{ "type": "bundle", "id": "bundle--572f0929-9b8c-42de-adc6-450202de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T12:11:34.000Z", "modified": "2016-05-08T12:11:34.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--572f0929-9b8c-42de-adc6-450202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T12:11:34.000Z", "modified": "2016-05-08T12:11:34.000Z", "name": "OSINT - New Infostealer Trojan uses Fiddler Proxy & Json.NET", "published": "2016-05-08T14:30:36Z", "object_refs": [ "observed-data--572f0959-382c-40fd-a1ef-417802de0b81", "url--572f0959-382c-40fd-a1ef-417802de0b81", "x-misp-attribute--572f096a-b6e4-4a00-a516-4b5202de0b81", "indicator--572f0994-2888-4cb2-bef4-4cdc02de0b81", "indicator--572f0994-1398-43d7-a3c7-40f302de0b81", "indicator--572f0994-b168-4cec-ae39-44a802de0b81", "indicator--572f0995-4b48-4a6a-b4e5-488a02de0b81", "indicator--572f0995-32bc-4e5f-9a94-4dd502de0b81", "indicator--572f0995-0434-4e12-bb42-497502de0b81", "indicator--572f09a5-abf4-4a2c-8adf-4a2802de0b81", "indicator--572f09a5-19cc-4ae4-8937-41d802de0b81", "observed-data--572f09a6-a9f0-4f63-b764-40b102de0b81", "url--572f09a6-a9f0-4f63-b764-40b102de0b81", "indicator--572f09a6-d610-4e53-8d4b-48cb02de0b81", "indicator--572f09a6-87ec-4208-938d-40ce02de0b81", "observed-data--572f09a7-d788-4203-882c-423f02de0b81", "url--572f09a7-d788-4203-882c-423f02de0b81", "indicator--572f09a7-9a88-42fe-b27d-41ca02de0b81", "indicator--572f09a7-4cec-4efe-a023-4dc702de0b81", "observed-data--572f09a8-0d5c-4d48-ad67-469602de0b81", "url--572f09a8-0d5c-4d48-ad67-469602de0b81", "indicator--572f09a8-51cc-43de-ab98-4ffa02de0b81", "indicator--572f09a8-1ed0-48e0-b1ac-42e202de0b81", "observed-data--572f09a9-ec50-477e-81f2-4fd302de0b81", "url--572f09a9-ec50-477e-81f2-4fd302de0b81", "indicator--572f09a9-b624-4ab2-9562-4df802de0b81", "indicator--572f09a9-0000-4636-8c8a-4ff802de0b81", "observed-data--572f09aa-7b58-46ee-87ef-411b02de0b81", "url--572f09aa-7b58-46ee-87ef-411b02de0b81", "indicator--572f09aa-40a0-4602-9f82-4fac02de0b81", "indicator--572f09aa-a274-4fec-9a5c-4e8f02de0b81", "observed-data--572f09ab-ff50-46d6-b513-447002de0b81", "url--572f09ab-ff50-46d6-b513-447002de0b81", "indicator--572f09ca-4264-41c4-8427-448a02de0b81", "indicator--572f09cb-5de8-455e-8cae-4a6f02de0b81", "indicator--572f09cb-d388-4330-9fef-49ae02de0b81", "indicator--572f09cb-4d0c-43b9-81b0-444902de0b81", "indicator--572f09cc-f888-45d5-804d-492302de0b81", "x-misp-attribute--572f09eb-6ed0-4642-a2bb-4bb102de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "circl:topic=\"finance\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--572f0959-382c-40fd-a1ef-417802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T09:39:37.000Z", "modified": "2016-05-08T09:39:37.000Z", "first_observed": "2016-05-08T09:39:37Z", "last_observed": "2016-05-08T09:39:37Z", "number_observed": 1, "object_refs": [ "url--572f0959-382c-40fd-a1ef-417802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--572f0959-382c-40fd-a1ef-417802de0b81", "value": "https://www.zscaler.com/blogs/research/new-infostealer-trojan-uses-fiddler-proxy-jsonnet" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--572f096a-b6e4-4a00-a516-4b5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T09:39:54.000Z", "modified": "2016-05-08T09:39:54.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "Zscaler ThreatLabZ came across a new Infostealer Trojan written in .NET that utilizes popular tools like Fiddler & Json.NET for its operation. In April, the new Infostealer family of Spanish origin was first noted targeting users in the U.S. and Mexico.\r\n\r\nThe malware authors are currently targeting users of Mexico's second largest bank, Banamex, but it is capable of updating the configuration file to include more financial institutions." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572f0994-2888-4cb2-bef4-4cdc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T09:40:36.000Z", "modified": "2016-05-08T09:40:36.000Z", "description": "Infostealer installer payload", "pattern": "[file:hashes.MD5 = '123f4c1d2d3d691c2427aca42289fe85']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T09:40:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572f0994-1398-43d7-a3c7-40f302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T09:40:36.000Z", "modified": "2016-05-08T09:40:36.000Z", "description": "Infostealer installer payload", "pattern": "[file:hashes.MD5 = '070ab6aa63e658ff8a56ea05426a71b4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T09:40:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572f0994-b168-4cec-ae39-44a802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T09:40:36.000Z", "modified": "2016-05-08T09:40:36.000Z", "description": "Infostealer installer payload", "pattern": "[file:hashes.MD5 = 'ac6027d316070dc6d2fd3b273162f2ee']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T09:40:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572f0995-4b48-4a6a-b4e5-488a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T09:40:37.000Z", "modified": "2016-05-08T09:40:37.000Z", "description": "Infostealer installer payload", "pattern": "[file:hashes.MD5 = '98bbc1917613c4a73b1fe35e3ba9a8d9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T09:40:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572f0995-32bc-4e5f-9a94-4dd502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T09:40:37.000Z", "modified": "2016-05-08T09:40:37.000Z", "description": "Infostealer installer payload", "pattern": "[file:hashes.MD5 = '06f3da0adf8a18679d51c6adaa100bd4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T09:40:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572f0995-0434-4e12-bb42-497502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T09:40:37.000Z", "modified": "2016-05-08T09:40:37.000Z", "description": "Infostealer installer payload", "pattern": "[file:hashes.MD5 = '8c9896440fb0c8f2d36aff0382c9c2e4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T09:40:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572f09a5-abf4-4a2c-8adf-4a2802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T09:40:53.000Z", "modified": "2016-05-08T09:40:53.000Z", "description": "Infostealer installer payload - Xchecked via VT: 8c9896440fb0c8f2d36aff0382c9c2e4", "pattern": "[file:hashes.SHA256 = 'fe7da12c96c2be9c0ab8e1ad3a069787be50d138e7c9b96ba73803b0ed8dd401']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T09:40:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572f09a5-19cc-4ae4-8937-41d802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T09:40:53.000Z", "modified": "2016-05-08T09:40:53.000Z", "description": "Infostealer installer payload - Xchecked via VT: 8c9896440fb0c8f2d36aff0382c9c2e4", "pattern": "[file:hashes.SHA1 = '5fdf01ca8ae47bdd65a2423e0ac7bfb9d80ef73e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T09:40:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--572f09a6-a9f0-4f63-b764-40b102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T09:40:54.000Z", "modified": "2016-05-08T09:40:54.000Z", "first_observed": "2016-05-08T09:40:54Z", "last_observed": "2016-05-08T09:40:54Z", "number_observed": 1, "object_refs": [ "url--572f09a6-a9f0-4f63-b764-40b102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--572f09a6-a9f0-4f63-b764-40b102de0b81", "value": "https://www.virustotal.com/file/fe7da12c96c2be9c0ab8e1ad3a069787be50d138e7c9b96ba73803b0ed8dd401/analysis/1462520987/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572f09a6-d610-4e53-8d4b-48cb02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T09:40:54.000Z", "modified": "2016-05-08T09:40:54.000Z", "description": "Infostealer installer payload - Xchecked via VT: 06f3da0adf8a18679d51c6adaa100bd4", "pattern": "[file:hashes.SHA256 = '66d1130a801e0f698d38af5e597c3607415fd33902ab8516984b4e398e4f7baf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T09:40:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572f09a6-87ec-4208-938d-40ce02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T09:40:54.000Z", "modified": "2016-05-08T09:40:54.000Z", "description": "Infostealer installer payload - Xchecked via VT: 06f3da0adf8a18679d51c6adaa100bd4", "pattern": "[file:hashes.SHA1 = '8182d4eb88e9958039438c72e9b872d21e8af1d8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T09:40:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--572f09a7-d788-4203-882c-423f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T09:40:55.000Z", "modified": "2016-05-08T09:40:55.000Z", "first_observed": "2016-05-08T09:40:55Z", "last_observed": "2016-05-08T09:40:55Z", "number_observed": 1, "object_refs": [ "url--572f09a7-d788-4203-882c-423f02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--572f09a7-d788-4203-882c-423f02de0b81", "value": "https://www.virustotal.com/file/66d1130a801e0f698d38af5e597c3607415fd33902ab8516984b4e398e4f7baf/analysis/1462538557/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572f09a7-9a88-42fe-b27d-41ca02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T09:40:55.000Z", "modified": "2016-05-08T09:40:55.000Z", "description": "Infostealer installer payload - Xchecked via VT: 98bbc1917613c4a73b1fe35e3ba9a8d9", "pattern": "[file:hashes.SHA256 = '9bf35a7318909b7eea0cc2a8201d378bbd35559a2399a0107017a902bd3bcc43']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T09:40:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572f09a7-4cec-4efe-a023-4dc702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T09:40:55.000Z", "modified": "2016-05-08T09:40:55.000Z", "description": "Infostealer installer payload - Xchecked via VT: 98bbc1917613c4a73b1fe35e3ba9a8d9", "pattern": "[file:hashes.SHA1 = '42bfe35afbcea775d5bdbc8bfeb25e928f76d4b7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T09:40:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--572f09a8-0d5c-4d48-ad67-469602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T09:40:56.000Z", "modified": "2016-05-08T09:40:56.000Z", "first_observed": "2016-05-08T09:40:56Z", "last_observed": "2016-05-08T09:40:56Z", "number_observed": 1, "object_refs": [ "url--572f09a8-0d5c-4d48-ad67-469602de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--572f09a8-0d5c-4d48-ad67-469602de0b81", "value": "https://www.virustotal.com/file/9bf35a7318909b7eea0cc2a8201d378bbd35559a2399a0107017a902bd3bcc43/analysis/1462525662/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572f09a8-51cc-43de-ab98-4ffa02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T09:40:56.000Z", "modified": "2016-05-08T09:40:56.000Z", "description": "Infostealer installer payload - Xchecked via VT: ac6027d316070dc6d2fd3b273162f2ee", "pattern": "[file:hashes.SHA256 = '87ddb2c79b9edc81443f5df5a6fb57101fba35dfcfb86a2c2bbfb08884dcf6e6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T09:40:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572f09a8-1ed0-48e0-b1ac-42e202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T09:40:56.000Z", "modified": "2016-05-08T09:40:56.000Z", "description": "Infostealer installer payload - Xchecked via VT: ac6027d316070dc6d2fd3b273162f2ee", "pattern": "[file:hashes.SHA1 = '1733cac501b28a6498a69d3f8fc24e0cc58b7cbb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T09:40:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--572f09a9-ec50-477e-81f2-4fd302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T09:40:57.000Z", "modified": "2016-05-08T09:40:57.000Z", "first_observed": "2016-05-08T09:40:57Z", "last_observed": "2016-05-08T09:40:57Z", "number_observed": 1, "object_refs": [ "url--572f09a9-ec50-477e-81f2-4fd302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--572f09a9-ec50-477e-81f2-4fd302de0b81", "value": "https://www.virustotal.com/file/87ddb2c79b9edc81443f5df5a6fb57101fba35dfcfb86a2c2bbfb08884dcf6e6/analysis/1462004459/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572f09a9-b624-4ab2-9562-4df802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T09:40:57.000Z", "modified": "2016-05-08T09:40:57.000Z", "description": "Infostealer installer payload - Xchecked via VT: 070ab6aa63e658ff8a56ea05426a71b4", "pattern": "[file:hashes.SHA256 = 'be6cbe01f409d3299c20e87dd6bc0ede12a7cb2b9abfb20241f46df210a57241']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T09:40:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572f09a9-0000-4636-8c8a-4ff802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T09:40:57.000Z", "modified": "2016-05-08T09:40:57.000Z", "description": "Infostealer installer payload - Xchecked via VT: 070ab6aa63e658ff8a56ea05426a71b4", "pattern": "[file:hashes.SHA1 = '8e5029121123c46bd673119e9dfe93f40d6f3b32']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T09:40:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--572f09aa-7b58-46ee-87ef-411b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T09:40:58.000Z", "modified": "2016-05-08T09:40:58.000Z", "first_observed": "2016-05-08T09:40:58Z", "last_observed": "2016-05-08T09:40:58Z", "number_observed": 1, "object_refs": [ "url--572f09aa-7b58-46ee-87ef-411b02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--572f09aa-7b58-46ee-87ef-411b02de0b81", "value": "https://www.virustotal.com/file/be6cbe01f409d3299c20e87dd6bc0ede12a7cb2b9abfb20241f46df210a57241/analysis/1462552657/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572f09aa-40a0-4602-9f82-4fac02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T09:40:58.000Z", "modified": "2016-05-08T09:40:58.000Z", "description": "Infostealer installer payload - Xchecked via VT: 123f4c1d2d3d691c2427aca42289fe85", "pattern": "[file:hashes.SHA256 = 'ac93f5fdc3b2ca4708794e19642e565d06912613499bbb2f48c174a20e3db8d3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T09:40:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572f09aa-a274-4fec-9a5c-4e8f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T09:40:58.000Z", "modified": "2016-05-08T09:40:58.000Z", "description": "Infostealer installer payload - Xchecked via VT: 123f4c1d2d3d691c2427aca42289fe85", "pattern": "[file:hashes.SHA1 = 'ad56435e072b8c9da6cf8c0ed9ccedec9dd0bbb3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T09:40:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--572f09ab-ff50-46d6-b513-447002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T09:40:59.000Z", "modified": "2016-05-08T09:40:59.000Z", "first_observed": "2016-05-08T09:40:59Z", "last_observed": "2016-05-08T09:40:59Z", "number_observed": 1, "object_refs": [ "url--572f09ab-ff50-46d6-b513-447002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--572f09ab-ff50-46d6-b513-447002de0b81", "value": "https://www.virustotal.com/file/ac93f5fdc3b2ca4708794e19642e565d06912613499bbb2f48c174a20e3db8d3/analysis/1462552657/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572f09ca-4264-41c4-8427-448a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T09:41:30.000Z", "modified": "2016-05-08T09:41:30.000Z", "description": "Sample URLs that we have seen serving installer payloads in last two weeks", "pattern": "[url:value = 'cigm.co/js/slick/curp.pdf.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T09:41:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572f09cb-5de8-455e-8cae-4a6f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T09:41:31.000Z", "modified": "2016-05-08T09:41:31.000Z", "description": "Sample URLs that we have seen serving installer payloads in last two weeks", "pattern": "[url:value = 'saysa.com.co/js/rfc.pdf.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T09:41:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572f09cb-d388-4330-9fef-49ae02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T09:41:31.000Z", "modified": "2016-05-08T09:41:31.000Z", "description": "Sample URLs that we have seen serving installer payloads in last two weeks", "pattern": "[url:value = 'saysa.com.co/js/curp.pdf.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T09:41:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572f09cb-4d0c-43b9-81b0-444902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T09:41:31.000Z", "modified": "2016-05-08T09:41:31.000Z", "description": "Sample URLs that we have seen serving installer payloads in last two weeks", "pattern": "[url:value = 'bestdentalimplants.co.in/js/curp.pdf.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T09:41:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572f09cc-f888-45d5-804d-492302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T09:41:32.000Z", "modified": "2016-05-08T09:41:32.000Z", "description": "Sample URLs that we have seen serving installer payloads in last two weeks", "pattern": "[url:value = 'denticenter.com.co/js/slick/curp.pdf.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T09:41:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--572f09eb-6ed0-4642-a2bb-4bb102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T09:42:03.000Z", "modified": "2016-05-08T09:42:03.000Z", "labels": [ "misp:type=\"target-org\"", "misp:category=\"Targeting data\"" ], "x_misp_category": "Targeting data", "x_misp_type": "target-org", "x_misp_value": "Banamex" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }