{ "type": "bundle", "id": "bundle--588df693-0480-41bd-b8fd-4e9302de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-29T14:32:35.000Z", "modified": "2017-01-29T14:32:35.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--588df693-0480-41bd-b8fd-4e9302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-29T14:32:35.000Z", "modified": "2017-01-29T14:32:35.000Z", "name": "OSINT - #OCJP-133: Hancitorマルウェア感染 と ハッキングされたWordpress", "published": "2017-01-29T14:58:16Z", "object_refs": [ "observed-data--588df77f-b26c-4985-9fbc-8c6f02de0b81", "url--588df77f-b26c-4985-9fbc-8c6f02de0b81", "observed-data--588df837-b088-4518-9cd0-404a02de0b81", "url--588df837-b088-4518-9cd0-404a02de0b81", "indicator--588dfbdc-32e0-4688-a878-424202de0b81", "indicator--588dfbdd-0c94-439c-9612-4d8002de0b81", "indicator--588dfbde-0244-46c1-8a74-47b602de0b81", "indicator--588dfbde-eee8-4585-b7d1-4d9f02de0b81", "indicator--588dfbdf-aa44-4f47-ad24-49a702de0b81", "indicator--588dfbe0-f6cc-4473-a496-4cd902de0b81", "indicator--588dfbe1-e7d0-4a5c-99ee-4a7802de0b81", "indicator--588dfbe1-5db4-4f29-b1f9-412a02de0b81", "indicator--588dfbe2-e548-4a27-aed8-476702de0b81", "indicator--588dfbe3-c8a8-40c3-84e1-482f02de0b81", "indicator--588dfbe4-c12c-4d5c-9e82-427a02de0b81", "indicator--588dfbe4-1738-4dd0-aa7f-4c0502de0b81", "indicator--588dfbe5-8160-441b-ad1b-44f602de0b81", "indicator--588dfc1f-1c44-41e7-8248-8c6c02de0b81", "indicator--588dfc1f-6304-454c-86b0-8c6c02de0b81", "observed-data--588dfc20-fa44-4d8d-b90d-8c6c02de0b81", 
"url--588dfc20-fa44-4d8d-b90d-8c6c02de0b81", "indicator--588dfc21-d5f0-45fa-98f5-8c6c02de0b81", "indicator--588dfc21-a46c-49f3-8ef5-8c6c02de0b81", "observed-data--588dfc22-003c-4f2b-a084-8c6c02de0b81", "url--588dfc22-003c-4f2b-a084-8c6c02de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:tool=\"Hancitor\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--588df77f-b26c-4985-9fbc-8c6f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-29T14:11:15.000Z", "modified": "2017-01-29T14:11:15.000Z", "first_observed": "2017-01-29T14:11:15Z", "last_observed": "2017-01-29T14:11:15Z", "number_observed": 1, "object_refs": [ "url--588df77f-b26c-4985-9fbc-8c6f02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"", "admiralty-scale:source-reliability=\"b\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--588df77f-b26c-4985-9fbc-8c6f02de0b81", "value": "http://blog.0day.jp/2017/01/ocjp-133-hancitorwordpress.html" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--588df837-b088-4518-9cd0-404a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-29T14:23:57.000Z", "modified": "2017-01-29T14:23:57.000Z", "first_observed": "2017-01-29T14:23:57Z", "last_observed": "2017-01-29T14:23:57Z", "number_observed": 1, "object_refs": [ "url--588df837-b088-4518-9cd0-404a02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"block-or-filter-list\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--588df837-b088-4518-9cd0-404a02de0b81", "value": "https://otx.alienvault.com/pulse/588dc57f5aa00d150559d1e1/" }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--588dfbdc-32e0-4688-a878-424202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-29T14:32:35.000Z", "modified": "2017-01-29T14:32:35.000Z", "description": "Hancitor CNC, Trojan Fareit CNC", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.169.190.104']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-29T14:32:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"", "adversary:infrastructure-type=\"proxy\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588dfbdd-0c94-439c-9612-4d8002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-29T14:27:41.000Z", "modified": "2017-01-29T14:27:41.000Z", "description": "Zeus/Pony Panel/CNC", "pattern": "[domain-name:value = 'rowatterding.ru']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-29T14:27:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588dfbde-0244-46c1-8a74-47b602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-29T14:27:42.000Z", "modified": "2017-01-29T14:27:42.000Z", "description": "Zeus/Pony Panel/CNC", "pattern": "[domain-name:value = 'fortrittotfor.ru']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-29T14:27:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": 
"2.1", "id": "indicator--588dfbde-eee8-4585-b7d1-4d9f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-29T14:27:42.000Z", "modified": "2017-01-29T14:27:42.000Z", "description": "Zeus/Pony Panel/CNC", "pattern": "[domain-name:value = 'fortmamuchco.ru']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-29T14:27:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588dfbdf-aa44-4f47-ad24-49a702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-29T14:27:43.000Z", "modified": "2017-01-29T14:27:43.000Z", "description": "Hancitor CNC, Trojan Fareit CNC", "pattern": "[domain-name:value = 'howbetmarow.ru']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-29T14:27:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588dfbe0-f6cc-4473-a496-4cd902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-29T14:31:53.000Z", "modified": "2017-01-29T14:31:53.000Z", "description": "Zeus/Pony Panel/CNC", "pattern": "[domain-name:value = 'aningronbut.ru']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-29T14:31:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"", "adversary:infrastructure-type=\"panel\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--588dfbe1-e7d0-4a5c-99ee-4a7802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-29T14:32:03.000Z", "modified": "2017-01-29T14:32:03.000Z", "description": "Zeus/Pony Panel/CNC", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '46.166.172.105']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-29T14:32:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"", "adversary:infrastructure-type=\"panel\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588dfbe1-5db4-4f29-b1f9-412a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-29T14:32:15.000Z", "modified": "2017-01-29T14:32:15.000Z", "description": "ZeusPanel and also Trojan Fareit CNC", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '62.76.89.178']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-29T14:32:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"", "adversary:infrastructure-type=\"panel\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588dfbe2-e548-4a27-aed8-476702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-29T14:27:46.000Z", "modified": "2017-01-29T14:27:46.000Z", "description": "Hancitor DOC Malware Hash", "pattern": "[file:hashes.SHA1 = '7085d46b2fb3763464c63918f16f534e2d86a7fb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-29T14:27:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ 
"misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588dfbe3-c8a8-40c3-84e1-482f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-29T14:27:47.000Z", "modified": "2017-01-29T14:27:47.000Z", "description": "Hancitor DLL Malware Hash", "pattern": "[file:hashes.SHA1 = '8b3a8d24022fe6ee4292b36efa62f95ae4bdda53']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-29T14:27:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588dfbe4-c12c-4d5c-9e82-427a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-29T14:27:48.000Z", "modified": "2017-01-29T14:27:48.000Z", "pattern": "[url:value = 'http://howbetmarow.ru/ls5/forum.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-29T14:27:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588dfbe4-1738-4dd0-aa7f-4c0502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-29T14:27:48.000Z", "modified": "2017-01-29T14:27:48.000Z", "pattern": "[url:value = 'http://howbetmarow.ru/klu/forum.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-29T14:27:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", 
"id": "indicator--588dfbe5-8160-441b-ad1b-44f602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-29T14:27:49.000Z", "modified": "2017-01-29T14:27:49.000Z", "pattern": "[url:value = 'http://aningronbut.ru/bdk/gate.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-29T14:27:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588dfc1f-1c44-41e7-8248-8c6c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-29T14:28:47.000Z", "modified": "2017-01-29T14:28:47.000Z", "description": "Hancitor DLL Malware Hash - Xchecked via VT: 8b3a8d24022fe6ee4292b36efa62f95ae4bdda53", "pattern": "[file:hashes.SHA256 = 'edd954f233c0f72ecf4beb0e63177969a297c6ee8e1da2bcc90924b922da0d88']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-29T14:28:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588dfc1f-6304-454c-86b0-8c6c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-29T14:28:47.000Z", "modified": "2017-01-29T14:28:47.000Z", "description": "Hancitor DLL Malware Hash - Xchecked via VT: 8b3a8d24022fe6ee4292b36efa62f95ae4bdda53", "pattern": "[file:hashes.MD5 = 'fb436eeb13a673a30cbadbf781db4add']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-29T14:28:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", 
"misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--588dfc20-fa44-4d8d-b90d-8c6c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-29T14:28:48.000Z", "modified": "2017-01-29T14:28:48.000Z", "first_observed": "2017-01-29T14:28:48Z", "last_observed": "2017-01-29T14:28:48Z", "number_observed": 1, "object_refs": [ "url--588dfc20-fa44-4d8d-b90d-8c6c02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--588dfc20-fa44-4d8d-b90d-8c6c02de0b81", "value": "https://www.virustotal.com/file/edd954f233c0f72ecf4beb0e63177969a297c6ee8e1da2bcc90924b922da0d88/analysis/1485679503/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588dfc21-d5f0-45fa-98f5-8c6c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-29T14:28:49.000Z", "modified": "2017-01-29T14:28:49.000Z", "description": "Hancitor DOC Malware Hash - Xchecked via VT: 7085d46b2fb3763464c63918f16f534e2d86a7fb", "pattern": "[file:hashes.SHA256 = '190140f672fa138a01e4928714ff8b3c0bc0baabeb36ced9c9801dd032cdfe51']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-01-29T14:28:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--588dfc21-a46c-49f3-8ef5-8c6c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-29T14:28:49.000Z", "modified": "2017-01-29T14:28:49.000Z", "description": "Hancitor DOC Malware Hash - Xchecked via VT: 7085d46b2fb3763464c63918f16f534e2d86a7fb", "pattern": "[file:hashes.MD5 = 'c0a0a6be5dbb5ce5ba08ea01fbd87e42']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": 
"2017-01-29T14:28:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--588dfc22-003c-4f2b-a084-8c6c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-01-29T14:28:50.000Z", "modified": "2017-01-29T14:28:50.000Z", "first_observed": "2017-01-29T14:28:50Z", "last_observed": "2017-01-29T14:28:50Z", "number_observed": 1, "object_refs": [ "url--588dfc22-003c-4f2b-a084-8c6c02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--588dfc22-003c-4f2b-a084-8c6c02de0b81", "value": "https://www.virustotal.com/file/190140f672fa138a01e4928714ff8b3c0bc0baabeb36ced9c9801dd032cdfe51/analysis/1485523743/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }