{ "type": "bundle", "id": "bundle--58975d16-ec0c-4d21-88bd-41eb02de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:23:47.000Z", "modified": "2017-02-05T17:23:47.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--58975d16-ec0c-4d21-88bd-41eb02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:23:47.000Z", "modified": "2017-02-05T17:23:47.000Z", "name": "OSINT - From RTF to Cobalt Strike passing via Flash", "published": "2017-02-05T17:25:04Z", "object_refs": [ "observed-data--58975d3c-caf0-4a77-9002-4b8002de0b81", "url--58975d3c-caf0-4a77-9002-4b8002de0b81", "x-misp-attribute--58975d51-c544-4264-afff-04a402de0b81", "indicator--58975d66-bef0-44f2-9073-444502de0b81", "indicator--58975da5-2764-4039-8d46-408302de0b81", "indicator--58975dc4-52e4-489b-bf43-409202de0b81", "indicator--58975dc5-8268-450b-850d-461c02de0b81", "indicator--58975ddc-d404-4a6f-8e95-4b6c02de0b81", "indicator--58975e36-6cb0-4f7d-ad7a-4a0b02de0b81", "indicator--58975e36-b704-437c-9c38-4ca302de0b81", "indicator--58975e37-51e8-49c6-a2b1-403302de0b81", "indicator--58975e38-9bd0-4bf4-9a87-415b02de0b81", "indicator--58975e39-5fa4-4cfd-abff-4c0702de0b81", "indicator--58975e3a-5940-400e-9815-43e202de0b81", "indicator--58975e3a-06c4-451d-b8db-475e02de0b81", "indicator--58975fa3-9c0c-437f-997b-402902de0b81", "indicator--58975fa4-1374-4b9b-baee-459f02de0b81", "observed-data--58975fa5-87dc-4cce-a592-48bf02de0b81", "url--58975fa5-87dc-4cce-a592-48bf02de0b81", "indicator--58975fa6-5168-4935-9c13-4ea002de0b81", "indicator--58975fa6-b790-4925-b617-423002de0b81", "observed-data--58975fa7-004c-4268-a8d3-41de02de0b81", "url--58975fa7-004c-4268-a8d3-41de02de0b81", "indicator--58975fa8-f164-4057-a063-413f02de0b81", "indicator--58975fa8-2e30-4a60-b6b8-411102de0b81", "observed-data--58975fa9-aea4-4c97-9fa7-481702de0b81", "url--58975fa9-aea4-4c97-9fa7-481702de0b81", "indicator--58975faa-65d0-4034-bbee-440c02de0b81", "indicator--58975fab-0564-4123-879b-491902de0b81", "observed-data--58975fab-1eb0-49aa-88b8-46f802de0b81", "url--58975fab-1eb0-49aa-88b8-46f802de0b81", "indicator--58975fac-a404-4333-be15-410102de0b81", "indicator--58975fad-d3d4-4eac-aaab-4c0602de0b81", "observed-data--58975fad-3aa8-4fd0-af23-4cb502de0b81", "url--58975fad-3aa8-4fd0-af23-4cb502de0b81", "indicator--58975fae-d838-4f3e-871c-4e8602de0b81", "indicator--58975faf-f7cc-470f-82fd-42dc02de0b81", "observed-data--58975fb0-40e8-4db7-88e6-45d302de0b81", "url--58975fb0-40e8-4db7-88e6-45d302de0b81", "indicator--58975fb1-fb64-4fb9-a961-4ef202de0b81", "indicator--58975fb1-7c74-45ff-a4b8-4f6d02de0b81", "observed-data--58975fb2-e3f4-4538-93cf-41e402de0b81", "url--58975fb2-e3f4-4538-93cf-41e402de0b81", "indicator--58975fb3-05dc-4249-a5d7-44b802de0b81", "indicator--58975fb4-8fac-4a73-b782-495502de0b81", "observed-data--58975fb5-2fb4-47cc-bc58-45c802de0b81", "url--58975fb5-2fb4-47cc-bc58-45c802de0b81", "indicator--58975fb5-da7c-413a-bf5b-4c9c02de0b81", "indicator--58975fb6-508c-4404-b75b-463d02de0b81", "observed-data--58975fb7-7838-40f2-a5e6-457002de0b81", "url--58975fb7-7838-40f2-a5e6-457002de0b81", "indicator--58975fb8-adc4-4972-a42a-4de302de0b81", "indicator--58975fb8-2444-468b-916a-4e7702de0b81", "observed-data--58975fb9-63ac-4da5-a0b2-4fc702de0b81", "url--58975fb9-63ac-4da5-a0b2-4fc702de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58975d3c-caf0-4a77-9002-4b8002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:16:55.000Z", "modified": "2017-02-05T17:16:55.000Z", "first_observed": "2017-02-05T17:16:55Z", "last_observed": "2017-02-05T17:16:55Z", "number_observed": 1, "object_refs": [ "url--58975d3c-caf0-4a77-9002-4b8002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"", "admiralty-scale:source-reliability=\"f\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58975d3c-caf0-4a77-9002-4b8002de0b81", "value": "https://zairon.wordpress.com/2017/02/05/from-rtf-to-cobalt-strike-passing-via-flash/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--58975d51-c544-4264-afff-04a402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:13:53.000Z", "modified": "2017-02-05T17:13:53.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Quick Sunday morning blog post, analysis of an unknown rtf file. This article is a result of an initial investigation, no attribution is done but you\u00e2\u20ac\u2122ll have all the necessary info for a deeper investigation.\r\nThe malicious document has SHA256: 5D9E1F4DAB6929BC699BA7E5C4FD09F2BBFD6B59D04CEFD8F4BF06710E684A5E.\r\n\r\nAfter a first glance I thought to know what\u00e2\u20ac\u2122s behind the rft, but running a specific script I got disappointed by the result. For a quick response, a submission to a sandbox could be the best option you have, but you\u00e2\u20ac\u2122ll miss all the fun! I decided to manually check using an hex editor because it\u00e2\u20ac\u2122s incredible how you can extract objects in a fast way." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58975d66-bef0-44f2-9073-444502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:22:31.000Z", "modified": "2017-02-05T17:22:31.000Z", "description": "malicious document - RTF file", "pattern": "[file:hashes.SHA256 = '5d9e1f4dab6929bc699ba7e5c4fd09f2bbfd6b59d04cefd8f4bf06710e684a5e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T17:22:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"", "veris:action:social:vector=\"Documents\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58975da5-2764-4039-8d46-408302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:22:32.000Z", "modified": "2017-02-05T17:22:32.000Z", "description": "Extracted payload from RTF", "pattern": "[file:hashes.SHA256 = '4c72df74a1e8039c94b188f1c5c59f30ddcc7107647689e4d908e55d04ff8b52']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T17:22:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"", "veris:action:social:vector=\"Documents\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58975dc4-52e4-489b-bf43-409202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:23:23.000Z", "modified": "2017-02-05T17:23:23.000Z", "description": "Cobalt Strike artifact url", "pattern": "[url:value = 'https://193.238.152.198/OeeC']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T17:23:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"", "adversary:infrastructure-type=\"unknown\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58975dc5-8268-450b-850d-461c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:15:49.000Z", "modified": "2017-02-05T17:15:49.000Z", "description": "Cobalt Strike", "pattern": "[file:hashes.SHA256 = '2fa6ec644b0a05c0cbe7ebaf4cc4905281e65764e91ed299d5cb3f54ab4943bf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T17:15:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58975ddc-d404-4a6f-8e95-4b6c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:16:35.000Z", "modified": "2017-02-05T17:16:35.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '193.238.152.198']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T17:16:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"", "adversary:infrastructure-state=\"active\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58975e36-6cb0-4f7d-ad7a-4a0b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:22:32.000Z", "modified": "2017-02-05T17:22:32.000Z", "description": "Possible related rtf file", "pattern": "[file:hashes.SHA256 = '7a63fc5253deb672036e018750fd40dc3e8502f3b07ef225e7e6bc1144d1d7ee']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T17:22:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"", "veris:action:social:vector=\"Documents\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58975e36-b704-437c-9c38-4ca302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:22:33.000Z", "modified": "2017-02-05T17:22:33.000Z", "description": "Possible related rtf file", "pattern": "[file:hashes.SHA256 = '08c9bd7b7b8361c5d217570019ff012773407337c9083910f2ae3a09b5401345']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T17:22:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"", "veris:action:social:vector=\"Documents\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58975e37-51e8-49c6-a2b1-403302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:22:34.000Z", "modified": "2017-02-05T17:22:34.000Z", "description": "Possible related rtf file", "pattern": "[file:hashes.SHA256 = '8e27a641684da744a0882d3664cf84d5a88b8e82ac0070d3602af0b7c103eeeb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T17:22:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"", "veris:action:social:vector=\"Documents\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58975e38-9bd0-4bf4-9a87-415b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:22:35.000Z", "modified": "2017-02-05T17:22:35.000Z", "description": "Possible related rtf file", "pattern": "[file:hashes.SHA256 = '9c7208c5c0d431738c8682cf6a2bd81df66977cbabffa0570f9d70518bece912']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T17:22:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"", "veris:action:social:vector=\"Documents\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58975e39-5fa4-4cfd-abff-4c0702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:22:35.000Z", "modified": "2017-02-05T17:22:35.000Z", "description": "Possible related rtf file", "pattern": "[file:hashes.SHA256 = '21dda5c82e5aa5c8545b96dc2d6d63e6786fea73453f5acaa571fd5c0466363d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T17:22:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"", "veris:action:social:vector=\"Documents\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58975e3a-5940-400e-9815-43e202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:22:36.000Z", "modified": "2017-02-05T17:22:36.000Z", "description": "Possible related rtf file", "pattern": "[file:hashes.SHA256 = 'af178ff11088ff59640f74191785adf134aee296652080f397cf282db36fad46']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T17:22:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"", "veris:action:social:vector=\"Documents\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58975e3a-06c4-451d-b8db-475e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:22:37.000Z", "modified": "2017-02-05T17:22:37.000Z", "description": "Possible related rtf file", "pattern": "[file:hashes.SHA256 = 'cb743f5057c77069a10ecd9e6b4fd48be096b1502e9fb3548e8a742e284eeae2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T17:22:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"", "veris:action:social:vector=\"Documents\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58975fa3-9c0c-437f-997b-402902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:23:47.000Z", "modified": "2017-02-05T17:23:47.000Z", "description": "Possible related rtf file - Xchecked via VT: cb743f5057c77069a10ecd9e6b4fd48be096b1502e9fb3548e8a742e284eeae2", "pattern": "[file:hashes.SHA1 = '862b1f9115c757e27d8c68f4a50341dbab1b15b1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T17:23:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58975fa4-1374-4b9b-baee-459f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:23:48.000Z", "modified": "2017-02-05T17:23:48.000Z", "description": "Possible related rtf file - Xchecked via VT: cb743f5057c77069a10ecd9e6b4fd48be096b1502e9fb3548e8a742e284eeae2", "pattern": "[file:hashes.MD5 = '6fdcb2847df6939f1e73c68d5cbd573f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T17:23:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58975fa5-87dc-4cce-a592-48bf02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:23:49.000Z", "modified": "2017-02-05T17:23:49.000Z", "first_observed": "2017-02-05T17:23:49Z", "last_observed": "2017-02-05T17:23:49Z", "number_observed": 1, "object_refs": [ "url--58975fa5-87dc-4cce-a592-48bf02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58975fa5-87dc-4cce-a592-48bf02de0b81", "value": "https://www.virustotal.com/file/cb743f5057c77069a10ecd9e6b4fd48be096b1502e9fb3548e8a742e284eeae2/analysis/1486307052/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58975fa6-5168-4935-9c13-4ea002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:23:50.000Z", "modified": "2017-02-05T17:23:50.000Z", "description": "Possible related rtf file - Xchecked via VT: af178ff11088ff59640f74191785adf134aee296652080f397cf282db36fad46", "pattern": "[file:hashes.SHA1 = 'e46e43116e35581eaeb26eee22d36bbb6bde032d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T17:23:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58975fa6-b790-4925-b617-423002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:23:50.000Z", "modified": "2017-02-05T17:23:50.000Z", "description": "Possible related rtf file - Xchecked via VT: af178ff11088ff59640f74191785adf134aee296652080f397cf282db36fad46", "pattern": "[file:hashes.MD5 = 'bc68d2a2b56789cf399e7530f1352fdc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T17:23:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58975fa7-004c-4268-a8d3-41de02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:23:51.000Z", "modified": "2017-02-05T17:23:51.000Z", "first_observed": "2017-02-05T17:23:51Z", "last_observed": "2017-02-05T17:23:51Z", "number_observed": 1, "object_refs": [ "url--58975fa7-004c-4268-a8d3-41de02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58975fa7-004c-4268-a8d3-41de02de0b81", "value": "https://www.virustotal.com/file/af178ff11088ff59640f74191785adf134aee296652080f397cf282db36fad46/analysis/1485937101/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58975fa8-f164-4057-a063-413f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:23:52.000Z", "modified": "2017-02-05T17:23:52.000Z", "description": "Possible related rtf file - Xchecked via VT: 21dda5c82e5aa5c8545b96dc2d6d63e6786fea73453f5acaa571fd5c0466363d", "pattern": "[file:hashes.SHA1 = 'f8bf4c87ec8eabad4dbf916328f50b02a5898c00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T17:23:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58975fa8-2e30-4a60-b6b8-411102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:23:52.000Z", "modified": "2017-02-05T17:23:52.000Z", "description": "Possible related rtf file - Xchecked via VT: 21dda5c82e5aa5c8545b96dc2d6d63e6786fea73453f5acaa571fd5c0466363d", "pattern": "[file:hashes.MD5 = '3d4f5b714a19b7545e57743ee0003337']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T17:23:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58975fa9-aea4-4c97-9fa7-481702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:23:53.000Z", "modified": "2017-02-05T17:23:53.000Z", "first_observed": "2017-02-05T17:23:53Z", "last_observed": "2017-02-05T17:23:53Z", "number_observed": 1, "object_refs": [ "url--58975fa9-aea4-4c97-9fa7-481702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58975fa9-aea4-4c97-9fa7-481702de0b81", "value": "https://www.virustotal.com/file/21dda5c82e5aa5c8545b96dc2d6d63e6786fea73453f5acaa571fd5c0466363d/analysis/1485331419/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58975faa-65d0-4034-bbee-440c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:23:54.000Z", "modified": "2017-02-05T17:23:54.000Z", "description": "Possible related rtf file - Xchecked via VT: 9c7208c5c0d431738c8682cf6a2bd81df66977cbabffa0570f9d70518bece912", "pattern": "[file:hashes.SHA1 = 'c51a1ef7e599150437fc8947d94e6d9edea18be6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T17:23:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58975fab-0564-4123-879b-491902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:23:55.000Z", "modified": "2017-02-05T17:23:55.000Z", "description": "Possible related rtf file - Xchecked via VT: 9c7208c5c0d431738c8682cf6a2bd81df66977cbabffa0570f9d70518bece912", "pattern": "[file:hashes.MD5 = 'fd3f5a495a8d573f9b6add69a6af9b7d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T17:23:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58975fab-1eb0-49aa-88b8-46f802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:23:55.000Z", "modified": "2017-02-05T17:23:55.000Z", "first_observed": "2017-02-05T17:23:55Z", "last_observed": "2017-02-05T17:23:55Z", "number_observed": 1, "object_refs": [ "url--58975fab-1eb0-49aa-88b8-46f802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58975fab-1eb0-49aa-88b8-46f802de0b81", "value": "https://www.virustotal.com/file/9c7208c5c0d431738c8682cf6a2bd81df66977cbabffa0570f9d70518bece912/analysis/1485841113/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58975fac-a404-4333-be15-410102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:23:56.000Z", "modified": "2017-02-05T17:23:56.000Z", "description": "Possible related rtf file - Xchecked via VT: 8e27a641684da744a0882d3664cf84d5a88b8e82ac0070d3602af0b7c103eeeb", "pattern": "[file:hashes.SHA1 = 'a963103fb9802a59c99f0ced333586a33f1f5d5d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T17:23:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58975fad-d3d4-4eac-aaab-4c0602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:23:57.000Z", "modified": "2017-02-05T17:23:57.000Z", "description": "Possible related rtf file - Xchecked via VT: 8e27a641684da744a0882d3664cf84d5a88b8e82ac0070d3602af0b7c103eeeb", "pattern": "[file:hashes.MD5 = 'a5a507f41a217097d6394256ee401977']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T17:23:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58975fad-3aa8-4fd0-af23-4cb502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:23:57.000Z", "modified": "2017-02-05T17:23:57.000Z", "first_observed": "2017-02-05T17:23:57Z", "last_observed": "2017-02-05T17:23:57Z", "number_observed": 1, "object_refs": [ "url--58975fad-3aa8-4fd0-af23-4cb502de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58975fad-3aa8-4fd0-af23-4cb502de0b81", "value": "https://www.virustotal.com/file/8e27a641684da744a0882d3664cf84d5a88b8e82ac0070d3602af0b7c103eeeb/analysis/1485962308/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58975fae-d838-4f3e-871c-4e8602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:23:58.000Z", "modified": "2017-02-05T17:23:58.000Z", "description": "Possible related rtf file - Xchecked via VT: 08c9bd7b7b8361c5d217570019ff012773407337c9083910f2ae3a09b5401345", "pattern": "[file:hashes.SHA1 = '463344f0ad46323fa191237db21e8e46a019fbfc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T17:23:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58975faf-f7cc-470f-82fd-42dc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:23:59.000Z", "modified": "2017-02-05T17:23:59.000Z", "description": "Possible related rtf file - Xchecked via VT: 08c9bd7b7b8361c5d217570019ff012773407337c9083910f2ae3a09b5401345", "pattern": "[file:hashes.MD5 = '60cab9d4211216b82e6430a7c51157fa']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T17:23:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58975fb0-40e8-4db7-88e6-45d302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:24:00.000Z", "modified": "2017-02-05T17:24:00.000Z", "first_observed": "2017-02-05T17:24:00Z", "last_observed": "2017-02-05T17:24:00Z", "number_observed": 1, "object_refs": [ "url--58975fb0-40e8-4db7-88e6-45d302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58975fb0-40e8-4db7-88e6-45d302de0b81", "value": "https://www.virustotal.com/file/08c9bd7b7b8361c5d217570019ff012773407337c9083910f2ae3a09b5401345/analysis/1485865450/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58975fb1-fb64-4fb9-a961-4ef202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:24:01.000Z", "modified": "2017-02-05T17:24:01.000Z", "description": "Possible related rtf file - Xchecked via VT: 7a63fc5253deb672036e018750fd40dc3e8502f3b07ef225e7e6bc1144d1d7ee", "pattern": "[file:hashes.SHA1 = 'c90fdf1e20aa39cd84479543101d2b4f299b3485']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T17:24:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58975fb1-7c74-45ff-a4b8-4f6d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:24:01.000Z", "modified": "2017-02-05T17:24:01.000Z", "description": "Possible related rtf file - Xchecked via VT: 7a63fc5253deb672036e018750fd40dc3e8502f3b07ef225e7e6bc1144d1d7ee", "pattern": "[file:hashes.MD5 = 'b254fe605efdcc2aa235d431b1a30fa9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T17:24:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58975fb2-e3f4-4538-93cf-41e402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:24:02.000Z", "modified": "2017-02-05T17:24:02.000Z", "first_observed": "2017-02-05T17:24:02Z", "last_observed": "2017-02-05T17:24:02Z", "number_observed": 1, "object_refs": [ "url--58975fb2-e3f4-4538-93cf-41e402de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58975fb2-e3f4-4538-93cf-41e402de0b81", "value": "https://www.virustotal.com/file/7a63fc5253deb672036e018750fd40dc3e8502f3b07ef225e7e6bc1144d1d7ee/analysis/1485428950/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58975fb3-05dc-4249-a5d7-44b802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:24:03.000Z", "modified": "2017-02-05T17:24:03.000Z", "description": "Cobalt Strike - Xchecked via VT: 2fa6ec644b0a05c0cbe7ebaf4cc4905281e65764e91ed299d5cb3f54ab4943bf", "pattern": "[file:hashes.SHA1 = '2ee7db02a2a0a7b0666fe544d803384cbbdfba9c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T17:24:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58975fb4-8fac-4a73-b782-495502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:24:04.000Z", "modified": "2017-02-05T17:24:04.000Z", "description": "Cobalt Strike - Xchecked via VT: 2fa6ec644b0a05c0cbe7ebaf4cc4905281e65764e91ed299d5cb3f54ab4943bf", "pattern": "[file:hashes.MD5 = '992722358935ce18c759333fee0588e0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T17:24:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58975fb5-2fb4-47cc-bc58-45c802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:24:05.000Z", "modified": "2017-02-05T17:24:05.000Z", "first_observed": "2017-02-05T17:24:05Z", "last_observed": "2017-02-05T17:24:05Z", "number_observed": 1, "object_refs": [ "url--58975fb5-2fb4-47cc-bc58-45c802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58975fb5-2fb4-47cc-bc58-45c802de0b81", "value": "https://www.virustotal.com/file/2fa6ec644b0a05c0cbe7ebaf4cc4905281e65764e91ed299d5cb3f54ab4943bf/analysis/1486218685/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58975fb5-da7c-413a-bf5b-4c9c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:24:05.000Z", "modified": "2017-02-05T17:24:05.000Z", "description": "Extracted payload from RTF - Xchecked via VT: 4c72df74a1e8039c94b188f1c5c59f30ddcc7107647689e4d908e55d04ff8b52", "pattern": "[file:hashes.SHA1 = 'b7b53be3e38408ca9c0269cace71ae23994f168b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T17:24:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58975fb6-508c-4404-b75b-463d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:24:06.000Z", "modified": "2017-02-05T17:24:06.000Z", "description": "Extracted payload from RTF - Xchecked via VT: 4c72df74a1e8039c94b188f1c5c59f30ddcc7107647689e4d908e55d04ff8b52", "pattern": "[file:hashes.MD5 = '6faf7bf340105e5a119520761149c13f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T17:24:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58975fb7-7838-40f2-a5e6-457002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:24:07.000Z", "modified": "2017-02-05T17:24:07.000Z", "first_observed": "2017-02-05T17:24:07Z", "last_observed": "2017-02-05T17:24:07Z", "number_observed": 1, "object_refs": [ "url--58975fb7-7838-40f2-a5e6-457002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58975fb7-7838-40f2-a5e6-457002de0b81", "value": "https://www.virustotal.com/file/4c72df74a1e8039c94b188f1c5c59f30ddcc7107647689e4d908e55d04ff8b52/analysis/1486194786/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58975fb8-adc4-4972-a42a-4de302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:24:08.000Z", "modified": "2017-02-05T17:24:08.000Z", "description": "malicious document - RTF file - Xchecked via VT: 5d9e1f4dab6929bc699ba7e5c4fd09f2bbfd6b59d04cefd8f4bf06710e684a5e", "pattern": "[file:hashes.SHA1 = '7fe6cc2412b97fd27ca1bfb42ac811933c948f61']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T17:24:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58975fb8-2444-468b-916a-4e7702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:24:08.000Z", "modified": "2017-02-05T17:24:08.000Z", "description": "malicious document - RTF file - Xchecked via VT: 5d9e1f4dab6929bc699ba7e5c4fd09f2bbfd6b59d04cefd8f4bf06710e684a5e", "pattern": "[file:hashes.MD5 = '81f829be44598ccf33382920f2597104']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-05T17:24:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58975fb9-63ac-4da5-a0b2-4fc702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-05T17:24:09.000Z", "modified": "2017-02-05T17:24:09.000Z", "first_observed": "2017-02-05T17:24:09Z", "last_observed": "2017-02-05T17:24:09Z", "number_observed": 1, "object_refs": [ "url--58975fb9-63ac-4da5-a0b2-4fc702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58975fb9-63ac-4da5-a0b2-4fc702de0b81", "value": "https://www.virustotal.com/file/5d9e1f4dab6929bc699ba7e5c4fd09f2bbfd6b59d04cefd8f4bf06710e684a5e/analysis/1485944570/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }