{ "type": "bundle", "id": "bundle--57aaeefd-0bd4-4a41-87ad-4e17950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-10T09:40:36.000Z", "modified": "2016-08-10T09:40:36.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--57aaeefd-0bd4-4a41-87ad-4e17950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-10T09:40:36.000Z", "modified": "2016-08-10T09:40:36.000Z", "name": "OSINT - Cracking Orcus RAT", "published": "2016-08-10T09:50:13Z", "object_refs": [ "observed-data--57aaef08-62dc-4948-ac44-473b950d210f", "url--57aaef08-62dc-4948-ac44-473b950d210f", "x-misp-attribute--57aaef3b-655c-4274-a59d-4572950d210f", "indicator--57aaef5f-1808-4585-a00b-497c950d210f", "indicator--57aaf016-8cf0-439a-b2a6-441002de0b81", "indicator--57aaf016-ac94-4574-ba76-4b6a02de0b81", "observed-data--57aaf016-ade0-4582-afcc-4d4602de0b81", "url--57aaf016-ade0-4582-afcc-4d4602de0b81", "observed-data--57aaf05f-b420-419c-bcc6-477d950d210f", "url--57aaf05f-b420-419c-bcc6-477d950d210f", "indicator--57aaf0e6-c11c-4aa5-99a0-4293950d210f", "indicator--57aaf0e7-6fec-409e-9459-46ee950d210f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "ms-caro-malware:malware-type=\"RemoteAccess\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57aaef08-62dc-4948-ac44-473b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-10T09:08:23.000Z", "modified": "2016-08-10T09:08:23.000Z", "first_observed": "2016-08-10T09:08:23Z", "last_observed": "2016-08-10T09:08:23Z", "number_observed": 1, "object_refs": [ "url--57aaef08-62dc-4948-ac44-473b950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57aaef08-62dc-4948-ac44-473b950d210f", 
"value": "http://blog.deniable.org/blog/2016/08/09/cracking-orcus-rat/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--57aaef3b-655c-4274-a59d-4572950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-10T09:09:15.000Z", "modified": "2016-08-10T09:09:15.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "At first I thought I could be dealing with someone trying to \u2018phish\u2019 me, but the offer was legit. Challenge accepted. The zip file I got is for version 1.4.2 (which is the latest version available at the \u2018Orcus RAT\u2019 website, at the time of this writing). The zip file is massive. Here\u2019s the whole contents of the zip file." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57aaef5f-1808-4585-a00b-497c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-10T09:09:51.000Z", "modified": "2016-08-10T09:09:51.000Z", "description": "Orcus.Administration.exe", "pattern": "[file:hashes.SHA256 = '4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-10T09:09:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57aaf016-8cf0-439a-b2a6-441002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-10T09:12:54.000Z", "modified": "2016-08-10T09:12:54.000Z", "description": "Orcus.Administration.exe - Xchecked via VT: 4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea", "pattern": 
"[file:hashes.SHA1 = 'ea6d05abfce77d01a1a039c8bc97f973b6780f07']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-10T09:12:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57aaf016-ac94-4574-ba76-4b6a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-10T09:12:54.000Z", "modified": "2016-08-10T09:12:54.000Z", "description": "Orcus.Administration.exe - Xchecked via VT: 4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea", "pattern": "[file:hashes.MD5 = 'd2140d8c9eb3889dee164f09014380d7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-10T09:12:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57aaf016-ade0-4582-afcc-4d4602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-10T09:12:54.000Z", "modified": "2016-08-10T09:12:54.000Z", "first_observed": "2016-08-10T09:12:54Z", "last_observed": "2016-08-10T09:12:54Z", "number_observed": 1, "object_refs": [ "url--57aaf016-ade0-4582-afcc-4d4602de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57aaf016-ade0-4582-afcc-4d4602de0b81", "value": "https://www.virustotal.com/file/4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea/analysis/1467970246/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57aaf05f-b420-419c-bcc6-477d950d210f", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-10T09:14:07.000Z", "modified": "2016-08-10T09:14:07.000Z", "first_observed": "2016-08-10T09:14:07Z", "last_observed": "2016-08-10T09:14:07Z", "number_observed": 1, "object_refs": [ "url--57aaf05f-b420-419c-bcc6-477d950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57aaf05f-b420-419c-bcc6-477d950d210f", "value": "http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57aaf0e6-c11c-4aa5-99a0-4293950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-10T09:16:22.000Z", "modified": "2016-08-10T09:16:22.000Z", "description": "Sample", "pattern": "[file:name = '4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea' AND file:hashes.SHA1 = 'ea6d05abfce77d01a1a039c8bc97f973b6780f07']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-10T09:16:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"filename|sha1\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57aaf0e7-6fec-409e-9459-46ee950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-10T09:16:23.000Z", "modified": "2016-08-10T09:16:23.000Z", "description": "Sample", "pattern": "[file:name = '4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea' AND file:hashes.SHA256 = '4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-10T09:16:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ 
"misp:type=\"filename|sha256\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] } ] }