{ "type": "bundle", "id": "bundle--59f6f4a5-0e10-4c36-9c71-5690c25ed030", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2019-09-23T13:15:30.000Z", "modified": "2019-09-23T13:15:30.000Z", "name": "CERT-RLP", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--59f6f4a5-0e10-4c36-9c71-5690c25ed030", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2019-09-23T13:15:30.000Z", "modified": "2019-09-23T13:15:30.000Z", "name": "Evasive Sage 2.2 Ransomware", "published": "2019-10-08T21:45:05Z", "object_refs": [ "observed-data--59f6f515-043c-4947-8052-568dc25ed030", "url--59f6f515-043c-4947-8052-568dc25ed030", "indicator--5a002e66-0924-4cc1-ba34-4d2c950d210f", "indicator--5a002e66-2624-4b10-9db5-420a950d210f", "indicator--5a002e66-874c-4c64-a1a3-4d2d950d210f", "indicator--5a002e66-e384-4470-9a48-49d5950d210f", "indicator--5a002e66-935c-4180-8284-4b63950d210f", "indicator--5a002f24-0bf4-4910-8082-48b5950d210f", "indicator--5a002f24-3040-4e33-bc00-4530950d210f", "indicator--5a002f24-635c-4359-a94d-4c28950d210f", "indicator--5a002f24-6610-4fa9-8f2a-41bc950d210f", "indicator--5a002f24-681c-4eb7-9d01-4499950d210f", "indicator--5a002f24-a3f8-450d-ac12-4783950d210f", "indicator--5a002f24-f914-4587-a4c7-407d950d210f", "indicator--5a002f24-da2c-4cd1-9d67-4bec950d210f", "indicator--5a002f24-a744-4583-b461-462d950d210f", "indicator--5a002f24-9798-4245-a328-4f08950d210f", "indicator--5a002f24-8a44-4657-844e-4ff3950d210f", "indicator--5a002f24-0888-4dc2-995f-461a950d210f", "indicator--5a002f24-db50-4692-aa75-41b2950d210f", "indicator--5a002f24-8064-4962-8e89-4248950d210f", "indicator--5a002f24-4e7c-4224-9ae2-4219950d210f", "indicator--5a002f24-b67c-4fc0-930c-4b88950d210f", "indicator--5a002f24-5310-4e69-9e0c-45a4950d210f", "indicator--5a01b247-4698-4534-994b-0d3302de0b81", "indicator--5a01b247-e2bc-4bc2-8db6-0d3302de0b81", "observed-data--5a01b247-4c64-4243-aed8-0d3302de0b81", "url--5a01b247-4c64-4243-aed8-0d3302de0b81", "indicator--5a01b247-56f4-4ce5-a856-0d3302de0b81", "indicator--5a01b247-5750-42d7-b685-0d3302de0b81", "observed-data--5a01b247-bd24-4446-83c4-0d3302de0b81", "url--5a01b247-bd24-4446-83c4-0d3302de0b81", "indicator--5a01b247-2b64-4301-a912-0d3302de0b81", "indicator--5a01b247-6eac-4ad9-9ed4-0d3302de0b81", "observed-data--5a01b247-d9a8-4623-8093-0d3302de0b81", "url--5a01b247-d9a8-4623-8093-0d3302de0b81", "indicator--5a01b247-6314-4f76-966e-0d3302de0b81", "indicator--5a01b247-0fd4-43c8-8b1c-0d3302de0b81", "observed-data--5a01b247-fa04-4911-8b0e-0d3302de0b81", "url--5a01b247-fa04-4911-8b0e-0d3302de0b81", "indicator--5a01b247-ad70-4630-b11f-0d3302de0b81", "indicator--5a01b247-f12c-45af-aa87-0d3302de0b81", "observed-data--5a01b247-8ad0-4725-921c-0d3302de0b81", "url--5a01b247-8ad0-4725-921c-0d3302de0b81", "indicator--5a01b247-12d4-49cd-abad-0d3302de0b81", "indicator--5a01b247-e968-4459-b1ab-0d3302de0b81", "observed-data--5a01b247-2180-4c50-a3a3-0d3302de0b81", "url--5a01b247-2180-4c50-a3a3-0d3302de0b81", "indicator--5a01b247-ae84-4c02-bbb3-0d3302de0b81", "indicator--5a01b247-30d4-471b-ac42-0d3302de0b81", "observed-data--5a01b247-4d0c-47f9-a482-0d3302de0b81", "url--5a01b247-4d0c-47f9-a482-0d3302de0b81", "indicator--5a01b247-875c-474a-acec-0d3302de0b81", "indicator--5a01b247-355c-49e7-a274-0d3302de0b81", "observed-data--5a01b247-a468-4fdd-83f6-0d3302de0b81", "url--5a01b247-a468-4fdd-83f6-0d3302de0b81", "indicator--5a01b247-8118-44b5-bae8-0d3302de0b81", "indicator--5a01b247-78fc-48d5-822c-0d3302de0b81", "observed-data--5a01b247-bb2c-41fe-9282-0d3302de0b81", "url--5a01b247-bb2c-41fe-9282-0d3302de0b81", "indicator--5a01b247-73c0-47c4-b479-0d3302de0b81", "indicator--5a01b247-9c80-40b2-a921-0d3302de0b81", "observed-data--5a01b247-6cf8-4d12-aae2-0d3302de0b81", "url--5a01b247-6cf8-4d12-aae2-0d3302de0b81", "indicator--5a01b247-adac-4729-a3ff-0d3302de0b81", "indicator--5a01b248-59d0-49ca-a977-0d3302de0b81", "observed-data--5a01b248-4658-4e34-bfe5-0d3302de0b81", "url--5a01b248-4658-4e34-bfe5-0d3302de0b81", "indicator--5a01b248-4870-4f78-8a6d-0d3302de0b81", "indicator--5a01b248-3460-44db-917b-0d3302de0b81", "observed-data--5a01b248-8b0c-4301-9503-0d3302de0b81", "url--5a01b248-8b0c-4301-9503-0d3302de0b81", "indicator--5a01b248-76b0-48e0-9e28-0d3302de0b81", "indicator--5a01b248-08d4-44de-97f1-0d3302de0b81", "observed-data--5a01b248-7488-419b-bd1d-0d3302de0b81", "url--5a01b248-7488-419b-bd1d-0d3302de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "osint:source-type=\"technical-report\"", "type:OSINT", "malware_classification:malware-category=\"Ransomware\"", "misp-galaxy:ransomware=\"Sage 2.2\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59f6f515-043c-4947-8052-568dc25ed030", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:54.000Z", "modified": "2017-11-07T13:16:54.000Z", "first_observed": "2017-11-07T13:16:54Z", "last_observed": "2017-11-07T13:16:54Z", "number_observed": 1, "object_refs": [ "url--59f6f515-043c-4947-8052-568dc25ed030" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59f6f515-043c-4947-8052-568dc25ed030", "value": "http://blog.fortinet.com/2017/10/29/evasive-sage-2-2-ransomware-variant-targets-more-countries" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a002e66-0924-4cc1-ba34-4d2c950d210f", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "download URL", "pattern": "[url:value = 'http://sutranjsdf.info/1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a002e66-2624-4b10-9db5-420a950d210f", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "download URL", "pattern": "[url:value = 'http://xxxkeyoplw.top/2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a002e66-874c-4c64-a1a3-4d2d950d210f", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "download URL", "pattern": "[url:value = 'http://johnmoplan.top/1.txt']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a002e66-e384-4470-9a48-49d5950d210f", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "download URL", "pattern": "[url:value = 'http://indiasoujapa.info/7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a002e66-935c-4180-8284-4b63950d210f", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "download URL", "pattern": "[url:value = 'http://mondayyesha.info/7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a002f24-0bf4-4910-8082-48b5950d210f", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Sage.KAD!tr", "pattern": "[file:hashes.SHA256 = '00f1e3b698488519bb6e5f723854ee89eb9f98bdfa4a7fe5137804f79829838e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a002f24-3040-4e33-bc00-4530950d210f", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Sage.KAD!tr", "pattern": "[file:hashes.SHA256 = '0eb72241462c8bfda3ece4e6ebbde88778a33d8c69ce1e22153a3ed8cf47cc17']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a002f24-635c-4359-a94d-4c28950d210f", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Sage.KAD!tr", "pattern": "[file:hashes.SHA256 = '2b0b7c732177a0dd8f4e9c153b1975bbc29eef673c8d1b4665312b8f1b3fb114']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a002f24-6610-4fa9-8f2a-41bc950d210f", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Sage.KAD!tr", "pattern": "[file:hashes.SHA256 = '43921c3406d7b1a546334e324bdf46c279fdac928de810a86263ce7aa9eb1b83']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a002f24-681c-4eb7-9d01-4499950d210f", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Sage.KAD!tr", "pattern": "[file:hashes.SHA256 = '47a67a6fb50097491fd5ebad5e81b19bda303ececc6a83281eddbd6bd508b783']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a002f24-a3f8-450d-ac12-4783950d210f", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Sage.KAD!tr", "pattern": "[file:hashes.SHA256 = '5b7d2b261f29ddef9fda21061362729a9417b8ef2874cc9a2a3495181fc466d0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a002f24-f914-4587-a4c7-407d950d210f", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Sage.KAD!tr", "pattern": "[file:hashes.SHA256 = 'a14ee6e8d2baa577a181cd0bb0e5c2c833a4de972f2679ca3a9e410d5de97d7e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a002f24-da2c-4cd1-9d67-4bec950d210f", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Sage.KAD!tr", "pattern": "[file:hashes.SHA256 = 'b381d871fcb6c16317a068be01a7cb147960419995e8068db4e9b11ea2087457']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a002f24-a744-4583-b461-462d950d210f", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Sage.KAD!tr", "pattern": "[file:hashes.SHA256 = 'bbc0e8981bfca4891d99eab5195cc1f158471b90b21d1a3f1abc0ee05bf60e93']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a002f24-9798-4245-a328-4f08950d210f", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Sage.KAD!tr", "pattern": "[file:hashes.SHA256 = 'cb6b6941ec104ab125a7d42cfe560cd9946ca4d5b1d1a8d5beb6b6ceb083bb29']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a002f24-8a44-4657-844e-4ff3950d210f", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Sage.KAD!tr", "pattern": "[file:hashes.SHA256 = 'df64fcde1c38aa2a0696fc11eb6ca7489aa861d64bbe4e59e44d83ff92734005']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a002f24-0888-4dc2-995f-461a950d210f", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Sage.KAD!tr", "pattern": "[file:hashes.SHA256 = 'eff34c229bc82823a8d31af8fc0b3baac4ebe626d15511dcd0832e455bed1765']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a002f24-db50-4692-aa75-41b2950d210f", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Sage.KAD!tr", "pattern": "[file:hashes.SHA256 = 'f5f875061c9aa07a7d55c37f28b34d84e49d5d97bd66de48f74869cb984bcb61']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a002f24-8064-4962-8e89-4248950d210f", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Kryptik.FXNL!tr", "pattern": "[file:hashes.SHA256 = 'f93c77fd1c3ee16a28ef390d71f2c0af95f5bfc8ec4fe98b1d1352aeb77323e7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a002f24-4e7c-4224-9ae2-4219950d210f", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Kryptik.DMBP!tr", "pattern": "[file:hashes.SHA256 = '903b0e894ec0583ada12e647ac3bcb3433d37dc440e7613e141c03f545fd0ddd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a002f24-b67c-4fc0-930c-4b88950d210f", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/GenKryptik.AZLB!tr", "pattern": "[file:hashes.SHA256 = 'c4e208618d13f11d4a9ed6efb805943debe3bee0581eeebe22254a2b3a259b29']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a002f24-5310-4e69-9e0c-45a4950d210f", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Kryptik.FXNL!tr", "pattern": "[file:hashes.SHA256 = 'e0a9b6d54ab277e6d4b411d776b130624eac7f7a40affb67c544cc1414e22b19']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a01b247-4698-4534-994b-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Kryptik.FXNL!tr - Xchecked via VT: e0a9b6d54ab277e6d4b411d776b130624eac7f7a40affb67c544cc1414e22b19", "pattern": "[file:hashes.SHA1 = 'b93039baa64a21ed90457a80a636a9e5c56f1a00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a01b247-e2bc-4bc2-8db6-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Kryptik.FXNL!tr - Xchecked via VT: e0a9b6d54ab277e6d4b411d776b130624eac7f7a40affb67c544cc1414e22b19", "pattern": "[file:hashes.MD5 = '42550d2c763c023869aebe866ede77e9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a01b247-4c64-4243-aed8-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "first_observed": "2017-11-07T13:16:55Z", "last_observed": "2017-11-07T13:16:55Z", "number_observed": 1, "object_refs": [ "url--5a01b247-4c64-4243-aed8-0d3302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a01b247-4c64-4243-aed8-0d3302de0b81", "value": "https://www.virustotal.com/file/e0a9b6d54ab277e6d4b411d776b130624eac7f7a40affb67c544cc1414e22b19/analysis/1510019719/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a01b247-56f4-4ce5-a856-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Kryptik.DMBP!tr - Xchecked via VT: 903b0e894ec0583ada12e647ac3bcb3433d37dc440e7613e141c03f545fd0ddd", "pattern": "[file:hashes.SHA1 = 'ee88d90a47dc738ea2e505b3e226e129c70c939a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a01b247-5750-42d7-b685-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Kryptik.DMBP!tr - Xchecked via VT: 903b0e894ec0583ada12e647ac3bcb3433d37dc440e7613e141c03f545fd0ddd", "pattern": "[file:hashes.MD5 = 'b3a5732c4a3bfe4781a2a5d93111b99d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a01b247-bd24-4446-83c4-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "first_observed": "2017-11-07T13:16:55Z", "last_observed": "2017-11-07T13:16:55Z", "number_observed": 1, "object_refs": [ "url--5a01b247-bd24-4446-83c4-0d3302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a01b247-bd24-4446-83c4-0d3302de0b81", "value": "https://www.virustotal.com/file/903b0e894ec0583ada12e647ac3bcb3433d37dc440e7613e141c03f545fd0ddd/analysis/1509780134/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a01b247-2b64-4301-a912-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Kryptik.FXNL!tr - Xchecked via VT: f93c77fd1c3ee16a28ef390d71f2c0af95f5bfc8ec4fe98b1d1352aeb77323e7", "pattern": "[file:hashes.SHA1 = 'feeae3fddb606fa45cbcf6b0b2c12fd4cf785113']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a01b247-6eac-4ad9-9ed4-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Kryptik.FXNL!tr - Xchecked via VT: f93c77fd1c3ee16a28ef390d71f2c0af95f5bfc8ec4fe98b1d1352aeb77323e7", "pattern": "[file:hashes.MD5 = 'f7432080c1f41af950a86655a6af6833']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a01b247-d9a8-4623-8093-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "first_observed": "2017-11-07T13:16:55Z", "last_observed": "2017-11-07T13:16:55Z", "number_observed": 1, "object_refs": [ "url--5a01b247-d9a8-4623-8093-0d3302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a01b247-d9a8-4623-8093-0d3302de0b81", "value": "https://www.virustotal.com/file/f93c77fd1c3ee16a28ef390d71f2c0af95f5bfc8ec4fe98b1d1352aeb77323e7/analysis/1510020302/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a01b247-6314-4f76-966e-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Sage.KAD!tr - Xchecked via VT: f5f875061c9aa07a7d55c37f28b34d84e49d5d97bd66de48f74869cb984bcb61", "pattern": "[file:hashes.SHA1 = '2a5035826371551552287ee2713906dba65ce3d3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a01b247-0fd4-43c8-8b1c-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Sage.KAD!tr - Xchecked via VT: f5f875061c9aa07a7d55c37f28b34d84e49d5d97bd66de48f74869cb984bcb61", "pattern": "[file:hashes.MD5 = '5cb7852dff9d0a6ffae7be5097ec14fd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a01b247-fa04-4911-8b0e-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "first_observed": "2017-11-07T13:16:55Z", "last_observed": "2017-11-07T13:16:55Z", "number_observed": 1, "object_refs": [ "url--5a01b247-fa04-4911-8b0e-0d3302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a01b247-fa04-4911-8b0e-0d3302de0b81", "value": "https://www.virustotal.com/file/f5f875061c9aa07a7d55c37f28b34d84e49d5d97bd66de48f74869cb984bcb61/analysis/1510019822/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a01b247-ad70-4630-b11f-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Sage.KAD!tr - Xchecked via VT: eff34c229bc82823a8d31af8fc0b3baac4ebe626d15511dcd0832e455bed1765", "pattern": "[file:hashes.SHA1 = '377dc00f646b7c871c62efa7b84d0fbb54095e93']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a01b247-f12c-45af-aa87-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Sage.KAD!tr - Xchecked via VT: eff34c229bc82823a8d31af8fc0b3baac4ebe626d15511dcd0832e455bed1765", "pattern": "[file:hashes.MD5 = 'cf707cb91b8e6a3fd076c3ac0fbe7b89']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a01b247-8ad0-4725-921c-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "first_observed": "2017-11-07T13:16:55Z", "last_observed": "2017-11-07T13:16:55Z", "number_observed": 1, "object_refs": [ "url--5a01b247-8ad0-4725-921c-0d3302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a01b247-8ad0-4725-921c-0d3302de0b81", "value": "https://www.virustotal.com/file/eff34c229bc82823a8d31af8fc0b3baac4ebe626d15511dcd0832e455bed1765/analysis/1510020158/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a01b247-12d4-49cd-abad-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Sage.KAD!tr - Xchecked via VT: df64fcde1c38aa2a0696fc11eb6ca7489aa861d64bbe4e59e44d83ff92734005", "pattern": "[file:hashes.SHA1 = 'ec046b0d74e2b245f1d2ae4cce5e4a4a47263c31']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a01b247-e968-4459-b1ab-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Sage.KAD!tr - Xchecked via VT: df64fcde1c38aa2a0696fc11eb6ca7489aa861d64bbe4e59e44d83ff92734005", "pattern": "[file:hashes.MD5 = '6916c7e84a54c0d6960d716b8e8bffd2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a01b247-2180-4c50-a3a3-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "first_observed": "2017-11-07T13:16:55Z", "last_observed": "2017-11-07T13:16:55Z", "number_observed": 1, "object_refs": [ "url--5a01b247-2180-4c50-a3a3-0d3302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a01b247-2180-4c50-a3a3-0d3302de0b81", "value": "https://www.virustotal.com/file/df64fcde1c38aa2a0696fc11eb6ca7489aa861d64bbe4e59e44d83ff92734005/analysis/1510019848/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a01b247-ae84-4c02-bbb3-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Sage.KAD!tr - Xchecked via VT: cb6b6941ec104ab125a7d42cfe560cd9946ca4d5b1d1a8d5beb6b6ceb083bb29", "pattern": "[file:hashes.SHA1 = '640aeed9a8d88f35affd46c23374620edaa58e3e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a01b247-30d4-471b-ac42-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Sage.KAD!tr - Xchecked via VT: cb6b6941ec104ab125a7d42cfe560cd9946ca4d5b1d1a8d5beb6b6ceb083bb29", "pattern": "[file:hashes.MD5 = '35c73da756c08dbcfba4cecb1bf93830']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a01b247-4d0c-47f9-a482-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "first_observed": "2017-11-07T13:16:55Z", "last_observed": "2017-11-07T13:16:55Z", "number_observed": 1, "object_refs": [ "url--5a01b247-4d0c-47f9-a482-0d3302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a01b247-4d0c-47f9-a482-0d3302de0b81", "value": "https://www.virustotal.com/file/cb6b6941ec104ab125a7d42cfe560cd9946ca4d5b1d1a8d5beb6b6ceb083bb29/analysis/1509779839/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a01b247-875c-474a-acec-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Sage.KAD!tr - Xchecked via VT: b381d871fcb6c16317a068be01a7cb147960419995e8068db4e9b11ea2087457", "pattern": "[file:hashes.SHA1 = 'd2200be3ec8510dd529531058e2e24e164809e72']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a01b247-355c-49e7-a274-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Sage.KAD!tr - Xchecked via VT: b381d871fcb6c16317a068be01a7cb147960419995e8068db4e9b11ea2087457", "pattern": "[file:hashes.MD5 = '4d8a0e28d39d34a97bc8f0470a26073f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a01b247-a468-4fdd-83f6-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "first_observed": "2017-11-07T13:16:55Z", "last_observed": "2017-11-07T13:16:55Z", "number_observed": 1, "object_refs": [ "url--5a01b247-a468-4fdd-83f6-0d3302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a01b247-a468-4fdd-83f6-0d3302de0b81", "value": "https://www.virustotal.com/file/b381d871fcb6c16317a068be01a7cb147960419995e8068db4e9b11ea2087457/analysis/1510019749/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a01b247-8118-44b5-bae8-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Sage.KAD!tr - Xchecked via VT: a14ee6e8d2baa577a181cd0bb0e5c2c833a4de972f2679ca3a9e410d5de97d7e", "pattern": "[file:hashes.SHA1 = 'c8a6ce85af6442b8d7202abd1023a90e24f782f9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a01b247-78fc-48d5-822c-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Sage.KAD!tr - Xchecked via VT: a14ee6e8d2baa577a181cd0bb0e5c2c833a4de972f2679ca3a9e410d5de97d7e", "pattern": "[file:hashes.MD5 = '9b224075f4a4366beb66cabbc18b7137']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a01b247-bb2c-41fe-9282-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "first_observed": "2017-11-07T13:16:55Z", "last_observed": "2017-11-07T13:16:55Z", "number_observed": 1, "object_refs": [ "url--5a01b247-bb2c-41fe-9282-0d3302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a01b247-bb2c-41fe-9282-0d3302de0b81", "value": "https://www.virustotal.com/file/a14ee6e8d2baa577a181cd0bb0e5c2c833a4de972f2679ca3a9e410d5de97d7e/analysis/1510020027/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a01b247-73c0-47c4-b479-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Sage.KAD!tr - Xchecked via VT: 5b7d2b261f29ddef9fda21061362729a9417b8ef2874cc9a2a3495181fc466d0", "pattern": "[file:hashes.SHA1 = '87a1603e8f9a1f5193932fd3f74a4a740b2e68e3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a01b247-9c80-40b2-a921-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Sage.KAD!tr - Xchecked via VT: 5b7d2b261f29ddef9fda21061362729a9417b8ef2874cc9a2a3495181fc466d0", "pattern": "[file:hashes.MD5 = 'aedd0bf1d7b94b163827aec2f4c64d15']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a01b247-6cf8-4d12-aae2-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "first_observed": "2017-11-07T13:16:55Z", "last_observed": "2017-11-07T13:16:55Z", "number_observed": 1, "object_refs": [ "url--5a01b247-6cf8-4d12-aae2-0d3302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a01b247-6cf8-4d12-aae2-0d3302de0b81", "value": "https://www.virustotal.com/file/5b7d2b261f29ddef9fda21061362729a9417b8ef2874cc9a2a3495181fc466d0/analysis/1509779516/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a01b247-adac-4729-a3ff-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Sage.KAD!tr - Xchecked via VT: 43921c3406d7b1a546334e324bdf46c279fdac928de810a86263ce7aa9eb1b83", "pattern": "[file:hashes.SHA1 = 'b8dd2eb66f33c895883ec2d20e411d3287ba8e33']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a01b248-59d0-49ca-a977-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:55.000Z", "modified": "2017-11-07T13:16:55.000Z", "description": "W32/Sage.KAD!tr - Xchecked via VT: 43921c3406d7b1a546334e324bdf46c279fdac928de810a86263ce7aa9eb1b83", "pattern": "[file:hashes.MD5 = '568f85f776c9cd061f56b7f4393b2eb5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a01b248-4658-4e34-bfe5-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:56.000Z", "modified": "2017-11-07T13:16:56.000Z", "first_observed": "2017-11-07T13:16:56Z", "last_observed": "2017-11-07T13:16:56Z", "number_observed": 1, "object_refs": [ "url--5a01b248-4658-4e34-bfe5-0d3302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a01b248-4658-4e34-bfe5-0d3302de0b81", "value": "https://www.virustotal.com/file/43921c3406d7b1a546334e324bdf46c279fdac928de810a86263ce7aa9eb1b83/analysis/1509779455/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a01b248-4870-4f78-8a6d-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:56.000Z", "modified": "2017-11-07T13:16:56.000Z", "description": "W32/Sage.KAD!tr - Xchecked via VT: 2b0b7c732177a0dd8f4e9c153b1975bbc29eef673c8d1b4665312b8f1b3fb114", "pattern": "[file:hashes.SHA1 = '12c96f09d25cd6349d6e2395699dcae9be80401a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a01b248-3460-44db-917b-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:56.000Z", "modified": "2017-11-07T13:16:56.000Z", "description": "W32/Sage.KAD!tr - Xchecked via VT: 2b0b7c732177a0dd8f4e9c153b1975bbc29eef673c8d1b4665312b8f1b3fb114", "pattern": "[file:hashes.MD5 = '94f37e6331d1d9172034fbdc27b447a6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a01b248-8b0c-4301-9503-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:56.000Z", "modified": "2017-11-07T13:16:56.000Z", "first_observed": "2017-11-07T13:16:56Z", "last_observed": "2017-11-07T13:16:56Z", "number_observed": 1, "object_refs": [ "url--5a01b248-8b0c-4301-9503-0d3302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a01b248-8b0c-4301-9503-0d3302de0b81", "value": "https://www.virustotal.com/file/2b0b7c732177a0dd8f4e9c153b1975bbc29eef673c8d1b4665312b8f1b3fb114/analysis/1510019973/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a01b248-76b0-48e0-9e28-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:56.000Z", "modified": "2017-11-07T13:16:56.000Z", "description": "W32/Sage.KAD!tr - Xchecked via VT: 0eb72241462c8bfda3ece4e6ebbde88778a33d8c69ce1e22153a3ed8cf47cc17", "pattern": "[file:hashes.SHA1 = 'd103a0032b7847a405f65d98af0a6c56c1622f67']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a01b248-08d4-44de-97f1-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:56.000Z", "modified": "2017-11-07T13:16:56.000Z", "description": "W32/Sage.KAD!tr - Xchecked via VT: 0eb72241462c8bfda3ece4e6ebbde88778a33d8c69ce1e22153a3ed8cf47cc17", "pattern": "[file:hashes.MD5 = 'ce9b4fe0e4053369f1a172a9838ad8b8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-11-07T13:16:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a01b248-7488-419b-bd1d-0d3302de0b81", "created_by_ref": "identity--593798b3-3924-4c43-9742-0d9fc25ed030", "created": "2017-11-07T13:16:56.000Z", "modified": "2017-11-07T13:16:56.000Z", "first_observed": "2017-11-07T13:16:56Z", "last_observed": "2017-11-07T13:16:56Z", "number_observed": 1, "object_refs": [ "url--5a01b248-7488-419b-bd1d-0d3302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a01b248-7488-419b-bd1d-0d3302de0b81", "value": "https://www.virustotal.com/file/0eb72241462c8bfda3ece4e6ebbde88778a33d8c69ce1e22153a3ed8cf47cc17/analysis/1510020155/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }