:47Z", "last_observed": "2016-04-21T15:04:47Z", "number_observed": 1, "object_refs": [ "url--5718ec0f-b980-4e86-bc98-468602de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5718ec0f-b980-4e86-bc98-468602de0b81", "value": "https://www.virustotal.com/file/1036c84a003378907560356642bb065caef961f9dbc5c3b2a4954d5cbe7100df/analysis/1461131970/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718ec10-4cf4-44af-9f1d-4e9f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:04:48.000Z", "modified": "2016-04-21T15:04:48.000Z", "description": "Bedep 1809 first stream dll CryptXXX - Xchecked via VT: ab7a58b6e50be6b9bcb926c550ff26669601bbd8bfd922a5b32756e663b25a67", "pattern": "[file:hashes.SHA1 = 'd3f6bd8b57a8c353fd3f25d66e0690d9f578d35e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T15:04:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5718ec10-c750-4490-958d-427902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:04:48.000Z", "modified": 
"2016-04-21T15:04:48.000Z", "first_observed": "2016-04-21T15:04:48Z", "last_observed": "2016-04-21T15:04:48Z", "number_observed": 1, "object_refs": [ "url--5718ec10-c750-4490-958d-427902de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5718ec10-c750-4490-958d-427902de0b81", "value": "https://www.virustotal.com/file/ab7a58b6e50be6b9bcb926c550ff26669601bbd8bfd922a5b32756e663b25a67/analysis/1461226696/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718ec11-7160-45ce-aa3c-4f8f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:04:49.000Z", "modified": "2016-04-21T15:04:49.000Z", "description": "Zip archive with most of the mentioned content - Xchecked via VT: 41dbbc60b8921709c5eb187cf03e60701e3b172e6deebdb67dd66c8cb3666b90", "pattern": "[file:hashes.SHA1 = '8b2771240fdcb3ca11c0ea1b77a313484154a85f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T15:04:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5718ec11-c674-4178-8bb7-48bb02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:04:49.000Z", "modified": "2016-04-21T15:04:49.000Z", "first_observed": "2016-04-21T15:04:49Z", "last_observed": "2016-04-21T15:04:49Z", "number_observed": 1, "object_refs": [ "url--5718ec11-c674-4178-8bb7-48bb02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5718ec11-c674-4178-8bb7-48bb02de0b81", "value": "https://www.virustotal.com/file/41dbbc60b8921709c5eb187cf03e60701e3b172e6deebdb67dd66c8cb3666b90/analysis/1461162315/" }, { "type": 
"indicator", "spec_version": "2.1", "id": "indicator--5718ec11-4c84-4afb-818a-43a402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:04:49.000Z", "modified": "2016-04-21T15:04:49.000Z", "description": "Bedep 1809 update stream exe2 - Dridex 222 - Xchecked via VT: 3e75e8238a6bbd8817164658696198af", "pattern": "[file:hashes.SHA256 = '669ae51d73a3fac117ec39195efb969cb41a16fadecfe412ad83b767b25ae2ae']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T15:04:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5718ec12-bb6c-4b99-b685-470b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:04:50.000Z", "modified": "2016-04-21T15:04:50.000Z", "description": "Bedep 1809 update stream exe2 - Dridex 222 - Xchecked via VT: 3e75e8238a6bbd8817164658696198af", "pattern": "[file:hashes.SHA1 = '3c0246b41063f5ea26de9d96301774836270eff3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-04-21T15:04:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5718ec12-fd54-4b04-8e9f-4e0f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-04-21T15:04:50.000Z", "modified": "2016-04-21T15:04:50.000Z", "first_observed": "2016-04-21T15:04:50Z", "last_observed": "2016-04-21T15:04:50Z", "number_observed": 1, "object_refs": [ "url--5718ec12-fd54-4b04-8e9f-4e0f02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", 
"spec_version": "2.1", "id": "url--5718ec12-fd54-4b04-8e9f-4e0f02de0b81", "value": "https://www.virustotal.com/file/669ae51d73a3fac117ec39195efb969cb41a16fadecfe412ad83b767b25ae2ae/analysis/1461160978/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }