{ "type": "bundle", "id": "bundle--59a25cc4-e870-4bef-a7d1-48a802de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-27T05:51:40.000Z", "modified": "2017-08-27T05:51:40.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--59a25cc4-e870-4bef-a7d1-48a802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-27T05:51:40.000Z", "modified": "2017-08-27T05:51:40.000Z", "name": "OSINT - Ukrainian Financial Institutions Targeted by Wave of Malicious EPS File Attacks", "published": "2017-08-27T05:56:47Z", "object_refs": [ "vulnerability--59a25cf6-d7a0-4d00-8b4e-45f902de0b81", "vulnerability--59a25cf6-9670-4c50-a443-409202de0b81", "vulnerability--59a25cf6-affc-42cf-948f-4f5b02de0b81", "indicator--59a25d41-4b6c-4cbc-8e15-44a602de0b81", "indicator--59a25d41-974c-4dad-b1d5-40fc02de0b81", "indicator--59a25d41-d920-44d6-a046-4bf002de0b81", "indicator--59a25d41-8a74-4e53-a3bb-43ab02de0b81", "indicator--59a25d41-ac30-47e6-832d-411102de0b81", "indicator--59a25d7d-17d8-48c9-9f7a-45aa02de0b81", "x-misp-attribute--59a25da6-2424-4517-af23-4b6702de0b81", "x-misp-attribute--59a25da6-eea4-46cf-a439-400c02de0b81", "observed-data--59a25dc1-ee70-4f02-9db8-b60e02de0b81", "email-message--59a25dc1-ee70-4f02-9db8-b60e02de0b81", "file--59a25dc1-ee70-4f02-9db8-b60e02de0b81", "observed-data--59a25dc1-7764-4a0b-89c0-b60e02de0b81", "email-message--59a25dc1-7764-4a0b-89c0-b60e02de0b81", "file--59a25dc1-7764-4a0b-89c0-b60e02de0b81", "observed-data--59a25dc1-db3c-46fb-bd1c-b60e02de0b81", "email-message--59a25dc1-db3c-46fb-bd1c-b60e02de0b81", "file--59a25dc1-db3c-46fb-bd1c-b60e02de0b81", "observed-data--59a25dc1-36c4-412d-8b6d-b60e02de0b81", "email-message--59a25dc1-36c4-412d-8b6d-b60e02de0b81", "file--59a25dc1-36c4-412d-8b6d-b60e02de0b81", "observed-data--59a25dc1-9058-4d49-b0e9-b60e02de0b81", 
"email-message--59a25dc1-9058-4d49-b0e9-b60e02de0b81", "file--59a25dc1-9058-4d49-b0e9-b60e02de0b81", "x-misp-attribute--59a25dd9-bf68-45c0-9374-494302de0b81", "indicator--59a25dec-e044-4ab0-a56f-b60e02de0b81", "indicator--59a25dec-a75c-45e3-89eb-b60e02de0b81", "observed-data--59a25dec-f1ac-4268-8c34-b60e02de0b81", "url--59a25dec-f1ac-4268-8c34-b60e02de0b81", "indicator--59a25dec-cd54-489e-ada2-b60e02de0b81", "indicator--59a25dec-eb38-4439-88b3-b60e02de0b81", "observed-data--59a25dec-7f9c-4fd1-8047-b60e02de0b81", "url--59a25dec-7f9c-4fd1-8047-b60e02de0b81", "indicator--59a25dec-5794-402f-a588-b60e02de0b81", "indicator--59a25dec-2500-44c2-b562-b60e02de0b81", "observed-data--59a25dec-0d44-442b-b613-b60e02de0b81", "url--59a25dec-0d44-442b-b613-b60e02de0b81", "indicator--59a25dec-a084-4101-8ba1-b60e02de0b81", "indicator--59a25dec-2e20-4de3-90c2-b60e02de0b81", "observed-data--59a25dec-6aa8-4213-a915-b60e02de0b81", "url--59a25dec-6aa8-4213-a915-b60e02de0b81", "indicator--59a25dec-bc48-4a8a-8977-b60e02de0b81", "indicator--59a25dec-355c-4c9b-8590-b60e02de0b81", "observed-data--59a25dec-c0d8-4432-a038-b60e02de0b81", "url--59a25dec-c0d8-4432-a038-b60e02de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "circl:topic=\"finance\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--59a25cf6-d7a0-4d00-8b4e-45f902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-27T05:51:40.000Z", "modified": "2017-08-27T05:51:40.000Z", "name": "CVE-2015-2545", "labels": [ "misp:type=\"vulnerability\"", "misp:category=\"Payload delivery\"", "circl:incident-classification=\"vulnerability\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2015-2545" } ] }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--59a25cf6-9670-4c50-a443-409202de0b81", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-27T05:51:40.000Z", "modified": "2017-08-27T05:51:40.000Z", "name": "CVE-2017-0261", "labels": [ "misp:type=\"vulnerability\"", "misp:category=\"Payload delivery\"", "circl:incident-classification=\"vulnerability\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2017-0261" } ] }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--59a25cf6-affc-42cf-948f-4f5b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-27T05:51:40.000Z", "modified": "2017-08-27T05:51:40.000Z", "name": "CVE-2017-0262", "labels": [ "misp:type=\"vulnerability\"", "misp:category=\"Payload delivery\"", "circl:incident-classification=\"vulnerability\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2017-0262" } ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a25d41-4b6c-4cbc-8e15-44a602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-27T05:51:40.000Z", "modified": "2017-08-27T05:51:40.000Z", "pattern": "[file:hashes.SHA256 = 'ecc055974d7d190871dc4eb1bf1f8b998d6e8abf04dba2ff560ae395aeec4d5d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-27T05:51:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a25d41-974c-4dad-b1d5-40fc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-27T05:51:40.000Z", "modified": "2017-08-27T05:51:40.000Z", "pattern": "[file:hashes.SHA256 = '430c1bfa22e0f7b0e8742c0d70b8911089ba58645818e4281d7066d1324a3952']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-27T05:51:40Z", "kill_chain_phases": [ { 
"kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a25d41-d920-44d6-a046-4bf002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-27T05:51:40.000Z", "modified": "2017-08-27T05:51:40.000Z", "pattern": "[file:hashes.SHA256 = '1892154cc47e8a1bc81186d131e001a22e4edbc4fd88688eb1782b934e1941b6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-27T05:51:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a25d41-8a74-4e53-a3bb-43ab02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-27T05:51:40.000Z", "modified": "2017-08-27T05:51:40.000Z", "pattern": "[file:hashes.SHA256 = 'e9d843761df7f6ef193d9f8e88d93a90816f2067fdd51a1c0765dfbfd4cb398f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-27T05:51:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a25d41-ac30-47e6-832d-411102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-27T05:51:40.000Z", "modified": "2017-08-27T05:51:40.000Z", "pattern": "[file:hashes.SHA256 = '647572d133677882f52843f799375ac77178616bcd3d9ed13b95d49eecfd0a51']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-27T05:51:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } 
], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a25d7d-17d8-48c9-9f7a-45aa02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-27T05:51:40.000Z", "modified": "2017-08-27T05:51:40.000Z", "description": "Once the malware has managed to infect a system, it tries to connect to a server based in France over TCP port 80", "pattern": "[url:value = 'http://137.74.224.142/z/get.php?name=3c6*****']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-27T05:51:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--59a25da6-2424-4517-af23-4b6702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-27T05:51:40.000Z", "modified": "2017-08-27T05:51:40.000Z", "labels": [ "misp:type=\"pattern-in-file\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ], "x_misp_category": "Artifacts dropped", "x_misp_comment": "When we dug deeper into the details of the \u2018image1.eps\u2019 file, we noticed two awkward strings that you normally wouldn\u2019t see in malware", "x_misp_type": "pattern-in-file", "x_misp_value": "%%Icantdestroywhatisntthere" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--59a25da6-eea4-46cf-a439-400c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-27T05:51:40.000Z", "modified": "2017-08-27T05:51:40.000Z", "labels": [ "misp:type=\"pattern-in-file\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ], "x_misp_category": "Artifacts dropped", "x_misp_comment": "When we dug 
deeper into the details of the \u2018image1.eps\u2019 file, we noticed two awkward strings that you normally wouldn\u2019t see in malware", "x_misp_type": "pattern-in-file", "x_misp_value": "%%Myheartisjusttoodarktocare" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a25dc1-ee70-4f02-9db8-b60e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-27T05:51:40.000Z", "modified": "2017-08-27T05:51:40.000Z", "first_observed": "2017-08-27T05:51:40Z", "last_observed": "2017-08-27T05:51:40Z", "number_observed": 1, "object_refs": [ "email-message--59a25dc1-ee70-4f02-9db8-b60e02de0b81", "file--59a25dc1-ee70-4f02-9db8-b60e02de0b81" ], "labels": [ "misp:type=\"email-attachment\"", "misp:category=\"Payload delivery\"" ] }, { "type": "email-message", "spec_version": "2.1", "id": "email-message--59a25dc1-ee70-4f02-9db8-b60e02de0b81", "is_multipart": true, "body_multipart": [ { "body_raw_ref": "file--59a25dc1-ee70-4f02-9db8-b60e02de0b81", "content_disposition": "attachment; filename='\u00d0\u2019\u00d1\u2039\u00d0\u00bf\u00d0\u00b8\u00d1\u0081\u00d0\u00ba\u00d0\u00b0.docx'" } ] }, { "type": "file", "spec_version": "2.1", "id": "file--59a25dc1-ee70-4f02-9db8-b60e02de0b81", "name": "\u00d0\u2019\u00d1\u2039\u00d0\u00bf\u00d0\u00b8\u00d1\u0081\u00d0\u00ba\u00d0\u00b0.docx" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a25dc1-7764-4a0b-89c0-b60e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-27T05:51:40.000Z", "modified": "2017-08-27T05:51:40.000Z", "first_observed": "2017-08-27T05:51:40Z", "last_observed": "2017-08-27T05:51:40Z", "number_observed": 1, "object_refs": [ "email-message--59a25dc1-7764-4a0b-89c0-b60e02de0b81", "file--59a25dc1-7764-4a0b-89c0-b60e02de0b81" ], "labels": [ "misp:type=\"email-attachment\"", "misp:category=\"Payload delivery\"" ] }, { "type": "email-message", 
"spec_version": "2.1", "id": "email-message--59a25dc1-7764-4a0b-89c0-b60e02de0b81", "is_multipart": true, "body_multipart": [ { "body_raw_ref": "file--59a25dc1-7764-4a0b-89c0-b60e02de0b81", "content_disposition": "attachment; filename='\u00d0\u2019\u00d1\u2039\u00d0\u00bf\u00d0\u00b8\u00d1\u0081\u00d0\u00ba\u00d0\u00b0 \u00d0\u00bf\u00d0\u00be \u00d1\u0081\u00d1\u2021\u00d0\u00b5\u00d1\u201a\u00d1\u0192.docx'" } ] }, { "type": "file", "spec_version": "2.1", "id": "file--59a25dc1-7764-4a0b-89c0-b60e02de0b81", "name": "\u00d0\u2019\u00d1\u2039\u00d0\u00bf\u00d0\u00b8\u00d1\u0081\u00d0\u00ba\u00d0\u00b0 \u00d0\u00bf\u00d0\u00be \u00d1\u0081\u00d1\u2021\u00d0\u00b5\u00d1\u201a\u00d1\u0192.docx" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a25dc1-db3c-46fb-bd1c-b60e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-27T05:51:40.000Z", "modified": "2017-08-27T05:51:40.000Z", "first_observed": "2017-08-27T05:51:40Z", "last_observed": "2017-08-27T05:51:40Z", "number_observed": 1, "object_refs": [ "email-message--59a25dc1-db3c-46fb-bd1c-b60e02de0b81", "file--59a25dc1-db3c-46fb-bd1c-b60e02de0b81" ], "labels": [ "misp:type=\"email-attachment\"", "misp:category=\"Payload delivery\"" ] }, { "type": "email-message", "spec_version": "2.1", "id": "email-message--59a25dc1-db3c-46fb-bd1c-b60e02de0b81", "is_multipart": true, "body_multipart": [ { "body_raw_ref": "file--59a25dc1-db3c-46fb-bd1c-b60e02de0b81", "content_disposition": "attachment; filename='\u00d0\u2019\u00d1\u2039\u00d0\u00bf\u00d0\u00b8\u00d1\u0081\u00d0\u00ba\u00d0\u00b0 \u00d0\u00bf\u00d0\u00be \u00d0\u00ba\u00d0\u00b0\u00d1\u20ac\u00d1\u201a\u00d0\u00b5.docx'" } ] }, { "type": "file", "spec_version": "2.1", "id": "file--59a25dc1-db3c-46fb-bd1c-b60e02de0b81", "name": "\u00d0\u2019\u00d1\u2039\u00d0\u00bf\u00d0\u00b8\u00d1\u0081\u00d0\u00ba\u00d0\u00b0 \u00d0\u00bf\u00d0\u00be 
\u00d0\u00ba\u00d0\u00b0\u00d1\u20ac\u00d1\u201a\u00d0\u00b5.docx" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a25dc1-36c4-412d-8b6d-b60e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-27T05:51:40.000Z", "modified": "2017-08-27T05:51:40.000Z", "first_observed": "2017-08-27T05:51:40Z", "last_observed": "2017-08-27T05:51:40Z", "number_observed": 1, "object_refs": [ "email-message--59a25dc1-36c4-412d-8b6d-b60e02de0b81", "file--59a25dc1-36c4-412d-8b6d-b60e02de0b81" ], "labels": [ "misp:type=\"email-attachment\"", "misp:category=\"Payload delivery\"" ] }, { "type": "email-message", "spec_version": "2.1", "id": "email-message--59a25dc1-36c4-412d-8b6d-b60e02de0b81", "is_multipart": true, "body_multipart": [ { "body_raw_ref": "file--59a25dc1-36c4-412d-8b6d-b60e02de0b81", "content_disposition": "attachment; filename='\u00d0\u2019\u00d1\u2039\u00d0\u00bf\u00d0\u00b8\u00d1\u0081\u00d0\u00ba\u00d0\u00b0 \u00d0\u00bf\u00d0\u00be \u00d0\u00ba\u00d0\u00b0\u00d1\u20ac\u00d1\u201a\u00d0\u00b5 \u00d0\u00ba\u00d0\u00bb\u00d0\u00b8\u00d0\u00b5\u00d0\u00bd\u00d1\u201a\u00d0\u00b0.docx'" } ] }, { "type": "file", "spec_version": "2.1", "id": "file--59a25dc1-36c4-412d-8b6d-b60e02de0b81", "name": "\u00d0\u2019\u00d1\u2039\u00d0\u00bf\u00d0\u00b8\u00d1\u0081\u00d0\u00ba\u00d0\u00b0 \u00d0\u00bf\u00d0\u00be \u00d0\u00ba\u00d0\u00b0\u00d1\u20ac\u00d1\u201a\u00d0\u00b5 \u00d0\u00ba\u00d0\u00bb\u00d0\u00b8\u00d0\u00b5\u00d0\u00bd\u00d1\u201a\u00d0\u00b0.docx" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a25dc1-9058-4d49-b0e9-b60e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-27T05:51:40.000Z", "modified": "2017-08-27T05:51:40.000Z", "first_observed": "2017-08-27T05:51:40Z", "last_observed": "2017-08-27T05:51:40Z", "number_observed": 1, "object_refs": [ "email-message--59a25dc1-9058-4d49-b0e9-b60e02de0b81", 
"file--59a25dc1-9058-4d49-b0e9-b60e02de0b81" ], "labels": [ "misp:type=\"email-attachment\"", "misp:category=\"Payload delivery\"" ] }, { "type": "email-message", "spec_version": "2.1", "id": "email-message--59a25dc1-9058-4d49-b0e9-b60e02de0b81", "is_multipart": true, "body_multipart": [ { "body_raw_ref": "file--59a25dc1-9058-4d49-b0e9-b60e02de0b81", "content_disposition": "attachment; filename='12.docx'" } ] }, { "type": "file", "spec_version": "2.1", "id": "file--59a25dc1-9058-4d49-b0e9-b60e02de0b81", "name": "12.docx" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--59a25dd9-bf68-45c0-9374-494302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-27T05:51:40.000Z", "modified": "2017-08-27T05:51:40.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Last week, the Ukrainian Central Bank issued a warning around an attack being launched against Ukrainian banks. Thanks to one of our contacts in the region, we received the malware at an early stage and were able to provide coverage for our customers\u2014always our first priority. Now that local authorities have publicly disclosed the matter, we would like to share some insights into the campaign.\r\n\r\nThe attacks appear to have targeted banks in Russia as well as Ukraine, and we are aware of reports of similar attack vectors and payloads in other countries.\r\n\r\nThe initial threat started with emails sent to the banks around August 10, 2017, and a second wave on August 18 that carried attachments containing a payload. The subject of the emails were triggered to get the attention of the users and lure them into opening the attachments." 
}, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a25dec-e044-4ab0-a56f-b60e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-27T05:51:40.000Z", "modified": "2017-08-27T05:51:40.000Z", "description": "- Xchecked via VT: 647572d133677882f52843f799375ac77178616bcd3d9ed13b95d49eecfd0a51", "pattern": "[file:hashes.SHA1 = '583570d92cc49ec7661c055c4900c439446307f9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-27T05:51:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a25dec-a75c-45e3-89eb-b60e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-27T05:51:40.000Z", "modified": "2017-08-27T05:51:40.000Z", "description": "- Xchecked via VT: 647572d133677882f52843f799375ac77178616bcd3d9ed13b95d49eecfd0a51", "pattern": "[file:hashes.MD5 = '4eee1c5db5c4678cfa7ad6262a18253d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-27T05:51:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a25dec-f1ac-4268-8c34-b60e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-27T05:51:40.000Z", "modified": "2017-08-27T05:51:40.000Z", "first_observed": "2017-08-27T05:51:40Z", "last_observed": "2017-08-27T05:51:40Z", "number_observed": 1, "object_refs": [ "url--59a25dec-f1ac-4268-8c34-b60e02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": 
"url--59a25dec-f1ac-4268-8c34-b60e02de0b81", "value": "https://www.virustotal.com/file/647572d133677882f52843f799375ac77178616bcd3d9ed13b95d49eecfd0a51/analysis/1503366922/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a25dec-cd54-489e-ada2-b60e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-27T05:51:40.000Z", "modified": "2017-08-27T05:51:40.000Z", "description": "- Xchecked via VT: e9d843761df7f6ef193d9f8e88d93a90816f2067fdd51a1c0765dfbfd4cb398f", "pattern": "[file:hashes.SHA1 = 'dfaa3825b6bf2fc21978bf3234f38ffbd2966b96']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-27T05:51:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a25dec-eb38-4439-88b3-b60e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-27T05:51:40.000Z", "modified": "2017-08-27T05:51:40.000Z", "description": "- Xchecked via VT: e9d843761df7f6ef193d9f8e88d93a90816f2067fdd51a1c0765dfbfd4cb398f", "pattern": "[file:hashes.MD5 = '98c5c33f5c0bd07ac3e24935edab202a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-27T05:51:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a25dec-7f9c-4fd1-8047-b60e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-27T05:51:40.000Z", "modified": "2017-08-27T05:51:40.000Z", "first_observed": "2017-08-27T05:51:40Z", "last_observed": "2017-08-27T05:51:40Z", "number_observed": 1, "object_refs": [ 
"url--59a25dec-7f9c-4fd1-8047-b60e02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a25dec-7f9c-4fd1-8047-b60e02de0b81", "value": "https://www.virustotal.com/file/e9d843761df7f6ef193d9f8e88d93a90816f2067fdd51a1c0765dfbfd4cb398f/analysis/1503021378/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a25dec-5794-402f-a588-b60e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-27T05:51:40.000Z", "modified": "2017-08-27T05:51:40.000Z", "description": "- Xchecked via VT: 1892154cc47e8a1bc81186d131e001a22e4edbc4fd88688eb1782b934e1941b6", "pattern": "[file:hashes.SHA1 = 'a85e66a654ca056a14f64516af62e82c07036e06']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-27T05:51:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a25dec-2500-44c2-b562-b60e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-27T05:51:40.000Z", "modified": "2017-08-27T05:51:40.000Z", "description": "- Xchecked via VT: 1892154cc47e8a1bc81186d131e001a22e4edbc4fd88688eb1782b934e1941b6", "pattern": "[file:hashes.MD5 = 'cfc0b41a7cde01333f10d48e9997d293']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-27T05:51:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a25dec-0d44-442b-b613-b60e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-27T05:51:40.000Z", 
"modified": "2017-08-27T05:51:40.000Z", "first_observed": "2017-08-27T05:51:40Z", "last_observed": "2017-08-27T05:51:40Z", "number_observed": 1, "object_refs": [ "url--59a25dec-0d44-442b-b613-b60e02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a25dec-0d44-442b-b613-b60e02de0b81", "value": "https://www.virustotal.com/file/1892154cc47e8a1bc81186d131e001a22e4edbc4fd88688eb1782b934e1941b6/analysis/1503475768/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a25dec-a084-4101-8ba1-b60e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-27T05:51:40.000Z", "modified": "2017-08-27T05:51:40.000Z", "description": "- Xchecked via VT: 430c1bfa22e0f7b0e8742c0d70b8911089ba58645818e4281d7066d1324a3952", "pattern": "[file:hashes.SHA1 = 'a8bcbaedfbd3eff1e3d5005c35bd8f4c4f6f325c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-27T05:51:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a25dec-2e20-4de3-90c2-b60e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-27T05:51:40.000Z", "modified": "2017-08-27T05:51:40.000Z", "description": "- Xchecked via VT: 430c1bfa22e0f7b0e8742c0d70b8911089ba58645818e4281d7066d1324a3952", "pattern": "[file:hashes.MD5 = '5df8067a6fcb6c45c3b5c14adb944806']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-27T05:51:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": 
"observed-data--59a25dec-6aa8-4213-a915-b60e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-27T05:51:40.000Z", "modified": "2017-08-27T05:51:40.000Z", "first_observed": "2017-08-27T05:51:40Z", "last_observed": "2017-08-27T05:51:40Z", "number_observed": 1, "object_refs": [ "url--59a25dec-6aa8-4213-a915-b60e02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a25dec-6aa8-4213-a915-b60e02de0b81", "value": "https://www.virustotal.com/file/430c1bfa22e0f7b0e8742c0d70b8911089ba58645818e4281d7066d1324a3952/analysis/1503474922/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a25dec-bc48-4a8a-8977-b60e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-27T05:51:40.000Z", "modified": "2017-08-27T05:51:40.000Z", "description": "- Xchecked via VT: ecc055974d7d190871dc4eb1bf1f8b998d6e8abf04dba2ff560ae395aeec4d5d", "pattern": "[file:hashes.SHA1 = '5983b31b80b7f3d84d9d0436574a7351d8522e9c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-27T05:51:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a25dec-355c-4c9b-8590-b60e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-27T05:51:40.000Z", "modified": "2017-08-27T05:51:40.000Z", "description": "- Xchecked via VT: ecc055974d7d190871dc4eb1bf1f8b998d6e8abf04dba2ff560ae395aeec4d5d", "pattern": "[file:hashes.MD5 = 'c43f1716d6dbb243f0b8cd92944a04bd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-27T05:51:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], 
"labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a25dec-c0d8-4432-a038-b60e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-27T05:51:40.000Z", "modified": "2017-08-27T05:51:40.000Z", "first_observed": "2017-08-27T05:51:40Z", "last_observed": "2017-08-27T05:51:40Z", "number_observed": 1, "object_refs": [ "url--59a25dec-c0d8-4432-a038-b60e02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a25dec-c0d8-4432-a038-b60e02de0b81", "value": "https://www.virustotal.com/file/ecc055974d7d190871dc4eb1bf1f8b998d6e8abf04dba2ff560ae395aeec4d5d/analysis/1503475773/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }