{ "type": "bundle", "id": "bundle--5c4458f2-6270-4c17-8fe2-992402de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-02-28T09:18:28.000Z", "modified": "2019-02-28T09:18:28.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "grouping", "spec_version": "2.1", "id": "grouping--5c4458f2-6270-4c17-8fe2-992402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-02-28T09:18:28.000Z", "modified": "2019-02-28T09:18:28.000Z", "name": "OSINT - BitterRAT PATCHWORK", "context": "suspicious-activity", "object_refs": [ "indicator--5c4459da-6374-4f25-9bb6-a83202de0b81", "indicator--5c4459db-214c-4cf3-8bfc-a83202de0b81", "indicator--5c4459db-4f5c-4f63-8d30-a83202de0b81", "observed-data--5c445ae0-8b4c-44cf-973f-98d302de0b81", "url--5c445ae0-8b4c-44cf-973f-98d302de0b81", "observed-data--5c445ae0-af98-460b-b37c-98d302de0b81", "url--5c445ae0-af98-460b-b37c-98d302de0b81", "observed-data--5c445ae0-86f0-40ca-a041-98d302de0b81", "url--5c445ae0-86f0-40ca-a041-98d302de0b81", "indicator--5c445b0a-f430-49fb-9097-468002de0b81", "indicator--5c445b0a-ae24-4bed-8e2d-416e02de0b81", "indicator--5c445b0b-8f78-4d23-8027-46ab02de0b81", "indicator--5c445b0b-01d8-4b1d-81bb-472f02de0b81", "indicator--5c445b2d-b2ec-4067-8891-98d302de0b81", "indicator--5c445b2e-1280-4f6b-a51f-98d302de0b81", "indicator--5c445b54-b390-4847-8585-4c9802de0b81", "indicator--5c445b55-eff0-4fe7-aaff-427c02de0b81", "observed-data--5c445b83-6b80-43b2-a950-44b0e387cbd9", "network-traffic--5c445b83-6b80-43b2-a950-44b0e387cbd9", "ipv4-addr--5c445b83-6b80-43b2-a950-44b0e387cbd9", "observed-data--5c445b84-c18c-404c-8f53-4cf3e387cbd9", "network-traffic--5c445b84-c18c-404c-8f53-4cf3e387cbd9", "ipv4-addr--5c445b84-c18c-404c-8f53-4cf3e387cbd9", "indicator--5c76b08c-f724-4322-a531-418e02de0b81", "indicator--5c77a701-6ed0-4e6b-a497-47cb02de0b81", "indicator--5c77a724-a98c-43d6-9335-452402de0b81", "x-misp-object--5c445998-17e4-4411-ac90-4c8902de0b81", "indicator--8cb15f0f-006b-4400-8fd1-e4ac9586b92e", "x-misp-object--b29e2cdc-6709-40b3-b08b-227aacd7503c", "indicator--9a14aeab-1cc6-4fad-b1db-007f193da4aa", "x-misp-object--baeb4e2d-2b52-4f76-a2d8-ffd3f8fbf96f", "indicator--645535fc-0fe5-4f38-a8b0-a247d8f46d87", "x-misp-object--7cf96e54-0bab-47c1-a06a-6c3ea9173676", "indicator--5c445a91-96e4-4a76-81bf-4bb302de0b81", "indicator--db8c563d-74f7-492a-ab64-12d646b305ef", "x-misp-object--573e5323-af68-46ff-bf63-ab4367951a1a", "indicator--b30ed68b-1525-4bc7-a433-4ead4df9845c", "x-misp-object--d9e9def6-73c0-4b65-b2d3-1d382d809e1b", "indicator--80cdfaf6-8bf3-4374-9f68-992799ed3b70", "x-misp-object--6da3bd65-82d7-45c7-9a90-417575cca55d", "indicator--e1137dbb-bedf-4093-8391-b598b22d0a87", "x-misp-object--7df872cb-7f5d-4df9-b654-92c03908f4af", "indicator--57bc77e0-6e6a-4ac3-a678-4d620ca79902", "x-misp-object--be750522-8ad5-4911-8601-070557f5b9b2", "indicator--5a403b39-3b33-41e6-852f-277fe242197e", "x-misp-object--61c4a2cb-234e-4428-9dd5-e214916b1536", "relationship--25be4812-2caa-446c-83b4-1c91f7ff551d", "relationship--349d7f76-d867-460e-8e45-4be9b793a560", "relationship--452f7bb6-319d-4ffe-b66b-927736b4a984", "relationship--c0e80fb7-b86e-43ad-b623-7fd2056a0b5e", "relationship--5403829c-40f6-41a0-803f-3f1ce82696d2", "relationship--4f762cd2-e645-48cd-b134-9ca6b92f5f54", "relationship--8e9c6a04-4363-4a3a-90e5-18d514b9d5b5", "relationship--e502b11f-6a43-4855-8d23-8f5b6e2ada74", "relationship--2e51b6c6-4a8d-4159-b8e0-eec8c851f802" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Patchwork\"", "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Patchwork - G0040\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "osint:certainty=\"50\"", "misp-galaxy:threat-actor=\"Dropping Elephant\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c4459da-6374-4f25-9bb6-a83202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:22:02.000Z", "modified": "2019-01-20T11:22:02.000Z", "description": "While digging into a sample that @thor_scanner fired for #BitterRAT #PATCHWORK on @virustotal I confirmed that the following samples are from the same group.", "pattern": "[file:hashes.MD5 = '7845d817e021db8cde06a8437693b3b2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-20T11:22:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c4459db-214c-4cf3-8bfc-a83202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:22:03.000Z", "modified": "2019-01-20T11:22:03.000Z", "description": "While digging into a sample that @thor_scanner fired for #BitterRAT #PATCHWORK on @virustotal I confirmed that the following samples are from the same group.", "pattern": "[file:hashes.MD5 = 'd34fc3a5df544d90ed1933b79deb1868']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-20T11:22:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c4459db-4f5c-4f63-8d30-a83202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:22:03.000Z", "modified": "2019-01-20T11:22:03.000Z", "description": "While digging into a sample that @thor_scanner fired for #BitterRAT #PATCHWORK on @virustotal I confirmed that the following samples are from the same group.", "pattern": "[file:hashes.MD5 = '59ca69647eeceab0193d88b8b72e3d60']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-20T11:22:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5c445ae0-8b4c-44cf-973f-98d302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:26:24.000Z", "modified": "2019-01-20T11:26:24.000Z", "first_observed": "2019-01-20T11:26:24Z", "last_observed": "2019-01-20T11:26:24Z", "number_observed": 1, "object_refs": [ "url--5c445ae0-8b4c-44cf-973f-98d302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5c445ae0-8b4c-44cf-973f-98d302de0b81", "value": "https://analyze.intezer.com/#/analyses/314c7fb5-7d2e-4e3c-93d8-84c2064672d3" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5c445ae0-af98-460b-b37c-98d302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:26:24.000Z", "modified": "2019-01-20T11:26:24.000Z", "first_observed": "2019-01-20T11:26:24Z", "last_observed": "2019-01-20T11:26:24Z", "number_observed": 1, "object_refs": [ "url--5c445ae0-af98-460b-b37c-98d302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5c445ae0-af98-460b-b37c-98d302de0b81", "value": "https://analyze.intezer.com/#/analyses/5dcad879-8bf6-45ed-a10f-53313aaf32a0" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5c445ae0-86f0-40ca-a041-98d302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:26:24.000Z", "modified": "2019-01-20T11:26:24.000Z", "first_observed": "2019-01-20T11:26:24Z", "last_observed": "2019-01-20T11:26:24Z", "number_observed": 1, "object_refs": [ "url--5c445ae0-86f0-40ca-a041-98d302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5c445ae0-86f0-40ca-a041-98d302de0b81", "value": "https://analyze.intezer.com/#/analyses/5dcad879-8bf6-45ed-a10f-53313aaf32a0" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c445b0a-f430-49fb-9097-468002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:27:06.000Z", "modified": "2019-01-20T11:27:06.000Z", "description": "RTF file", "pattern": "[file:hashes.MD5 = 'e4abdd40f7d1adb3f139940438484695']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-20T11:27:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c445b0a-ae24-4bed-8e2d-416e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:27:06.000Z", "modified": "2019-01-20T11:27:06.000Z", "description": "Payload", "pattern": "[file:hashes.MD5 = 'a098d91f04eb259bf27432e81a9c523b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-20T11:27:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c445b0b-8f78-4d23-8027-46ab02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:27:07.000Z", "modified": "2019-01-20T11:27:07.000Z", "description": "Payload", "pattern": "[file:hashes.MD5 = '53d6ed9a3e56785ccbee9b73b14ec62c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-20T11:27:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c445b0b-01d8-4b1d-81bb-472f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:27:07.000Z", "modified": "2019-01-20T11:27:07.000Z", "description": "Payload", "pattern": "[file:hashes.MD5 = '26d175ac27b4554885b5c3d2ec9c6769']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-20T11:27:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c445b2d-b2ec-4067-8891-98d302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:27:41.000Z", "modified": "2019-01-20T11:27:41.000Z", "description": "Additional Payload can also be seen in the below screenshot. Looks like the threat actors have a pattern of sequentially naming folders.", "pattern": "[file:hashes.MD5 = '3dcc9ac06cd5318f247be0d73c8c1d1d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-20T11:27:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c445b2e-1280-4f6b-a51f-98d302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:27:42.000Z", "modified": "2019-01-20T11:27:42.000Z", "description": "Additional Payload can also be seen in the below screenshot. Looks like the threat actors have a pattern of sequentially naming folders.", "pattern": "[domain-name:value = 'wcnsservice.ddns.net']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-20T11:27:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c445b54-b390-4847-8585-4c9802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:28:20.000Z", "modified": "2019-01-20T11:28:20.000Z", "description": "Additional URL - Couldn't find it in any writeups:", "pattern": "[url:value = 'rmmun.org.pk/svch']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-20T11:28:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c445b55-eff0-4fe7-aaff-427c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:28:21.000Z", "modified": "2019-01-20T11:28:21.000Z", "description": "Additional URL - Couldn't find it in any writeups:", "pattern": "[file:hashes.MD5 = 'b694f3b1ef7ff302c339a51c3f0f50f3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-20T11:28:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5c445b83-6b80-43b2-a950-44b0e387cbd9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:29:07.000Z", "modified": "2019-01-20T11:29:07.000Z", "first_observed": "2019-01-20T11:29:07Z", "last_observed": "2019-01-20T11:29:07Z", "number_observed": 1, "object_refs": [ "network-traffic--5c445b83-6b80-43b2-a950-44b0e387cbd9", "ipv4-addr--5c445b83-6b80-43b2-a950-44b0e387cbd9" ], "labels": [ "misp:type=\"ip-src\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--5c445b83-6b80-43b2-a950-44b0e387cbd9", "src_ref": "ipv4-addr--5c445b83-6b80-43b2-a950-44b0e387cbd9", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--5c445b83-6b80-43b2-a950-44b0e387cbd9", "value": "185.45.193.10" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5c445b84-c18c-404c-8f53-4cf3e387cbd9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:29:08.000Z", "modified": "2019-01-20T11:29:08.000Z", "first_observed": "2019-01-20T11:29:08Z", "last_observed": "2019-01-20T11:29:08Z", "number_observed": 1, "object_refs": [ "network-traffic--5c445b84-c18c-404c-8f53-4cf3e387cbd9", "ipv4-addr--5c445b84-c18c-404c-8f53-4cf3e387cbd9" ], "labels": [ "misp:type=\"ip-src\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--5c445b84-c18c-404c-8f53-4cf3e387cbd9", "src_ref": "ipv4-addr--5c445b84-c18c-404c-8f53-4cf3e387cbd9", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--5c445b84-c18c-404c-8f53-4cf3e387cbd9", "value": "185.121.139.53" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c76b08c-f724-4322-a531-418e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-02-27T15:45:16.000Z", "modified": "2019-02-27T15:45:16.000Z", "description": "rtf exploit", "pattern": "[rule dropper_elephant {\r\n\tstrings:\r\n\t\t$head = \"{\\\\rt\"\r\n\t\t$water = { 33 35 33 32 33 34 36 36 36 31 33 36 33 33 36 31 33 35 33 30 30 30}\r\n\tcondition:\r\n\t\t$head at 0 and $water \r\n\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2019-02-27T15:45:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c77a701-6ed0-4e6b-a497-47cb02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-02-28T09:16:49.000Z", "modified": "2019-02-28T09:16:49.000Z", "description": "rtf file", "pattern": "[file:hashes.SHA256 = 'd3122d94a7fde33bc1f35ab49f56408a19a46847cce3686ff40c7a5f2ff71ca1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-02-28T09:16:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c77a724-a98c-43d6-9335-452402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-02-28T09:17:24.000Z", "modified": "2019-02-28T09:17:24.000Z", "description": "rtf file", "pattern": "[file:hashes.SHA256 = '52c10f300f15e6b4f7e3e1989a35c7d2719217f4d3d64fe0afcf83bb922ec61f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-02-28T09:17:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5c445998-17e4-4411-ac90-4c8902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:20:56.000Z", "modified": "2019-01-20T11:20:56.000Z", "labels": [ "misp:name=\"microblog\"", "misp:meta-category=\"misc\"", "osint:source-type=\"microblog-post\"", "osint:certainty=\"93\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "post", "value": "While digging into a sample that @thor_scanner fired for #BitterRAT #PATCHWORK on @virustotal I confirmed that the following samples are from the same group. Hashes: 7845d817e021db8cde06a8437693b3b2 d34fc3a5df544d90ed1933b79deb1868 59ca69647eeceab0193d88b8b72e3d60", "category": "Other", "uuid": "5c445998-bcb8-4f80-8d60-437002de0b81" }, { "type": "text", "object_relation": "type", "value": "Twitter", "category": "Other", "uuid": "5c445998-e110-4f97-917a-4f0802de0b81" }, { "type": "url", "object_relation": "url", "value": "https://twitter.com/shotgunner101/status/1086792700114948096", "category": "Network activity", "to_ids": true, "uuid": "5c445998-ea68-4dae-a03e-492f02de0b81" }, { "type": "text", "object_relation": "username", "value": "shotgunner101", "category": "Other", "uuid": "5c445999-3450-4150-8196-459102de0b81" } ], "x_misp_meta_category": "misc", "x_misp_name": "microblog" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--8cb15f0f-006b-4400-8fd1-e4ac9586b92e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:22:32.000Z", "modified": "2019-01-20T11:22:32.000Z", "pattern": "[file:hashes.MD5 = 'd34fc3a5df544d90ed1933b79deb1868' AND file:hashes.SHA1 = '6c5d2012f58ee390500c515506f67e43e491818f' AND file:hashes.SHA256 = '386350a786e325844875dfffa5286f904a3ecce22845f3d3685e2abf68d79b55']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-20T11:22:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--b29e2cdc-6709-40b3-b08b-227aacd7503c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:22:34.000Z", "modified": "2019-01-20T11:22:34.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-12-17 11:42:39", "category": "Other", "uuid": "cd5abe05-07bc-49f1-834b-984f412fd69b" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/386350a786e325844875dfffa5286f904a3ecce22845f3d3685e2abf68d79b55/analysis/1545046959/", "category": "External analysis", "uuid": "b46db101-5b99-4641-bacc-c1488b6b1c13" }, { "type": "text", "object_relation": "detection-ratio", "value": "40/70", "category": "Other", "uuid": "7e191cc5-c4b9-41b7-9370-30af876f9087" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9a14aeab-1cc6-4fad-b1db-007f193da4aa", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:22:35.000Z", "modified": "2019-01-20T11:22:35.000Z", "pattern": "[file:hashes.MD5 = '59ca69647eeceab0193d88b8b72e3d60' AND file:hashes.SHA1 = '4d441ba024b5fba0c2d02a30c00cd1ba63aaa1f0' AND file:hashes.SHA256 = '80cc095d582ee7e7a370b1967c4ad0b336622a2f4f4a04c515b014bc3be78377']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-20T11:22:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--baeb4e2d-2b52-4f76-a2d8-ffd3f8fbf96f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:22:37.000Z", "modified": "2019-01-20T11:22:37.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-01-20 05:28:41", "category": "Other", "uuid": "b6767065-40ce-4769-b41d-d80c76e36f6b" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/80cc095d582ee7e7a370b1967c4ad0b336622a2f4f4a04c515b014bc3be78377/analysis/1547962121/", "category": "External analysis", "uuid": "dd19c19d-8f28-4860-9592-8899a91a9f44" }, { "type": "text", "object_relation": "detection-ratio", "value": "42/67", "category": "Other", "uuid": "a5e53653-a585-48dc-a595-12b67dae1846" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--645535fc-0fe5-4f38-a8b0-a247d8f46d87", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:22:38.000Z", "modified": "2019-01-20T11:22:38.000Z", "pattern": "[file:hashes.MD5 = '7845d817e021db8cde06a8437693b3b2' AND file:hashes.SHA1 = 'bdb21b57c572744b58f8dc4f4020e32e1787f46d' AND file:hashes.SHA256 = '57fb48d43f5363798aee52635e0bbc393141940e60dbc0fda298898984556a8e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-20T11:22:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--7cf96e54-0bab-47c1-a06a-6c3ea9173676", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:22:40.000Z", "modified": "2019-01-20T11:22:40.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-01-20 05:31:17", "category": "Other", "uuid": "263b4bfc-fee6-4604-8ad6-3e718c0bbd60" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/57fb48d43f5363798aee52635e0bbc393141940e60dbc0fda298898984556a8e/analysis/1547962277/", "category": "External analysis", "uuid": "2a347a59-cf7a-4973-bd1c-5fb4c1b1488d" }, { "type": "text", "object_relation": "detection-ratio", "value": "32/70", "category": "Other", "uuid": "6fb014a0-3fbe-4f2a-9ab4-e54bf354e276" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c445a91-96e4-4a76-81bf-4bb302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:25:05.000Z", "modified": "2019-01-20T11:25:05.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.45.193.10') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'netwareservice.ddns.net') AND network-traffic:x_misp_text = 'There is also another domain and IP Address that I couldn\\'t find linked with any PATCHWORK/Bitter RAT reports.']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-20T11:25:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--db8c563d-74f7-492a-ab64-12d646b305ef", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:28:30.000Z", "modified": "2019-01-20T11:28:30.000Z", "pattern": "[file:hashes.MD5 = 'a098d91f04eb259bf27432e81a9c523b' AND file:hashes.SHA1 = 'a359d15c1055fe8574eb0a68f429c6ee4f0894ff' AND file:hashes.SHA256 = 'b0d974b590a67ff642a60033b1acdbec37f9dc13b3bf49aead70bd3ef96a0d42']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-20T11:28:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--573e5323-af68-46ff-bf63-ab4367951a1a", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:28:32.000Z", "modified": "2019-01-20T11:28:32.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-01-10 01:04:42", "category": "Other", "uuid": "a044a306-15d0-435d-aeec-dd77d24f9e2e" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/b0d974b590a67ff642a60033b1acdbec37f9dc13b3bf49aead70bd3ef96a0d42/analysis/1547082282/", "category": "External analysis", "uuid": "50958fd2-c56f-44ea-999e-03c8428dc48b" }, { "type": "text", "object_relation": "detection-ratio", "value": "43/70", "category": "Other", "uuid": "cc0dce63-893d-4ba6-ba93-d620445ebc17" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b30ed68b-1525-4bc7-a433-4ead4df9845c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:28:33.000Z", "modified": "2019-01-20T11:28:33.000Z", "pattern": "[file:hashes.MD5 = '26d175ac27b4554885b5c3d2ec9c6769' AND file:hashes.SHA1 = '205e77e7f708b5c2f3f6370547255ae4c6b61b5b' AND file:hashes.SHA256 = '4d5290e7e30ef25b7cb265784b1507f756b938af3a4d915225b708e5e44a5ed4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-20T11:28:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--d9e9def6-73c0-4b65-b2d3-1d382d809e1b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:28:34.000Z", "modified": "2019-01-20T11:28:34.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-12-26 06:32:20", "category": "Other", "uuid": "13e649fd-ebb4-4f6e-a7e5-4cd02ab8e4df" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/4d5290e7e30ef25b7cb265784b1507f756b938af3a4d915225b708e5e44a5ed4/analysis/1545805940/", "category": "External analysis", "uuid": "ab8369e4-bd22-4d44-9904-59d1520d6b88" }, { "type": "text", "object_relation": "detection-ratio", "value": "42/69", "category": "Other", "uuid": "4aaec601-7d0d-45f8-9c5f-6018bb4cf450" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--80cdfaf6-8bf3-4374-9f68-992799ed3b70", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:28:37.000Z", "modified": "2019-01-20T11:28:37.000Z", "pattern": "[file:hashes.MD5 = 'b694f3b1ef7ff302c339a51c3f0f50f3' AND file:hashes.SHA1 = '02a5aaa1956b437f1066a4793cc079201c02603b' AND file:hashes.SHA256 = '523a17f6892c2558ac4765959df4af938e56a94fa6ed39636b8b7315def3a1b4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-20T11:28:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--6da3bd65-82d7-45c7-9a90-417575cca55d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:28:38.000Z", "modified": "2019-01-20T11:28:38.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-12-20 20:38:41", "category": "Other", "uuid": "bd626c6a-66b1-41d4-9803-d7be0957d811" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/523a17f6892c2558ac4765959df4af938e56a94fa6ed39636b8b7315def3a1b4/analysis/1545338321/", "category": "External analysis", "uuid": "542b3ccc-7a07-4b00-9213-a1287036339e" }, { "type": "text", "object_relation": "detection-ratio", "value": "46/70", "category": "Other", "uuid": "f69ec892-9c22-4f81-9fba-9c59c550efab" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e1137dbb-bedf-4093-8391-b598b22d0a87", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:28:39.000Z", "modified": "2019-01-20T11:28:39.000Z", "pattern": "[file:hashes.MD5 = 'e4abdd40f7d1adb3f139940438484695' AND file:hashes.SHA1 = 'fddfb467c6d04f7333206591a2105881be985d5c' AND file:hashes.SHA256 = 'e835280daa9d93f38ef7707a2672912515669f971c8e994754486d40524371db']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-20T11:28:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--7df872cb-7f5d-4df9-b654-92c03908f4af", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:28:41.000Z", "modified": "2019-01-20T11:28:41.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-01-17 11:33:07", "category": "Other", "uuid": "4800929b-92d6-42d9-a7e0-a3390c4f821e" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/e835280daa9d93f38ef7707a2672912515669f971c8e994754486d40524371db/analysis/1547724787/", "category": "External analysis", "uuid": "294505dc-8126-4e47-9eef-3721f0086fbf" }, { "type": "text", "object_relation": "detection-ratio", "value": "25/57", "category": "Other", "uuid": "e83fe184-6c74-4558-97de-f741bc1b94ba" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57bc77e0-6e6a-4ac3-a678-4d620ca79902", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:28:42.000Z", "modified": "2019-01-20T11:28:42.000Z", "pattern": "[file:hashes.MD5 = '53d6ed9a3e56785ccbee9b73b14ec62c' AND file:hashes.SHA1 = '2075cddc453492a349de81e4aae309a376c1147a' AND file:hashes.SHA256 = 'aa0e4216867d68fca3e6b0bafcabd871657abda9820aaee0c72d89f365163d75']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-20T11:28:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--be750522-8ad5-4911-8601-070557f5b9b2", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:28:43.000Z", "modified": "2019-01-20T11:28:43.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-01-20 05:27:08", "category": "Other", "uuid": "ce177d9a-fdaf-447f-9628-969f55f142eb" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/aa0e4216867d68fca3e6b0bafcabd871657abda9820aaee0c72d89f365163d75/analysis/1547962028/", "category": "External analysis", "uuid": "41820a0e-61aa-4b65-8672-b2985cdf6a1a" }, { "type": "text", "object_relation": "detection-ratio", "value": "38/66", "category": "Other", "uuid": "88ad0b3d-a8ab-45f8-b782-228493b9ad39" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5a403b39-3b33-41e6-852f-277fe242197e", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:28:45.000Z", "modified": "2019-01-20T11:28:45.000Z", "pattern": "[file:hashes.MD5 = '3dcc9ac06cd5318f247be0d73c8c1d1d' AND file:hashes.SHA1 = '969fc7f9b770215ce2ad3fe38451d286fda4e7cb' AND file:hashes.SHA256 = '5ea68ecd5e68a83b3c1a1249f8ca895ad107a4c780d9d3c3430fcc4d3007a299']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-20T11:28:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--61c4a2cb-234e-4428-9dd5-e214916b1536", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-20T11:28:47.000Z", "modified": "2019-01-20T11:28:47.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-01-18 18:25:53", "category": "Other", "uuid": "896b9522-f5fa-4ffd-8ef2-76826c41225b" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/5ea68ecd5e68a83b3c1a1249f8ca895ad107a4c780d9d3c3430fcc4d3007a299/analysis/1547835953/", "category": "External analysis", "uuid": "cfa6606b-9b09-4da3-8675-1f1e9b067030" }, { "type": "text", "object_relation": "detection-ratio", "value": "16/70", "category": "Other", "uuid": "6269f302-e585-4ca1-8cab-bed4ad17f06b" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--25be4812-2caa-446c-83b4-1c91f7ff551d", "created": "2019-01-20T11:22:41.000Z", "modified": "2019-01-20T11:22:41.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--8cb15f0f-006b-4400-8fd1-e4ac9586b92e", "target_ref": "x-misp-object--b29e2cdc-6709-40b3-b08b-227aacd7503c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--349d7f76-d867-460e-8e45-4be9b793a560", "created": "2019-01-20T11:22:41.000Z", "modified": "2019-01-20T11:22:41.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--9a14aeab-1cc6-4fad-b1db-007f193da4aa", "target_ref": "x-misp-object--baeb4e2d-2b52-4f76-a2d8-ffd3f8fbf96f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--452f7bb6-319d-4ffe-b66b-927736b4a984", "created": "2019-01-20T11:22:41.000Z", "modified": "2019-01-20T11:22:41.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--645535fc-0fe5-4f38-a8b0-a247d8f46d87", "target_ref": "x-misp-object--7cf96e54-0bab-47c1-a06a-6c3ea9173676" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c0e80fb7-b86e-43ad-b623-7fd2056a0b5e", "created": "2019-01-20T11:28:48.000Z", "modified": "2019-01-20T11:28:48.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--db8c563d-74f7-492a-ab64-12d646b305ef", "target_ref": "x-misp-object--573e5323-af68-46ff-bf63-ab4367951a1a" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--5403829c-40f6-41a0-803f-3f1ce82696d2", "created": "2019-01-20T11:28:48.000Z", "modified": "2019-01-20T11:28:48.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--b30ed68b-1525-4bc7-a433-4ead4df9845c", "target_ref": "x-misp-object--d9e9def6-73c0-4b65-b2d3-1d382d809e1b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4f762cd2-e645-48cd-b134-9ca6b92f5f54", "created": "2019-01-20T11:28:48.000Z", "modified": "2019-01-20T11:28:48.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--80cdfaf6-8bf3-4374-9f68-992799ed3b70", "target_ref": "x-misp-object--6da3bd65-82d7-45c7-9a90-417575cca55d" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8e9c6a04-4363-4a3a-90e5-18d514b9d5b5", "created": "2019-01-20T11:28:48.000Z", "modified": "2019-01-20T11:28:48.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--e1137dbb-bedf-4093-8391-b598b22d0a87", "target_ref": "x-misp-object--7df872cb-7f5d-4df9-b654-92c03908f4af" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e502b11f-6a43-4855-8d23-8f5b6e2ada74", "created": "2019-01-20T11:28:48.000Z", "modified": "2019-01-20T11:28:48.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--57bc77e0-6e6a-4ac3-a678-4d620ca79902", "target_ref": "x-misp-object--be750522-8ad5-4911-8601-070557f5b9b2" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2e51b6c6-4a8d-4159-b8e0-eec8c851f802", "created": "2019-01-20T11:28:48.000Z", "modified": "2019-01-20T11:28:48.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--5a403b39-3b33-41e6-852f-277fe242197e", "target_ref": "x-misp-object--61c4a2cb-234e-4428-9dd5-e214916b1536" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }