{ "type": "bundle", "id": "bundle--5a3bcbe0-3d70-427d-8744-4bdb950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-10T03:01:13.000Z", "modified": "2018-02-10T03:01:13.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5a3bcbe0-3d70-427d-8744-4bdb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-10T03:01:13.000Z", "modified": "2018-02-10T03:01:13.000Z", "name": "OSINT - DownAndExec: Banking malware utilizes CDNs in Brazil", "published": "2018-02-16T08:57:17Z", "object_refs": [ "observed-data--5a3cc4fd-5fd0-4c16-a65a-4c62950d210f", "url--5a3cc4fd-5fd0-4c16-a65a-4c62950d210f", "x-misp-attribute--5a5c6f2a-afc8-41e1-8a1f-43b9950d210f", "indicator--5a5c771a-0068-47dc-8e20-47ad950d210f", "indicator--5a5c771b-1804-42f0-9701-4e5d950d210f", "indicator--5a5c771b-5054-4f25-914e-4aee950d210f", "indicator--5a5c771b-6a2c-45ff-8d55-47b0950d210f", "indicator--5a5c771c-9a58-45ea-a3c7-4555950d210f", "indicator--5a5c7a0d-71d4-465e-b761-ae5c950d210f", "indicator--5a5c7a0e-4c48-42d5-acbc-ae5c950d210f", "indicator--5a5c7109-1514-4b03-aca8-c84f950d210f", "indicator--5a5c712c-c8f0-4033-a3c6-ae5c950d210f", "indicator--5a5c7153-7a80-4f92-a162-af7f950d210f", "indicator--5a5c7165-f8fc-41f9-84f1-4c94950d210f", "indicator--5a5c717d-7e58-4fbf-8c33-c84f950d210f", "indicator--5a5c7192-cb54-4a77-8f2f-ae1e950d210f", "indicator--352791b2-86bb-41ad-9481-10549ebea11f", "x-misp-object--db289675-d7e8-42b0-a80d-1d0f73eac08b", "indicator--323bf06e-4c08-4825-9e3d-490b985d27f1", "x-misp-object--3c950c89-f255-4ce4-bdf5-b3cb9a34eada", "indicator--989dca8a-94e7-414f-9bb9-299b6407cfe4", "x-misp-object--b8d9d264-06d8-465a-81c9-a4cd48c9deaa", "indicator--ec87a3b7-5f72-4b59-8d53-6e2767f4328f", "x-misp-object--8c9d5426-4f3b-4bfd-b166-40f4e69c8998", "indicator--5e44b32b-6d75-4ac9-a643-96970dee4e3e", "x-misp-object--532bbc5d-ad5f-4281-88f9-a027f31718ae", "indicator--362d20e1-90b1-45c8-b536-5e2fc281fe8a", "x-misp-object--0d641165-660b-4c56-a989-5f27840d94f1", "indicator--9e1132f7-a6f0-4966-8d8e-a8ba91337184", "x-misp-object--9ddbe62a-df3a-4968-8fb1-4b46e61d0abe", "indicator--a4602179-8407-4714-8ce8-73e739f8f93e", "x-misp-object--23e90ff7-f68e-4f1e-abfb-1d24b0480d18", "indicator--368ea62b-9c92-41fd-aa29-ad77f6f49144", "x-misp-object--ffa1925f-32e0-4ddf-ac99-db930609d495", "indicator--b4c72aed-63bf-4f2a-8794-047d36abe533", "x-misp-object--43e3402c-ec4a-4afc-859b-18cdd344f48f", "relationship--957fbde1-d4bb-49ad-a53c-0c27e4469ebb", "relationship--4c8a6c34-c3d8-43a4-8bb3-868dd42320ac", "relationship--1639588a-8957-4305-b904-69519b96faf2", "relationship--7e3fe4c5-527d-46e4-8fe8-37a37a534771", "relationship--fc2b5318-37cd-4964-bc9e-43012832d7d4", "relationship--6a0edb32-3fb0-4f47-a3d7-15c888c27fbc", "relationship--afd301d6-a8a8-4010-97c9-0feec2a623e6", "relationship--facb6641-8414-412a-995c-1726d8697937", "relationship--70db0546-b959-46ff-8691-ad5f43724b05", "relationship--f25a216b-4605-4f1c-a4c9-b6f2ec852a64" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "circl:incident-classification=\"malware\"", "ms-caro-malware-full:malware-family=\"Banker\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5a3cc4fd-5fd0-4c16-a65a-4c62950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:04:47.000Z", "modified": "2018-02-09T14:04:47.000Z", "first_observed": "2018-02-09T14:04:47Z", "last_observed": "2018-02-09T14:04:47Z", "number_observed": 1, "object_refs": [ "url--5a3cc4fd-5fd0-4c16-a65a-4c62950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5a3cc4fd-5fd0-4c16-a65a-4c62950d210f", "value": "https://www.welivesecurity.com/2017/09/13/downandexec-banking-malware-cdns-brazil/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5a5c6f2a-afc8-41e1-8a1f-43b9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:04:47.000Z", "modified": "2018-02-09T14:04:47.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "Services like Netflix use content delivery networks (CDNs) to maximize bandwidth usage as it gives users greater speed when viewing the content, as the server is close to them and is part of the Netflix CDN. This results in faster loading times for series and movies, wherever you are in the world. But, apparently, the CDNs are starting to become a new way of spreading malware.\r\n\r\nThe attack chain is very extensive, and incorporates the execution of remote scripts (similar in some respects to the recent \u00e2\u20ac\u0153fileless\u00e2\u20ac\u009d banking malware trend), plus the use of CDNs for command and control (C&C), and other standard techniques for the execution and protection of malware.\r\n\r\nThe purpose of this article is to offer an analysis of the downAndExec standard that is making extensive use of JS scripts to download and execute \u00e2\u20ac\u201d in this particular instance, banking malware on victims\u00e2\u20ac\u2122 computers." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c771a-0068-47dc-8e20-47ad950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:40:42.000Z", "modified": "2018-01-15T09:40:42.000Z", "description": "NSIS/TrojanDropper.Agent.CL", "pattern": "[file:hashes.SHA1 = '30fc877887d6845007503f3abd44ec261a0d40c7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T09:40:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c771b-1804-42f0-9701-4e5d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:40:43.000Z", "modified": "2018-01-15T09:40:43.000Z", "description": "NSIS/TrojanDropper.Agent.CL", "pattern": "[file:hashes.SHA1 = '34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T09:40:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c771b-5054-4f25-914e-4aee950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:40:43.000Z", "modified": "2018-01-15T09:40:43.000Z", "description": "NSIS/TrojanDropper.Agent.CL", "pattern": "[file:hashes.SHA1 = 'bffaabcce3f4cced896f745a7ec4eba207028683']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T09:40:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c771b-6a2c-45ff-8d55-47b0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:40:43.000Z", "modified": "2018-01-15T09:40:43.000Z", "description": "JS/TrojanDownloader.Agent.QPA", "pattern": "[file:hashes.MD5 = '2ad3b1669e8302035e24c838b3c08f2c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T09:40:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c771c-9a58-45ea-a3c7-4555950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:40:44.000Z", "modified": "2018-01-15T09:40:44.000Z", "description": "Win32/Spy.Banker.ADYV", "pattern": "[file:hashes.MD5 = '51aed47cc54e9671f3ea71f8ee584952']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T09:40:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c7a0d-71d4-465e-b761-ae5c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:04:48.000Z", "modified": "2018-02-09T14:04:48.000Z", "pattern": "[url:value = 'https://1402712571.rsc.cdn77.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-09T14:04:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c7a0e-4c48-42d5-acbc-ae5c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:04:48.000Z", "modified": "2018-02-09T14:04:48.000Z", "description": "inactive", "pattern": "[url:value = 'https://1356485243.rsc.cdn77.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-09T14:04:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c7109-1514-4b03-aca8-c84f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:14:49.000Z", "modified": "2018-01-15T09:14:49.000Z", "pattern": "[file:hashes.SHA1 = '37648e4b95636e3ee5a68e3fa8c0735125126c17' AND file:name = 'AppAdobeFPlayer_1497851813.exe' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T09:14:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c712c-c8f0-4033-a3c6-ae5c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:15:24.000Z", "modified": "2018-01-15T09:15:24.000Z", "pattern": "[file:hashes.SHA1 = '38b7611bb20985512f86dc2c38247593e58a1df6' AND file:name = 'Consulta_Resultado05062017.exe' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T09:15:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c7153-7a80-4f92-a162-af7f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:16:03.000Z", "modified": "2018-01-15T09:16:03.000Z", "pattern": "[file:hashes.SHA1 = '67458b503047852dd603080946842472e575b856' AND file:name = 'NotaFiscal.exe' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T09:16:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c7165-f8fc-41f9-84f1-4c94950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:16:21.000Z", "modified": "2018-01-15T09:16:21.000Z", "pattern": "[file:hashes.SHA1 = '8ea2c548bcb974a380fece046a7e3f0218632ff2' AND file:name = 'n\u00c3\u00a3o confirmado 923337.crdownload' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T09:16:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c717d-7e58-4fbf-8c33-c84f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:16:45.000Z", "modified": "2018-01-15T09:16:45.000Z", "pattern": "[file:hashes.SHA1 = 'bffaabcce3f4cced896f745a7ec4eba2070286b3' AND file:name = '5ae9e0f3867ae8a317031fc9a5ed886e.virus' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T09:16:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a5c7192-cb54-4a77-8f2f-ae1e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-01-15T09:17:06.000Z", "modified": "2018-01-15T09:17:06.000Z", "pattern": "[file:hashes.SHA1 = 'effb36259accdfff07c036c5a41b357692577265' AND file:name = 'Consulta_Resultado05062017.exe' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-01-15T09:17:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--352791b2-86bb-41ad-9481-10549ebea11f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:04:51.000Z", "modified": "2018-02-09T14:04:51.000Z", "pattern": "[file:hashes.MD5 = '51aed47cc54e9671f3ea71f8ee584952' AND file:hashes.SHA1 = '5c5d23fcb759d900c0158948695b43f63df4a99d' AND file:hashes.SHA256 = '08895e31448976adfbe419d1db92650bfb8b937f13597e6222fba965d3e999e0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-09T14:04:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--db289675-d7e8-42b0-a80d-1d0f73eac08b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:04:50.000Z", "modified": "2018-02-09T14:04:50.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/08895e31448976adfbe419d1db92650bfb8b937f13597e6222fba965d3e999e0/analysis/1509045877/", "category": "External analysis", "comment": "Win32/Spy.Banker.ADYV", "uuid": "5a7daa82-5084-4e96-b1b7-481e02de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "42/66", "category": "Other", "comment": "Win32/Spy.Banker.ADYV", "uuid": "5a7daa82-ce04-4a13-b4dc-4dd902de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-10-26T19:24:37", "category": "Other", "comment": "Win32/Spy.Banker.ADYV", "uuid": "5a7daa83-7f20-42ba-9919-459c02de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--323bf06e-4c08-4825-9e3d-490b985d27f1", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:04:54.000Z", "modified": "2018-02-09T14:04:54.000Z", "pattern": "[file:hashes.MD5 = '2ad3b1669e8302035e24c838b3c08f2c' AND file:hashes.SHA1 = '21e6bfad68531acefa1a059015fb008742b5aeec' AND file:hashes.SHA256 = '15a739c1e02245e4f686ff46ca616ab73663fffac9c4de4290a1af4668405878']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-09T14:04:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--3c950c89-f255-4ce4-bdf5-b3cb9a34eada", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:04:53.000Z", "modified": "2018-02-09T14:04:53.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/15a739c1e02245e4f686ff46ca616ab73663fffac9c4de4290a1af4668405878/analysis/1509155544/", "category": "External analysis", "comment": "JS/TrojanDownloader.Agent.QPA", "uuid": "5a7daa85-4e94-4767-b81b-491502de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "26/59", "category": "Other", "comment": "JS/TrojanDownloader.Agent.QPA", "uuid": "5a7daa85-34f4-42de-856c-427902de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-10-28T01:52:24", "category": "Other", "comment": "JS/TrojanDownloader.Agent.QPA", "uuid": "5a7daa86-e0c4-4f48-a687-466c02de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--989dca8a-94e7-414f-9bb9-299b6407cfe4", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:04:57.000Z", "modified": "2018-02-09T14:04:57.000Z", "pattern": "[file:hashes.MD5 = 'c5d56198560f2e263c7ae1af6fccae6c' AND file:hashes.SHA1 = '37648e4b95636e3ee5a68e3fa8c0735125126c17' AND file:hashes.SHA256 = 'ce300e38c0adbba46b1d46066cc3be3e5ce990c6406cb3e1713936acd124d174']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-09T14:04:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--b8d9d264-06d8-465a-81c9-a4cd48c9deaa", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:04:55.000Z", "modified": "2018-02-09T14:04:55.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/ce300e38c0adbba46b1d46066cc3be3e5ce990c6406cb3e1713936acd124d174/analysis/1509045679/", "category": "External analysis", "uuid": "5a7daa87-4afc-47dd-876d-492602de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "45/67", "category": "Other", "uuid": "5a7daa88-e2ac-4bd7-a8c1-484502de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-10-26T19:21:19", "category": "Other", "uuid": "5a7daa88-7f20-461d-890d-44bc02de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ec87a3b7-5f72-4b59-8d53-6e2767f4328f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:05:00.000Z", "modified": "2018-02-09T14:05:00.000Z", "pattern": "[file:hashes.MD5 = '1a5748d445565bf35a3cb6e6b6959fe2' AND file:hashes.SHA1 = '67458b503047852dd603080946842472e575b856' AND file:hashes.SHA256 = 'd7b430e18426fad00576add9e88c6b0c78eb194376dfa416ab805f5757188990']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-09T14:05:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--8c9d5426-4f3b-4bfd-b166-40f4e69c8998", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:04:58.000Z", "modified": "2018-02-09T14:04:58.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/d7b430e18426fad00576add9e88c6b0c78eb194376dfa416ab805f5757188990/analysis/1509045752/", "category": "External analysis", "uuid": "5a7daa8a-7c2c-4d8b-b395-413b02de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "40/67", "category": "Other", "uuid": "5a7daa8b-6934-465e-8d8e-4ff202de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-10-26T19:22:32", "category": "Other", "uuid": "5a7daa8b-a6c8-404d-af6d-4e1302de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5e44b32b-6d75-4ac9-a643-96970dee4e3e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:05:02.000Z", "modified": "2018-02-09T14:05:02.000Z", "pattern": "[file:hashes.MD5 = 'ab4832be975c95ce0348416741225143' AND file:hashes.SHA1 = '30fc877887d6845007503f3abd44ec261a0d40c7' AND file:hashes.SHA256 = '74c115091077182b4e9f1dc141fd2c91c50b0c61fd22117f71f880ebc4fe72bc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-09T14:05:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--532bbc5d-ad5f-4281-88f9-a027f31718ae", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:05:01.000Z", "modified": "2018-02-09T14:05:01.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/74c115091077182b4e9f1dc141fd2c91c50b0c61fd22117f71f880ebc4fe72bc/analysis/1509045590/", "category": "External analysis", "comment": "NSIS/TrojanDropper.Agent.CL", "uuid": "5a7daa8d-995c-4415-90b2-41a602de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "36/66", "category": "Other", "comment": "NSIS/TrojanDropper.Agent.CL", "uuid": "5a7daa8d-7378-4f23-913b-467a02de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-10-26T19:19:50", "category": "Other", "comment": "NSIS/TrojanDropper.Agent.CL", "uuid": "5a7daa8d-bf5c-453b-8111-49d202de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--362d20e1-90b1-45c8-b536-5e2fc281fe8a", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:05:05.000Z", "modified": "2018-02-09T14:05:05.000Z", "pattern": "[file:hashes.MD5 = '71b6a493388e7d0b40c83ce903bc6b04' AND file:hashes.SHA1 = '34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d' AND file:hashes.SHA256 = '027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-09T14:05:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--0d641165-660b-4c56-a989-5f27840d94f1", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:05:03.000Z", "modified": "2018-02-09T14:05:03.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/1517914078/", "category": "External analysis", "comment": "NSIS/TrojanDropper.Agent.CL", "uuid": "5a7daa8f-e930-4c13-b96f-493d02de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "59/65", "category": "Other", "comment": "NSIS/TrojanDropper.Agent.CL", "uuid": "5a7daa90-99dc-4e0c-b651-4bbc02de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2018-02-06T10:47:58", "category": "Other", "comment": "NSIS/TrojanDropper.Agent.CL", "uuid": "5a7daa90-e0ec-488b-87f7-418802de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9e1132f7-a6f0-4966-8d8e-a8ba91337184", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:05:08.000Z", "modified": "2018-02-09T14:05:08.000Z", "pattern": "[file:hashes.MD5 = '5ae9e0f3867ae8a317031fc9a5ed886e' AND file:hashes.SHA1 = 'bffaabcce3f4cced896f745a7ec4eba2070286b3' AND file:hashes.SHA256 = '45211c815cac28a399e3ad01d742b5811dae54d93918e969c685d4e8356d7c28']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-09T14:05:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--9ddbe62a-df3a-4968-8fb1-4b46e61d0abe", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:05:06.000Z", "modified": "2018-02-09T14:05:06.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/45211c815cac28a399e3ad01d742b5811dae54d93918e969c685d4e8356d7c28/analysis/1505331152/", "category": "External analysis", "uuid": "5a7daa92-a268-4a80-8fe2-422502de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "39/64", "category": "Other", "uuid": "5a7daa92-9ac8-48be-a710-4ceb02de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-09-13T19:32:32", "category": "Other", "uuid": "5a7daa93-b3d4-4672-b604-454802de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a4602179-8407-4714-8ce8-73e739f8f93e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:05:10.000Z", "modified": "2018-02-09T14:05:10.000Z", "pattern": "[file:hashes.MD5 = 'e383d317b3c7bbd65a7c303746b7f12d' AND file:hashes.SHA1 = '38b7611bb20985512f86dc2c38247593e58a1df6' AND file:hashes.SHA256 = '6b08e5d92c7067eae8e222f2d13ba2a59fe36421eb2ece5054b5d97c593a38e2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-09T14:05:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--23e90ff7-f68e-4f1e-abfb-1d24b0480d18", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:05:08.000Z", "modified": "2018-02-09T14:05:08.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/6b08e5d92c7067eae8e222f2d13ba2a59fe36421eb2ece5054b5d97c593a38e2/analysis/1509045704/", "category": "External analysis", "uuid": "5a7daa95-e77c-431d-bc9c-4cdc02de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "39/67", "category": "Other", "uuid": "5a7daa95-db80-4bcf-8c20-450a02de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-10-26T19:21:44", "category": "Other", "uuid": "5a7daa95-88e8-49fe-be81-421b02de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--368ea62b-9c92-41fd-aa29-ad77f6f49144", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:05:13.000Z", "modified": "2018-02-09T14:05:13.000Z", "pattern": "[file:hashes.MD5 = '782eace45e76c28862396a2b6d5b3f1c' AND file:hashes.SHA1 = '8ea2c548bcb974a380fece046a7e3f0218632ff2' AND file:hashes.SHA256 = '66d9360a2a41a119a9337539e110d79f6e74e405755029d9241bf9afc20beed6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-09T14:05:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--ffa1925f-32e0-4ddf-ac99-db930609d495", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:05:11.000Z", "modified": "2018-02-09T14:05:11.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/66d9360a2a41a119a9337539e110d79f6e74e405755029d9241bf9afc20beed6/analysis/1510180391/", "category": "External analysis", "uuid": "5a7daa97-96ac-4b57-877e-4cc502de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "41/67", "category": "Other", "uuid": "5a7daa97-1e08-4336-bef5-44c302de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-11-08T22:33:11", "category": "Other", "uuid": "5a7daa98-6474-4cc5-85d9-481a02de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b4c72aed-63bf-4f2a-8794-047d36abe533", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:05:15.000Z", "modified": "2018-02-09T14:05:15.000Z", "pattern": "[file:hashes.MD5 = 'b917b09c778d7aa7e5a2d98a5fba5b1e' AND file:hashes.SHA1 = 'effb36259accdfff07c036c5a41b357692577265' AND file:hashes.SHA256 = '91301d3daab1a87dfc8b4e39f8a120ea5523e04ac86fee970cecc6760e05c8fe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-02-09T14:05:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--43e3402c-ec4a-4afc-859b-18cdd344f48f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-02-09T14:05:13.000Z", "modified": "2018-02-09T14:05:13.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/91301d3daab1a87dfc8b4e39f8a120ea5523e04ac86fee970cecc6760e05c8fe/analysis/1509045798/", "category": "External analysis", "uuid": "5a7daa9a-b7e8-4340-a315-416602de0b81" }, { "type": "text", "object_relation": "detection-ratio", "value": "38/67", "category": "Other", "uuid": "5a7daa9a-f554-4959-827d-4d0702de0b81" }, { "type": "datetime", "object_relation": "last-submission", "value": "2017-10-26T19:23:18", "category": "Other", "uuid": "5a7daa9a-d1fc-4984-9be0-45e902de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--957fbde1-d4bb-49ad-a53c-0c27e4469ebb", "created": "2018-02-16T08:57:16.000Z", "modified": "2018-02-16T08:57:16.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--352791b2-86bb-41ad-9481-10549ebea11f", "target_ref": "x-misp-object--db289675-d7e8-42b0-a80d-1d0f73eac08b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4c8a6c34-c3d8-43a4-8bb3-868dd42320ac", "created": "2018-02-16T08:57:17.000Z", "modified": "2018-02-16T08:57:17.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--323bf06e-4c08-4825-9e3d-490b985d27f1", "target_ref": "x-misp-object--3c950c89-f255-4ce4-bdf5-b3cb9a34eada" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1639588a-8957-4305-b904-69519b96faf2", "created": "2018-02-16T08:57:17.000Z", "modified": "2018-02-16T08:57:17.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--989dca8a-94e7-414f-9bb9-299b6407cfe4", "target_ref": "x-misp-object--b8d9d264-06d8-465a-81c9-a4cd48c9deaa" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7e3fe4c5-527d-46e4-8fe8-37a37a534771", "created": "2018-02-16T08:57:17.000Z", "modified": "2018-02-16T08:57:17.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--ec87a3b7-5f72-4b59-8d53-6e2767f4328f", "target_ref": "x-misp-object--8c9d5426-4f3b-4bfd-b166-40f4e69c8998" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--fc2b5318-37cd-4964-bc9e-43012832d7d4", "created": "2018-02-16T08:57:17.000Z", "modified": "2018-02-16T08:57:17.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--5e44b32b-6d75-4ac9-a643-96970dee4e3e", "target_ref": "x-misp-object--532bbc5d-ad5f-4281-88f9-a027f31718ae" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6a0edb32-3fb0-4f47-a3d7-15c888c27fbc", "created": "2018-02-16T08:57:17.000Z", "modified": "2018-02-16T08:57:17.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--362d20e1-90b1-45c8-b536-5e2fc281fe8a", "target_ref": "x-misp-object--0d641165-660b-4c56-a989-5f27840d94f1" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--afd301d6-a8a8-4010-97c9-0feec2a623e6", "created": "2018-02-16T08:57:17.000Z", "modified": "2018-02-16T08:57:17.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--9e1132f7-a6f0-4966-8d8e-a8ba91337184", "target_ref": "x-misp-object--9ddbe62a-df3a-4968-8fb1-4b46e61d0abe" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--facb6641-8414-412a-995c-1726d8697937", "created": "2018-02-16T08:57:17.000Z", "modified": "2018-02-16T08:57:17.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--a4602179-8407-4714-8ce8-73e739f8f93e", "target_ref": "x-misp-object--23e90ff7-f68e-4f1e-abfb-1d24b0480d18" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--70db0546-b959-46ff-8691-ad5f43724b05", "created": "2018-02-16T08:57:17.000Z", "modified": "2018-02-16T08:57:17.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--368ea62b-9c92-41fd-aa29-ad77f6f49144", "target_ref": "x-misp-object--ffa1925f-32e0-4ddf-ac99-db930609d495" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f25a216b-4605-4f1c-a4c9-b6f2ec852a64", "created": "2018-02-16T08:57:17.000Z", "modified": "2018-02-16T08:57:17.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--b4c72aed-63bf-4f2a-8794-047d36abe533", "target_ref": "x-misp-object--43e3402c-ec4a-4afc-859b-18cdd344f48f" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }