{ "type": "bundle", "id": "bundle--58503e2f-4c78-442d-833f-8ad202de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:38.000Z", "modified": "2016-12-13T18:38:38.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--58503e2f-4c78-442d-833f-8ad202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:38.000Z", "modified": "2016-12-13T18:38:38.000Z", "name": "OSINT - The rise of TeleBots: Analyzing disruptive KillDisk attacks", "published": "2016-12-13T18:41:32Z", "object_refs": [ "x-misp-attribute--58503e41-62e8-4280-b09c-467402de0b81", "observed-data--58503e4e-56bc-45a0-8a80-e8a002de0b81", "url--58503e4e-56bc-45a0-8a80-e8a002de0b81", "indicator--58503e62-222c-4236-aa34-e8a002de0b81", "indicator--58503e63-0a98-4f7b-a6d3-e8a002de0b81", "indicator--58503e73-ef34-4b46-9215-e8ac02de0b81", "indicator--58503e73-66cc-42cd-8dd1-e8ac02de0b81", "indicator--58503e83-6230-4797-8a91-c7c302de0b81", "indicator--58503e97-84e4-4fe5-a7cc-4ab602de0b81", "indicator--58503e97-041c-4ebf-9541-479202de0b81", "indicator--58503ea6-c204-49fc-9ea6-e8a402de0b81", "indicator--58503eb8-4cac-48aa-b1e7-458d02de0b81", "indicator--58503eb8-928c-4b35-a948-4f4b02de0b81", "indicator--58503eb9-06f8-44a2-9940-418602de0b81", "indicator--58503ec5-1a14-4455-a56f-49ec02de0b81", "indicator--58503ec5-eab8-42f1-ba84-461c02de0b81", "indicator--58503ed8-ce04-4ac2-a419-469502de0b81", "indicator--58503ed9-b6d4-4688-ba83-476b02de0b81", "indicator--58503ed9-66b8-4518-846f-47aa02de0b81", "indicator--58503eda-0d74-4e8d-a7c3-406702de0b81", "indicator--58503eda-bcf0-4241-91ff-425502de0b81", "indicator--58503eee-5734-415d-a834-44bd02de0b81", "indicator--58503eef-e4f4-4565-ba44-4eb702de0b81", "indicator--58503eef-cd30-4c21-9acd-409a02de0b81", "indicator--58503ef0-c93c-41bf-bd4c-405d02de0b81", 
"indicator--58503ef0-6a38-4fa9-b633-4bae02de0b81", "indicator--58503ef1-3d38-46d8-8e58-405a02de0b81", "indicator--58503ef1-eeb0-41eb-8d93-41bf02de0b81", "indicator--58503ef2-bfbc-4cce-bc6a-4ae202de0b81", "indicator--58503ef2-f5cc-48cb-b254-4afe02de0b81", "indicator--58503ef3-1630-4ee5-9791-429502de0b81", "indicator--58503ef3-703c-4518-9dd9-480d02de0b81", "indicator--58503ef4-ecbc-481e-a3e3-4c1702de0b81", "indicator--58503ef4-61c0-4b1a-84d8-41c402de0b81", "indicator--58503ef4-1f20-4beb-b829-4c4d02de0b81", "indicator--58503ef5-9cd4-4623-8d55-4c0602de0b81", "indicator--58503f02-21ec-4514-b5ba-c7c302de0b81", "indicator--58503f14-99ec-4578-b7dd-451502de0b81", "indicator--58503f14-a8bc-4338-be8d-448202de0b81", "observed-data--58503f27-ec78-4a65-abb3-425702de0b81", "domain-name--58503f27-ec78-4a65-abb3-425702de0b81", "observed-data--58503f28-1a5c-46ca-a24e-4a3f02de0b81", "network-traffic--58503f28-1a5c-46ca-a24e-4a3f02de0b81", "ipv4-addr--58503f28-1a5c-46ca-a24e-4a3f02de0b81", "observed-data--58503f28-a918-4725-b7a7-4d4f02de0b81", "domain-name--58503f28-a918-4725-b7a7-4d4f02de0b81", "observed-data--58503f28-747c-4b4a-8cba-4e9902de0b81", "network-traffic--58503f28-747c-4b4a-8cba-4e9902de0b81", "ipv4-addr--58503f28-747c-4b4a-8cba-4e9902de0b81", "observed-data--58503f29-2b9c-4d14-82a6-4dda02de0b81", "network-traffic--58503f29-2b9c-4d14-82a6-4dda02de0b81", "ipv4-addr--58503f29-2b9c-4d14-82a6-4dda02de0b81", "observed-data--58503f29-2fbc-4fbc-8e65-4b0202de0b81", "network-traffic--58503f29-2fbc-4fbc-8e65-4b0202de0b81", "ipv4-addr--58503f29-2fbc-4fbc-8e65-4b0202de0b81", "observed-data--58503f2a-a898-494b-8cfa-480f02de0b81", "network-traffic--58503f2a-a898-494b-8cfa-480f02de0b81", "ipv4-addr--58503f2a-a898-494b-8cfa-480f02de0b81", "observed-data--58503f2a-9d08-4001-93a6-43fc02de0b81", "domain-name--58503f2a-9d08-4001-93a6-43fc02de0b81", "observed-data--58503f2b-c1c4-4de6-b948-4be302de0b81", "network-traffic--58503f2b-c1c4-4de6-b948-4be302de0b81", 
"ipv4-addr--58503f2b-c1c4-4de6-b948-4be302de0b81", "indicator--58503f3a-4414-4e2c-9562-424302de0b81", "indicator--58503f3a-a690-4478-a0ef-4fd602de0b81", "indicator--58503f3b-6e14-4deb-82c4-47c602de0b81", "indicator--5850402e-f8a8-4990-ba17-484002de0b81", "indicator--5850402f-a854-4c2e-af09-431a02de0b81", "observed-data--58504030-569c-417e-a638-49e502de0b81", "url--58504030-569c-417e-a638-49e502de0b81", "indicator--58504030-0760-4dcf-8527-409e02de0b81", "indicator--58504031-ffa8-46c5-9bb6-429f02de0b81", "observed-data--58504031-4490-49ed-854e-429202de0b81", "url--58504031-4490-49ed-854e-429202de0b81", "indicator--58504032-0ec8-49a1-94f3-482b02de0b81", "indicator--58504032-e93c-4675-bb15-4e5b02de0b81", "observed-data--58504033-4cf4-4a9a-a6d3-405302de0b81", "url--58504033-4cf4-4a9a-a6d3-405302de0b81", "indicator--58504033-4f20-4199-af62-440802de0b81", "indicator--58504034-e410-4ff2-ad04-483302de0b81", "observed-data--58504034-db74-413e-a182-4bec02de0b81", "url--58504034-db74-413e-a182-4bec02de0b81", "indicator--58504035-d258-418c-825d-48b102de0b81", "indicator--58504035-8c44-4988-8226-488002de0b81", "observed-data--58504036-c064-4e2c-9d3f-484d02de0b81", "url--58504036-c064-4e2c-9d3f-484d02de0b81", "indicator--58504036-1ce4-46ad-9a87-40f502de0b81", "indicator--58504037-f7ac-43a0-9e31-485f02de0b81", "observed-data--58504037-9f80-4883-8f0d-46b302de0b81", "url--58504037-9f80-4883-8f0d-46b302de0b81", "indicator--58504038-7214-4a85-a564-4ee102de0b81", "indicator--58504038-e2c4-4186-96bf-4f3b02de0b81", "observed-data--58504039-f2d8-419a-936a-4f4602de0b81", "url--58504039-f2d8-419a-936a-4f4602de0b81", "indicator--58504039-15bc-45d6-b60f-4dc602de0b81", "indicator--5850403a-eec4-4723-a1e0-4ff902de0b81", "observed-data--5850403a-fdf0-46d5-abcc-4bf802de0b81", "url--5850403a-fdf0-46d5-abcc-4bf802de0b81", "indicator--5850403b-0c30-4fe4-b6f1-482e02de0b81", "indicator--5850403b-2be0-4103-8f8f-4ceb02de0b81", "observed-data--5850403c-4150-43c1-be39-482502de0b81", 
"url--5850403c-4150-43c1-be39-482502de0b81", "indicator--5850403c-e308-48a9-b780-415702de0b81", "indicator--5850403d-ac3c-4442-a474-4b2f02de0b81", "observed-data--5850403d-507c-4196-b7e7-461702de0b81", "url--5850403d-507c-4196-b7e7-461702de0b81", "indicator--5850403d-6128-4f26-bf07-4fa102de0b81", "indicator--5850403e-5358-4e0c-be49-485202de0b81", "observed-data--5850403e-6d80-44e0-8c42-4b7102de0b81", "url--5850403e-6d80-44e0-8c42-4b7102de0b81", "indicator--5850403f-49bc-4edb-9e43-451502de0b81", "indicator--5850403f-b088-4448-b8aa-4f4702de0b81", "observed-data--58504040-8818-4b41-b6f3-421502de0b81", "url--58504040-8818-4b41-b6f3-421502de0b81", "indicator--58504040-f9a4-4380-87a4-405a02de0b81", "indicator--58504041-d378-4427-aafb-415d02de0b81", "observed-data--58504041-6110-4ca7-be7a-4fd602de0b81", "url--58504041-6110-4ca7-be7a-4fd602de0b81", "indicator--58504042-c64c-4694-a0ff-47b902de0b81", "indicator--58504042-1fa8-423e-87d2-40ee02de0b81", "observed-data--58504043-2dc4-43c6-9623-423f02de0b81", "url--58504043-2dc4-43c6-9623-423f02de0b81", "indicator--58504043-2408-4775-944a-4c1202de0b81", "indicator--58504044-c16c-46f8-87e9-48bb02de0b81", "observed-data--58504044-2238-4999-9bd4-471902de0b81", "url--58504044-2238-4999-9bd4-471902de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "misp-galaxy:threat-actor=\"TeleBots\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--58503e41-62e8-4280-b09c-467402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:30:25.000Z", "modified": "2016-12-13T18:30:25.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "In the second half of 2016, ESET researchers identified a unique malicious toolset that was used in 
targeted cyberattacks against high-value targets in the Ukrainian financial sector. We believe that the main goal of attackers using these tools is cybersabotage. This blog post outlines the details about the campaign that we discovered.\r\n\r\nWe will refer to the gang behind the malware as TeleBots. However it\u2019s important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. In fact, we think that the BlackEnergy group has evolved into the TeleBots group." }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58503e4e-56bc-45a0-8a80-e8a002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:30:38.000Z", "modified": "2016-12-13T18:30:38.000Z", "first_observed": "2016-12-13T18:30:38Z", "last_observed": "2016-12-13T18:30:38Z", "number_observed": 1, "object_refs": [ "url--58503e4e-56bc-45a0-8a80-e8a002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58503e4e-56bc-45a0-8a80-e8a002de0b81", "value": "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58503e62-222c-4236-aa34-e8a002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:30:58.000Z", "modified": "2016-12-13T18:30:58.000Z", "description": "Win32/KillDisk", "pattern": "[file:hashes.SHA1 = '71a2b3f48828e4552637fa9753f0324b7146f3af']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:30:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": 
"indicator", "spec_version": "2.1", "id": "indicator--58503e63-0a98-4f7b-a6d3-e8a002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:30:59.000Z", "modified": "2016-12-13T18:30:59.000Z", "description": "Win32/KillDisk", "pattern": "[file:hashes.SHA1 = '8eb8527562dda552fc6b8827c0ebf50968848f1a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:30:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58503e73-ef34-4b46-9215-e8ac02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:31:15.000Z", "modified": "2016-12-13T18:31:15.000Z", "description": "Intercepter-NG and silent WinPCAP installer", "pattern": "[file:hashes.SHA1 = '64cb897acc37e12e4f49c4da4dfad606b3976225']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:31:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58503e73-66cc-42cd-8dd1-e8ac02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:31:15.000Z", "modified": "2016-12-13T18:31:15.000Z", "description": "Intercepter-NG and silent WinPCAP installer", "pattern": "[file:hashes.SHA1 = 'a0b9a35675153f4933c3e55418b6566e1a5dbf8a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:31:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { 
"type": "indicator", "spec_version": "2.1", "id": "indicator--58503e83-6230-4797-8a91-c7c302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:31:31.000Z", "modified": "2016-12-13T18:31:31.000Z", "description": "Win64/Spy.KeyLogger.G trojan", "pattern": "[file:hashes.SHA1 = '7582de9e93e2f35f9a63b59317eba48846eea4c7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:31:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58503e97-84e4-4fe5-a7cc-4ab602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:31:51.000Z", "modified": "2016-12-13T18:31:51.000Z", "description": "CredRaptor password stealer", "pattern": "[file:hashes.SHA1 = 'fffc20567da4656059860ed06c53fd4e5ad664c2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:31:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58503e97-041c-4ebf-9541-479202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:31:51.000Z", "modified": "2016-12-13T18:31:51.000Z", "description": "CredRaptor password stealer", "pattern": "[file:hashes.SHA1 = '58a45ef055b287bad7b81033e17446ee6b682e2d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:31:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": 
"indicator", "spec_version": "2.1", "id": "indicator--58503ea6-c204-49fc-9ea6-e8a402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:32:06.000Z", "modified": "2016-12-13T18:32:06.000Z", "description": "LDAP query tool", "pattern": "[file:hashes.SHA1 = '81f73c76fbf4ab3487d5e6e8629e83c0568de713']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:32:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58503eb8-4cac-48aa-b1e7-458d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:32:24.000Z", "modified": "2016-12-13T18:32:24.000Z", "description": "Modified Mimikatz", "pattern": "[file:hashes.SHA1 = 'b0ba3405bb2b0fa5ba34b57c2cc7e5c184d86991']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:32:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58503eb8-928c-4b35-a948-4f4b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:32:24.000Z", "modified": "2016-12-13T18:32:24.000Z", "description": "Modified Mimikatz", "pattern": "[file:hashes.SHA1 = 'ad2d3d00c7573733b70d9780ae3b89eeb8c62c76']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:32:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--58503eb9-06f8-44a2-9940-418602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:32:25.000Z", "modified": "2016-12-13T18:32:25.000Z", "description": "Modified Mimikatz", "pattern": "[file:hashes.SHA1 = 'd8614bc1d428ebabccbfae76a81037ff908a8f79']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:32:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58503ec5-1a14-4455-a56f-49ec02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:32:37.000Z", "modified": "2016-12-13T18:32:37.000Z", "description": "BCS-server", "pattern": "[file:hashes.SHA1 = '4b692e2597683354e106dfb9b90677c9311972a1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:32:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58503ec5-eab8-42f1-ba84-461c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:32:37.000Z", "modified": "2016-12-13T18:32:37.000Z", "description": "BCS-server", "pattern": "[file:hashes.SHA1 = 'bf3cb98dc668e455188ebb4c311bd19cd9f46667']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:32:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58503ed8-ce04-4ac2-a419-469502de0b81", 
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:32:56.000Z", "modified": "2016-12-13T18:32:56.000Z", "description": "VBS backdoors", "pattern": "[file:hashes.SHA1 = 'f00f632749418b2b75ca9ece73a02c485621c3b4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:32:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58503ed9-b6d4-4688-ba83-476b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:32:57.000Z", "modified": "2016-12-13T18:32:57.000Z", "description": "VBS backdoors", "pattern": "[file:hashes.SHA1 = '06e1f816cbaf45bd6ee55f74f0261a674e805f86']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:32:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58503ed9-66b8-4518-846f-47aa02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:32:57.000Z", "modified": "2016-12-13T18:32:57.000Z", "description": "VBS backdoors", "pattern": "[file:hashes.SHA1 = '35d71de3e665cf9d6a685ae02c3876b7d56b1687']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:32:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58503eda-0d74-4e8d-a7c3-406702de0b81", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:32:58.000Z", "modified": "2016-12-13T18:32:58.000Z", "description": "VBS backdoors", "pattern": "[file:hashes.SHA1 = 'f22cea7bc080e712e85549848d35e7d5908d9b49']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:32:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58503eda-bcf0-4241-91ff-425502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:32:58.000Z", "modified": "2016-12-13T18:32:58.000Z", "description": "VBS backdoors", "pattern": "[file:hashes.SHA1 = 'c473ccb92581a803c1f1540be2193bc8b9599bfe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:32:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58503eee-5734-415d-a834-44bd02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:33:18.000Z", "modified": "2016-12-13T18:33:18.000Z", "description": "Python/TeleBot.AA backdoor", "pattern": "[file:hashes.SHA1 = '16c206d9cfd4c82d6652afb1eebb589a927b041b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:33:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58503eef-e4f4-4565-ba44-4eb702de0b81", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:33:19.000Z", "modified": "2016-12-13T18:33:19.000Z", "description": "Python/TeleBot.AA backdoor", "pattern": "[file:hashes.SHA1 = '1dc1660677a41b6622b795a1eb5aa5e5118d8f18']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:33:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58503eef-cd30-4c21-9acd-409a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:33:19.000Z", "modified": "2016-12-13T18:33:19.000Z", "description": "Python/TeleBot.AA backdoor", "pattern": "[file:hashes.SHA1 = '26da35564d04bb308d57f645f353d1de1fb76677']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:33:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58503ef0-c93c-41bf-bd4c-405d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:33:20.000Z", "modified": "2016-12-13T18:33:20.000Z", "description": "Python/TeleBot.AA backdoor", "pattern": "[file:hashes.SHA1 = '30d2da7caf740baaa8a1300ee48220b3043a327d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:33:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58503ef0-6a38-4fa9-b633-4bae02de0b81", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:33:20.000Z", "modified": "2016-12-13T18:33:20.000Z", "description": "Python/TeleBot.AA backdoor", "pattern": "[file:hashes.SHA1 = '385f26d29b46ff55c5f4d6bbfd3da12eb5c33ed7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:33:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58503ef1-3d38-46d8-8e58-405a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:33:21.000Z", "modified": "2016-12-13T18:33:21.000Z", "description": "Python/TeleBot.AA backdoor", "pattern": "[file:hashes.SHA1 = '4d5023f9f9d0ba7a7328a8ee341dbbca244f72c5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:33:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58503ef1-eeb0-41eb-8d93-41bf02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:33:21.000Z", "modified": "2016-12-13T18:33:21.000Z", "description": "Python/TeleBot.AA backdoor", "pattern": "[file:hashes.SHA1 = '57dad9cda501bc8f1d0496ef010146d9a1d3734f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:33:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58503ef2-bfbc-4cce-bc6a-4ae202de0b81", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:33:22.000Z", "modified": "2016-12-13T18:33:22.000Z", "description": "Python/TeleBot.AA backdoor", "pattern": "[file:hashes.SHA1 = '68377a993e5a85eb39aded400755a22eb7273ca0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:33:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58503ef2-f5cc-48cb-b254-4afe02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:33:22.000Z", "modified": "2016-12-13T18:33:22.000Z", "description": "Python/TeleBot.AA backdoor", "pattern": "[file:hashes.SHA1 = '77d7ea627f645219cf6b8454459baef1e5192467']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:33:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58503ef3-1630-4ee5-9791-429502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:33:23.000Z", "modified": "2016-12-13T18:33:23.000Z", "description": "Python/TeleBot.AA backdoor", "pattern": "[file:hashes.SHA1 = '7b87ad4a25e80000ff1011b51f03e48e8ea6c23d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:33:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58503ef3-703c-4518-9dd9-480d02de0b81", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:33:23.000Z", "modified": "2016-12-13T18:33:23.000Z", "description": "Python/TeleBot.AA backdoor", "pattern": "[file:hashes.SHA1 = '7c822f0fdb5ec14dd335cbe0238448c14015f495']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:33:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58503ef4-ecbc-481e-a3e3-4c1702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:33:24.000Z", "modified": "2016-12-13T18:33:24.000Z", "description": "Python/TeleBot.AA backdoor", "pattern": "[file:hashes.SHA1 = '86abbf8a4cf9828381dde9fd09e55446e7533e78']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:33:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58503ef4-61c0-4b1a-84d8-41c402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:33:24.000Z", "modified": "2016-12-13T18:33:24.000Z", "description": "Python/TeleBot.AA backdoor", "pattern": "[file:hashes.SHA1 = '9512a8280214674e6b16b07be281bb9f0255004b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:33:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58503ef4-1f20-4beb-b829-4c4d02de0b81", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:33:24.000Z", "modified": "2016-12-13T18:33:24.000Z", "description": "Python/TeleBot.AA backdoor", "pattern": "[file:hashes.SHA1 = 'b2e9d964c304fc91dcaf39ff44e3c38132c94655']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:33:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58503ef5-9cd4-4623-8d55-4c0602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:33:25.000Z", "modified": "2016-12-13T18:33:25.000Z", "description": "Python/TeleBot.AA backdoor", "pattern": "[file:hashes.SHA1 = 'fe4c1c6b3d8fdc9e562c57849e8094393075bc93']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:33:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58503f02-21ec-4514-b5ba-c7c302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:33:38.000Z", "modified": "2016-12-13T18:33:38.000Z", "description": "Win32/TrojanDownloader.Agent.CWY", "pattern": "[file:hashes.SHA1 = 'f1bf54186c2c64cd104755f247867238c8472504']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:33:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58503f14-99ec-4578-b7dd-451502de0b81", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:33:56.000Z", "modified": "2016-12-13T18:33:56.000Z", "description": "XLS documents with malicious macro", "pattern": "[file:hashes.SHA1 = '7fc462f1734c09d8d70c6779a4f1a3e6e2a9cc9f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:33:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58503f14-a8bc-4338-be8d-448202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:33:56.000Z", "modified": "2016-12-13T18:33:56.000Z", "description": "XLS documents with malicious macro", "pattern": "[file:hashes.SHA1 = 'c361a06e51d2e2cd560f43d4cc9dabe765536179']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:33:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58503f27-ec78-4a65-abb3-425702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:34:15.000Z", "modified": "2016-12-13T18:34:15.000Z", "first_observed": "2016-12-13T18:34:15Z", "last_observed": "2016-12-13T18:34:15Z", "number_observed": 1, "object_refs": [ "domain-name--58503f27-ec78-4a65-abb3-425702de0b81" ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"" ] }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--58503f27-ec78-4a65-abb3-425702de0b81", "value": "srv70.putdrive.com" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58503f28-1a5c-46ca-a24e-4a3f02de0b81", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:34:16.000Z", "modified": "2016-12-13T18:34:16.000Z", "first_observed": "2016-12-13T18:34:16Z", "last_observed": "2016-12-13T18:34:16Z", "number_observed": 1, "object_refs": [ "network-traffic--58503f28-1a5c-46ca-a24e-4a3f02de0b81", "ipv4-addr--58503f28-1a5c-46ca-a24e-4a3f02de0b81" ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--58503f28-1a5c-46ca-a24e-4a3f02de0b81", "dst_ref": "ipv4-addr--58503f28-1a5c-46ca-a24e-4a3f02de0b81", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--58503f28-1a5c-46ca-a24e-4a3f02de0b81", "value": "188.165.14.185" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58503f28-a918-4725-b7a7-4d4f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:34:16.000Z", "modified": "2016-12-13T18:34:16.000Z", "first_observed": "2016-12-13T18:34:16Z", "last_observed": "2016-12-13T18:34:16Z", "number_observed": 1, "object_refs": [ "domain-name--58503f28-a918-4725-b7a7-4d4f02de0b81" ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"" ] }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--58503f28-a918-4725-b7a7-4d4f02de0b81", "value": "api.telegram.org" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58503f28-747c-4b4a-8cba-4e9902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:34:16.000Z", "modified": "2016-12-13T18:34:16.000Z", "first_observed": "2016-12-13T18:34:16Z", "last_observed": "2016-12-13T18:34:16Z", "number_observed": 1, "object_refs": [ "network-traffic--58503f28-747c-4b4a-8cba-4e9902de0b81", "ipv4-addr--58503f28-747c-4b4a-8cba-4e9902de0b81" ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"" ] }, { 
"type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--58503f28-747c-4b4a-8cba-4e9902de0b81", "dst_ref": "ipv4-addr--58503f28-747c-4b4a-8cba-4e9902de0b81", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--58503f28-747c-4b4a-8cba-4e9902de0b81", "value": "149.154.167.200" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58503f29-2b9c-4d14-82a6-4dda02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:34:17.000Z", "modified": "2016-12-13T18:34:17.000Z", "first_observed": "2016-12-13T18:34:17Z", "last_observed": "2016-12-13T18:34:17Z", "number_observed": 1, "object_refs": [ "network-traffic--58503f29-2b9c-4d14-82a6-4dda02de0b81", "ipv4-addr--58503f29-2b9c-4d14-82a6-4dda02de0b81" ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--58503f29-2b9c-4d14-82a6-4dda02de0b81", "dst_ref": "ipv4-addr--58503f29-2b9c-4d14-82a6-4dda02de0b81", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--58503f29-2b9c-4d14-82a6-4dda02de0b81", "value": "149.154.167.197" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58503f29-2fbc-4fbc-8e65-4b0202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:34:17.000Z", "modified": "2016-12-13T18:34:17.000Z", "first_observed": "2016-12-13T18:34:17Z", "last_observed": "2016-12-13T18:34:17Z", "number_observed": 1, "object_refs": [ "network-traffic--58503f29-2fbc-4fbc-8e65-4b0202de0b81", "ipv4-addr--58503f29-2fbc-4fbc-8e65-4b0202de0b81" ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--58503f29-2fbc-4fbc-8e65-4b0202de0b81", "dst_ref": "ipv4-addr--58503f29-2fbc-4fbc-8e65-4b0202de0b81", "protocols": [ 
"tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--58503f29-2fbc-4fbc-8e65-4b0202de0b81", "value": "149.154.167.198" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58503f2a-a898-494b-8cfa-480f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:34:18.000Z", "modified": "2016-12-13T18:34:18.000Z", "first_observed": "2016-12-13T18:34:18Z", "last_observed": "2016-12-13T18:34:18Z", "number_observed": 1, "object_refs": [ "network-traffic--58503f2a-a898-494b-8cfa-480f02de0b81", "ipv4-addr--58503f2a-a898-494b-8cfa-480f02de0b81" ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--58503f2a-a898-494b-8cfa-480f02de0b81", "dst_ref": "ipv4-addr--58503f2a-a898-494b-8cfa-480f02de0b81", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--58503f2a-a898-494b-8cfa-480f02de0b81", "value": "149.154.167.199" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58503f2a-9d08-4001-93a6-43fc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:34:18.000Z", "modified": "2016-12-13T18:34:18.000Z", "first_observed": "2016-12-13T18:34:18Z", "last_observed": "2016-12-13T18:34:18Z", "number_observed": 1, "object_refs": [ "domain-name--58503f2a-9d08-4001-93a6-43fc02de0b81" ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"" ] }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--58503f2a-9d08-4001-93a6-43fc02de0b81", "value": "smtp-mail.outlook.com" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58503f2b-c1c4-4de6-b948-4be302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:34:19.000Z", "modified": "2016-12-13T18:34:19.000Z", "first_observed": 
"2016-12-13T18:34:19Z", "last_observed": "2016-12-13T18:34:19Z", "number_observed": 1, "object_refs": [ "network-traffic--58503f2b-c1c4-4de6-b948-4be302de0b81", "ipv4-addr--58503f2b-c1c4-4de6-b948-4be302de0b81" ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--58503f2b-c1c4-4de6-b948-4be302de0b81", "dst_ref": "ipv4-addr--58503f2b-c1c4-4de6-b948-4be302de0b81", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--58503f2b-c1c4-4de6-b948-4be302de0b81", "value": "65.55.176.126" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58503f3a-4414-4e2c-9562-424302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:34:34.000Z", "modified": "2016-12-13T18:34:34.000Z", "description": "C&C Server", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '93.190.137.212']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:34:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58503f3a-a690-4478-a0ef-4fd602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:34:34.000Z", "modified": "2016-12-13T18:34:34.000Z", "description": "C&C Server", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.141.37.3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:34:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": 
"indicator", "spec_version": "2.1", "id": "indicator--58503f3b-6e14-4deb-82c4-47c602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:34:35.000Z", "modified": "2016-12-13T18:34:35.000Z", "description": "C&C Server", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '80.233.134.147']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:34:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5850402e-f8a8-4990-ba17-484002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:38.000Z", "modified": "2016-12-13T18:38:38.000Z", "description": "XLS documents with malicious macro - Xchecked via VT: c361a06e51d2e2cd560f43d4cc9dabe765536179", "pattern": "[file:hashes.SHA256 = '97b317afa02cd35db40c197fea3a6ef8cdc8c01ca73523983850f323a47d0c2e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:38:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5850402f-a854-4c2e-af09-431a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:39.000Z", "modified": "2016-12-13T18:38:39.000Z", "description": "XLS documents with malicious macro - Xchecked via VT: c361a06e51d2e2cd560f43d4cc9dabe765536179", "pattern": "[file:hashes.MD5 = '7d4fc63f2096a485d2da3db1150e6d34']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:38:39Z", "kill_chain_phases": [ { "kill_chain_name": 
"misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58504030-569c-417e-a638-49e502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:40.000Z", "modified": "2016-12-13T18:38:40.000Z", "first_observed": "2016-12-13T18:38:40Z", "last_observed": "2016-12-13T18:38:40Z", "number_observed": 1, "object_refs": [ "url--58504030-569c-417e-a638-49e502de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58504030-569c-417e-a638-49e502de0b81", "value": "https://www.virustotal.com/file/97b317afa02cd35db40c197fea3a6ef8cdc8c01ca73523983850f323a47d0c2e/analysis/1481528849/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58504030-0760-4dcf-8527-409e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:40.000Z", "modified": "2016-12-13T18:38:40.000Z", "description": "XLS documents with malicious macro - Xchecked via VT: 7fc462f1734c09d8d70c6779a4f1a3e6e2a9cc9f", "pattern": "[file:hashes.SHA256 = 'a260320bb52eb0fe767d7e30e069492ab063b65a26969dd78d10d8141b850bc8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:38:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58504031-ffa8-46c5-9bb6-429f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:41.000Z", "modified": "2016-12-13T18:38:41.000Z", "description": "XLS documents with malicious macro - Xchecked via VT: 7fc462f1734c09d8d70c6779a4f1a3e6e2a9cc9f", 
"pattern": "[file:hashes.MD5 = 'fd0fd58b20b1476e8f67d6a05307e9bc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:38:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58504031-4490-49ed-854e-429202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:41.000Z", "modified": "2016-12-13T18:38:41.000Z", "first_observed": "2016-12-13T18:38:41Z", "last_observed": "2016-12-13T18:38:41Z", "number_observed": 1, "object_refs": [ "url--58504031-4490-49ed-854e-429202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58504031-4490-49ed-854e-429202de0b81", "value": "https://www.virustotal.com/file/a260320bb52eb0fe767d7e30e069492ab063b65a26969dd78d10d8141b850bc8/analysis/1481528895/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58504032-0ec8-49a1-94f3-482b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:42.000Z", "modified": "2016-12-13T18:38:42.000Z", "description": "Win32/TrojanDownloader.Agent.CWY - Xchecked via VT: f1bf54186c2c64cd104755f247867238c8472504", "pattern": "[file:hashes.SHA256 = '2ee5a743bd420aa04e0ea9ab7a25e1cc2c346a55d6a518f267896694d75539a2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:38:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58504032-e93c-4675-bb15-4e5b02de0b81", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:42.000Z", "modified": "2016-12-13T18:38:42.000Z", "description": "Win32/TrojanDownloader.Agent.CWY - Xchecked via VT: f1bf54186c2c64cd104755f247867238c8472504", "pattern": "[file:hashes.MD5 = '1019c101fc1ae71e5c1687e34f0628e6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:38:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58504033-4cf4-4a9a-a6d3-405302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:43.000Z", "modified": "2016-12-13T18:38:43.000Z", "first_observed": "2016-12-13T18:38:43Z", "last_observed": "2016-12-13T18:38:43Z", "number_observed": 1, "object_refs": [ "url--58504033-4cf4-4a9a-a6d3-405302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58504033-4cf4-4a9a-a6d3-405302de0b81", "value": "https://www.virustotal.com/file/2ee5a743bd420aa04e0ea9ab7a25e1cc2c346a55d6a518f267896694d75539a2/analysis/1479466980/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58504033-4f20-4199-af62-440802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:43.000Z", "modified": "2016-12-13T18:38:43.000Z", "description": "Python/TeleBot.AA backdoor - Xchecked via VT: 57dad9cda501bc8f1d0496ef010146d9a1d3734f", "pattern": "[file:hashes.SHA256 = 'ea57a45dda5b735fc2a982700a21363cbee138de2605d1df06103a5d94c539da']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:38:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ 
"misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58504034-e410-4ff2-ad04-483302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:44.000Z", "modified": "2016-12-13T18:38:44.000Z", "description": "Python/TeleBot.AA backdoor - Xchecked via VT: 57dad9cda501bc8f1d0496ef010146d9a1d3734f", "pattern": "[file:hashes.MD5 = '24313581bbbffa9a784b48075b525810']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:38:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58504034-db74-413e-a182-4bec02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:44.000Z", "modified": "2016-12-13T18:38:44.000Z", "first_observed": "2016-12-13T18:38:44Z", "last_observed": "2016-12-13T18:38:44Z", "number_observed": 1, "object_refs": [ "url--58504034-db74-413e-a182-4bec02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58504034-db74-413e-a182-4bec02de0b81", "value": "https://www.virustotal.com/file/ea57a45dda5b735fc2a982700a21363cbee138de2605d1df06103a5d94c539da/analysis/1481525869/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58504035-d258-418c-825d-48b102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:45.000Z", "modified": "2016-12-13T18:38:45.000Z", "description": "Python/TeleBot.AA backdoor - Xchecked via VT: 385f26d29b46ff55c5f4d6bbfd3da12eb5c33ed7", "pattern": "[file:hashes.SHA256 = 'dcdc4c72c6e0867e74790a882e8e8c20e8a38416e9b10ed64fbf0f64f4e2567c']", 
"pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:38:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58504035-8c44-4988-8226-488002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:45.000Z", "modified": "2016-12-13T18:38:45.000Z", "description": "Python/TeleBot.AA backdoor - Xchecked via VT: 385f26d29b46ff55c5f4d6bbfd3da12eb5c33ed7", "pattern": "[file:hashes.MD5 = '0fce93cd9beeea30a7f0e2a819d2b968']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:38:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58504036-c064-4e2c-9d3f-484d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:46.000Z", "modified": "2016-12-13T18:38:46.000Z", "first_observed": "2016-12-13T18:38:46Z", "last_observed": "2016-12-13T18:38:46Z", "number_observed": 1, "object_refs": [ "url--58504036-c064-4e2c-9d3f-484d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58504036-c064-4e2c-9d3f-484d02de0b81", "value": "https://www.virustotal.com/file/dcdc4c72c6e0867e74790a882e8e8c20e8a38416e9b10ed64fbf0f64f4e2567c/analysis/1481552578/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58504036-1ce4-46ad-9a87-40f502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:46.000Z", "modified": "2016-12-13T18:38:46.000Z", "description": 
"Python/TeleBot.AA backdoor - Xchecked via VT: 16c206d9cfd4c82d6652afb1eebb589a927b041b", "pattern": "[file:hashes.SHA256 = '904df5d6b900fcdac44c002f03ab1fbc698b8d421a22639819b3b208aaa6ea2c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:38:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58504037-f7ac-43a0-9e31-485f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:47.000Z", "modified": "2016-12-13T18:38:47.000Z", "description": "Python/TeleBot.AA backdoor - Xchecked via VT: 16c206d9cfd4c82d6652afb1eebb589a927b041b", "pattern": "[file:hashes.MD5 = '75ee947e31a40ab4b5cde9f4a767310b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:38:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58504037-9f80-4883-8f0d-46b302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:47.000Z", "modified": "2016-12-13T18:38:47.000Z", "first_observed": "2016-12-13T18:38:47Z", "last_observed": "2016-12-13T18:38:47Z", "number_observed": 1, "object_refs": [ "url--58504037-9f80-4883-8f0d-46b302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58504037-9f80-4883-8f0d-46b302de0b81", "value": "https://www.virustotal.com/file/904df5d6b900fcdac44c002f03ab1fbc698b8d421a22639819b3b208aaa6ea2c/analysis/1481552575/" }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--58504038-7214-4a85-a564-4ee102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:48.000Z", "modified": "2016-12-13T18:38:48.000Z", "description": "VBS backdoors - Xchecked via VT: f22cea7bc080e712e85549848d35e7d5908d9b49", "pattern": "[file:hashes.SHA256 = '1b2a5922b58c8060844b43e14dfa5b0c8b119f281f54a46f0f1c34accde71ddb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:38:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58504038-e2c4-4186-96bf-4f3b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:48.000Z", "modified": "2016-12-13T18:38:48.000Z", "description": "VBS backdoors - Xchecked via VT: f22cea7bc080e712e85549848d35e7d5908d9b49", "pattern": "[file:hashes.MD5 = 'c404b959b51ad0425f1789f03e2c6ecf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:38:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58504039-f2d8-419a-936a-4f4602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:49.000Z", "modified": "2016-12-13T18:38:49.000Z", "first_observed": "2016-12-13T18:38:49Z", "last_observed": "2016-12-13T18:38:49Z", "number_observed": 1, "object_refs": [ "url--58504039-f2d8-419a-936a-4f4602de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58504039-f2d8-419a-936a-4f4602de0b81", "value": 
"https://www.virustotal.com/file/1b2a5922b58c8060844b43e14dfa5b0c8b119f281f54a46f0f1c34accde71ddb/analysis/1481552577/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58504039-15bc-45d6-b60f-4dc602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:49.000Z", "modified": "2016-12-13T18:38:49.000Z", "description": "VBS backdoors - Xchecked via VT: 35d71de3e665cf9d6a685ae02c3876b7d56b1687", "pattern": "[file:hashes.SHA256 = 'eb31a918ccc1643d069cf08b7958e2760e8551ba3b88ea9e5d496e07437273b2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:38:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5850403a-eec4-4723-a1e0-4ff902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:50.000Z", "modified": "2016-12-13T18:38:50.000Z", "description": "VBS backdoors - Xchecked via VT: 35d71de3e665cf9d6a685ae02c3876b7d56b1687", "pattern": "[file:hashes.MD5 = '2d7866989d659c1f8ae795e5cab40bf3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:38:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5850403a-fdf0-46d5-abcc-4bf802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:50.000Z", "modified": "2016-12-13T18:38:50.000Z", "first_observed": "2016-12-13T18:38:50Z", "last_observed": "2016-12-13T18:38:50Z", "number_observed": 1, "object_refs": [ "url--5850403a-fdf0-46d5-abcc-4bf802de0b81" ], "labels": [ 
"misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5850403a-fdf0-46d5-abcc-4bf802de0b81", "value": "https://www.virustotal.com/file/eb31a918ccc1643d069cf08b7958e2760e8551ba3b88ea9e5d496e07437273b2/analysis/1481552576/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5850403b-0c30-4fe4-b6f1-482e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:51.000Z", "modified": "2016-12-13T18:38:51.000Z", "description": "Modified Mimikatz - Xchecked via VT: d8614bc1d428ebabccbfae76a81037ff908a8f79", "pattern": "[file:hashes.SHA256 = 'b2edc9351b389f1cbcdf0ac52b9d0b3bd982a077e5a3df8cebebc32c450ffeec']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:38:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5850403b-2be0-4103-8f8f-4ceb02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:51.000Z", "modified": "2016-12-13T18:38:51.000Z", "description": "Modified Mimikatz - Xchecked via VT: d8614bc1d428ebabccbfae76a81037ff908a8f79", "pattern": "[file:hashes.MD5 = 'bde6c0dac3e594a4a859b490aaaf1217']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:38:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5850403c-4150-43c1-be39-482502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:52.000Z", "modified": "2016-12-13T18:38:52.000Z", 
"first_observed": "2016-12-13T18:38:52Z", "last_observed": "2016-12-13T18:38:52Z", "number_observed": 1, "object_refs": [ "url--5850403c-4150-43c1-be39-482502de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5850403c-4150-43c1-be39-482502de0b81", "value": "https://www.virustotal.com/file/b2edc9351b389f1cbcdf0ac52b9d0b3bd982a077e5a3df8cebebc32c450ffeec/analysis/1471587292/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5850403c-e308-48a9-b780-415702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:52.000Z", "modified": "2016-12-13T18:38:52.000Z", "description": "LDAP query tool - Xchecked via VT: 81f73c76fbf4ab3487d5e6e8629e83c0568de713", "pattern": "[file:hashes.SHA256 = 'a35951855503188a66c94019bd419cd97208291f05e382151fd3c2a9d1848857']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:38:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5850403d-ac3c-4442-a474-4b2f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:52.000Z", "modified": "2016-12-13T18:38:52.000Z", "description": "LDAP query tool - Xchecked via VT: 81f73c76fbf4ab3487d5e6e8629e83c0568de713", "pattern": "[file:hashes.MD5 = '76691c58103431624d26f2b8384a57b0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:38:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": 
"observed-data--5850403d-507c-4196-b7e7-461702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:53.000Z", "modified": "2016-12-13T18:38:53.000Z", "first_observed": "2016-12-13T18:38:53Z", "last_observed": "2016-12-13T18:38:53Z", "number_observed": 1, "object_refs": [ "url--5850403d-507c-4196-b7e7-461702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5850403d-507c-4196-b7e7-461702de0b81", "value": "https://www.virustotal.com/file/a35951855503188a66c94019bd419cd97208291f05e382151fd3c2a9d1848857/analysis/1471530894/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5850403d-6128-4f26-bf07-4fa102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:53.000Z", "modified": "2016-12-13T18:38:53.000Z", "description": "CredRaptor password stealer - Xchecked via VT: 58a45ef055b287bad7b81033e17446ee6b682e2d", "pattern": "[file:hashes.SHA256 = '50b990f6555055a265fde98324759dbc74619d6a7c49b9fd786775299bf77d26']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:38:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5850403e-5358-4e0c-be49-485202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:54.000Z", "modified": "2016-12-13T18:38:54.000Z", "description": "CredRaptor password stealer - Xchecked via VT: 58a45ef055b287bad7b81033e17446ee6b682e2d", "pattern": "[file:hashes.MD5 = '389ae3a4589e355e173e9b077d6f1a0a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:38:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", 
"phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5850403e-6d80-44e0-8c42-4b7102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:54.000Z", "modified": "2016-12-13T18:38:54.000Z", "first_observed": "2016-12-13T18:38:54Z", "last_observed": "2016-12-13T18:38:54Z", "number_observed": 1, "object_refs": [ "url--5850403e-6d80-44e0-8c42-4b7102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5850403e-6d80-44e0-8c42-4b7102de0b81", "value": "https://www.virustotal.com/file/50b990f6555055a265fde98324759dbc74619d6a7c49b9fd786775299bf77d26/analysis/1481650988/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5850403f-49bc-4edb-9e43-451502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:55.000Z", "modified": "2016-12-13T18:38:55.000Z", "description": "Win64/Spy.KeyLogger.G trojan - Xchecked via VT: 7582de9e93e2f35f9a63b59317eba48846eea4c7", "pattern": "[file:hashes.SHA256 = 'e3f134ae88f05463c4707a80f956a689fba7066bb5357f6d45cba312ad0db68e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:38:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5850403f-b088-4448-b8aa-4f4702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:55.000Z", "modified": "2016-12-13T18:38:55.000Z", "description": "Win64/Spy.KeyLogger.G trojan - Xchecked via VT: 7582de9e93e2f35f9a63b59317eba48846eea4c7", "pattern": "[file:hashes.MD5 
= '4919569cd19164c1f123f97c5b44b03b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:38:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58504040-8818-4b41-b6f3-421502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:56.000Z", "modified": "2016-12-13T18:38:56.000Z", "first_observed": "2016-12-13T18:38:56Z", "last_observed": "2016-12-13T18:38:56Z", "number_observed": 1, "object_refs": [ "url--58504040-8818-4b41-b6f3-421502de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58504040-8818-4b41-b6f3-421502de0b81", "value": "https://www.virustotal.com/file/e3f134ae88f05463c4707a80f956a689fba7066bb5357f6d45cba312ad0db68e/analysis/1469022930/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58504040-f9a4-4380-87a4-405a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:56.000Z", "modified": "2016-12-13T18:38:56.000Z", "description": "Intercepter-NG and silent WinPCAP installer - Xchecked via VT: 64cb897acc37e12e4f49c4da4dfad606b3976225", "pattern": "[file:hashes.SHA256 = '5f9fef7974d37922ac91365588fbe7b544e13abbbde7c262fe30bade7026e118']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:38:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58504041-d378-4427-aafb-415d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2016-12-13T18:38:57.000Z", "modified": "2016-12-13T18:38:57.000Z", "description": "Intercepter-NG and silent WinPCAP installer - Xchecked via VT: 64cb897acc37e12e4f49c4da4dfad606b3976225", "pattern": "[file:hashes.MD5 = '5bd6b79a4443afd27f7ed1fbf66060ea']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:38:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58504041-6110-4ca7-be7a-4fd602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:57.000Z", "modified": "2016-12-13T18:38:57.000Z", "first_observed": "2016-12-13T18:38:57Z", "last_observed": "2016-12-13T18:38:57Z", "number_observed": 1, "object_refs": [ "url--58504041-6110-4ca7-be7a-4fd602de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58504041-6110-4ca7-be7a-4fd602de0b81", "value": "https://www.virustotal.com/file/5f9fef7974d37922ac91365588fbe7b544e13abbbde7c262fe30bade7026e118/analysis/1471786034/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58504042-c64c-4694-a0ff-47b902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:58.000Z", "modified": "2016-12-13T18:38:58.000Z", "description": "Win32/KillDisk - Xchecked via VT: 8eb8527562dda552fc6b8827c0ebf50968848f1a", "pattern": "[file:hashes.SHA256 = '8246f709efa922a485e1ca32d8b0d10dc752618e8b3fce4d3dd58d10e4a6a16d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:38:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", 
"misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58504042-1fa8-423e-87d2-40ee02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:58.000Z", "modified": "2016-12-13T18:38:58.000Z", "description": "Win32/KillDisk - Xchecked via VT: 8eb8527562dda552fc6b8827c0ebf50968848f1a", "pattern": "[file:hashes.MD5 = 'b75c869561e014f4d384773427c879a6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:38:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58504043-2dc4-43c6-9623-423f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:59.000Z", "modified": "2016-12-13T18:38:59.000Z", "first_observed": "2016-12-13T18:38:59Z", "last_observed": "2016-12-13T18:38:59Z", "number_observed": 1, "object_refs": [ "url--58504043-2dc4-43c6-9623-423f02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58504043-2dc4-43c6-9623-423f02de0b81", "value": "https://www.virustotal.com/file/8246f709efa922a485e1ca32d8b0d10dc752618e8b3fce4d3dd58d10e4a6a16d/analysis/1481528958/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58504043-2408-4775-944a-4c1202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:38:59.000Z", "modified": "2016-12-13T18:38:59.000Z", "description": "Win32/KillDisk - Xchecked via VT: 71a2b3f48828e4552637fa9753f0324b7146f3af", "pattern": "[file:hashes.SHA256 = '26173c9ec8fd1c4f9f18f89683b23267f6f9d116196ed15655e9cb453af2890e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:38:59Z", 
"kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58504044-c16c-46f8-87e9-48bb02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:39:00.000Z", "modified": "2016-12-13T18:39:00.000Z", "description": "Win32/KillDisk - Xchecked via VT: 71a2b3f48828e4552637fa9753f0324b7146f3af", "pattern": "[file:hashes.MD5 = 'ffb1e8babaecc4a8cb3d763412294469']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-12-13T18:39:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58504044-2238-4999-9bd4-471902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-12-13T18:39:00.000Z", "modified": "2016-12-13T18:39:00.000Z", "first_observed": "2016-12-13T18:39:00Z", "last_observed": "2016-12-13T18:39:00Z", "number_observed": 1, "object_refs": [ "url--58504044-2238-4999-9bd4-471902de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58504044-2238-4999-9bd4-471902de0b81", "value": "https://www.virustotal.com/file/26173c9ec8fd1c4f9f18f89683b23267f6f9d116196ed15655e9cb453af2890e/analysis/1481554993/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }