{ "type": "bundle", "id": "bundle--5c463bd0-63bc-41f1-91dc-622168f8e8cf", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2021-05-24T09:53:13.000Z", "modified": "2021-05-24T09:53:13.000Z", "name": "VK-Intel", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5c463bd0-63bc-41f1-91dc-622168f8e8cf", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2021-05-24T09:53:13.000Z", "modified": "2021-05-24T09:53:13.000Z", "name": "2019-01-21: APT28 Autoit Zebrocy Progression", "published": "2021-05-26T09:07:29Z", "object_refs": [ "indicator--5c463bd0-a7c8-4670-8a27-622168f8e8cf", "indicator--5c463bd0-2174-48b9-bfe3-622168f8e8cf", "indicator--5c463c0a-0f30-4502-9cf3-79aa68f8e8cf", "indicator--5c463c0a-de14-441b-8ec9-79aa68f8e8cf", "indicator--5c463c0a-eb38-4d29-9bf5-79aa68f8e8cf", "indicator--5c463c55-d144-426e-a69c-622168f8e8cf", "indicator--5c463c55-ee08-441f-bd1a-622168f8e8cf", "indicator--5c463c55-d868-4e4b-9235-622168f8e8cf", "x-misp-attribute--5c47f9d7-5f30-4893-a12d-1cfe68f8e8cf", "indicator--5c49639e-7110-4d64-8050-631968f8e8cf", "indicator--5c4963d0-3650-436c-b82e-631868f8e8cf", "x-misp-attribute--5c5c8b3e-49cc-4e88-9a48-0ff9354b4518", "x-misp-attribute--5c5c8b3e-fcc8-4845-8bcd-0ff9354b4518", "x-misp-attribute--5c5c8b3e-b370-4841-863a-0ff9354b4518", "x-misp-attribute--5c5c8b3e-807c-4433-93b2-0ff9354b4518", "x-misp-attribute--5c5c8b3f-6948-461b-bd88-0ff9354b4518", "x-misp-attribute--5c5c8b3f-f40c-409c-bb03-0ff9354b4518", "x-misp-attribute--5c5c8b3f-3110-4eed-af28-0ff9354b4518", "observed-data--5c5c8b3f-ffa8-4e17-91a3-0ff9354b4518", "file--5c5c8b3f-ffa8-4e17-91a3-0ff9354b4518", "x-misp-attribute--5c5c8b40-e5a0-453c-80a6-0ff9354b4518", "observed-data--5c5c8b40-94cc-4c28-ad64-0ff9354b4518", "file--5c5c8b40-94cc-4c28-ad64-0ff9354b4518", "x-misp-attribute--5c5c8b40-4604-4e08-a5b0-0ff9354b4518", "observed-data--5c5c8b40-0508-4724-9882-0ff9354b4518", "file--5c5c8b40-0508-4724-9882-0ff9354b4518", "x-misp-attribute--5c5c8b40-d5bc-4e51-8a0f-0ff9354b4518", "x-misp-attribute--5c5c8b41-8ee0-4dd4-af84-0ff9354b4518", "observed-data--5c5c8b41-ff7c-4eef-82f2-0ff9354b4518", "file--5c5c8b41-ff7c-4eef-82f2-0ff9354b4518", "indicator--b800728f-5a34-4730-a91b-f138e14c98c7", "x-misp-object--99c1af3e-6e2a-4e7e-ae0d-785719b629de", "indicator--d89b9e2c-fbdb-4504-858e-2cac4f989268", "x-misp-object--4b15b1fa-1951-422f-8212-1f96c5f99af3", "indicator--14b16764-ddf9-4007-b47e-3aef5cc6f36a", "x-misp-object--587de82f-4aae-4200-b88f-a8d0fcfc24ed", "indicator--63b96bc9-33bc-4ac2-b26b-077bf4180ab3", "x-misp-object--80a7973b-8573-413c-a2be-73b4062f2654", "indicator--18ba115d-3fa8-4ea6-b0aa-b84d71f314c5", "x-misp-object--ad488ad1-01c8-4a0e-80ee-a7f7257b1f13", "relationship--12803bbe-ec19-482c-81a5-1bef1bd9cb7e", "relationship--2e25ecc3-f2d7-4fc4-89df-239b732cbf79", "relationship--0c1953b7-28a6-4bc9-b5ad-7d95ae5c7405", "relationship--7f45e505-230f-446d-b177-a41c8e30e668", "relationship--b53fd499-b648-40ad-9e84-390de1ee0526" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "Actor: APT28", "Autoit", "Actor: Sofacy", "Downloader", "Malware: Zebrocy", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Command-Line Interface - T1059\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Scripting - T1064\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Registry Run Keys / Start Folder - T1060\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"System Information Discovery - T1082\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Exfiltration Over Command and Control Channel - T1041\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Standard Application Layer Protocol - T1071\"", "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Windows Management Instrumentation - T1047\"", "misp-galaxy:threat-actor=\"Sofacy\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "osint:certainty=\"50\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c463bd0-a7c8-4670-8a27-622168f8e8cf", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-21T21:39:41.000Z", "modified": "2019-01-21T21:39:41.000Z", "description": "APT28 Zebrocy Autoit Samples", "pattern": "[file:hashes.MD5 = 'd6751b148461e0f863548be84020b879']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-21T21:39:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c463bd0-2174-48b9-bfe3-622168f8e8cf", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-22T04:49:50.000Z", "modified": "2019-01-22T04:49:50.000Z", "description": "APT28 Zebrocy Autoit C2 AS9009 M247, GB @m247.com", "pattern": "[url:value = 'http://194.187.249.126']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-22T04:49:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "External analysis" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"External analysis\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c463c0a-0f30-4502-9cf3-79aa68f8e8cf", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-21T21:39:22.000Z", "modified": "2019-01-21T21:39:22.000Z", "description": "APT28 Zebrocy Autoit Samples", "pattern": "[file:hashes.MD5 = '311f24eb2dda26c26f572c727a25503b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-21T21:39:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c463c0a-de14-441b-8ec9-79aa68f8e8cf", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-21T21:39:22.000Z", "modified": "2019-01-21T21:39:22.000Z", "description": "APT28 Zebrocy Autoit Samples", "pattern": "[file:hashes.MD5 = '7b1974e61795e84b6aacf33571320c2a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-21T21:39:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c463c0a-eb38-4d29-9bf5-79aa68f8e8cf", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-21T21:39:22.000Z", "modified": "2019-01-21T21:39:22.000Z", "description": "APT28 Zebrocy Autoit Samples", "pattern": "[file:hashes.MD5 = 'c2e1f2cf18ca987ebb3e8f4c09a4ef7e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-21T21:39:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c463c55-d144-426e-a69c-622168f8e8cf", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-22T04:47:32.000Z", "modified": "2019-01-22T04:47:32.000Z", "description": "APT28 Zebrocy C2 AS201011 NETZBETRIEB-GMBH, DE @core-backbone.com", "pattern": "[url:value = 'http://80.255.6.5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-22T04:47:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c463c55-ee08-441f-bd1a-622168f8e8cf", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-22T04:47:55.000Z", "modified": "2019-01-22T04:47:55.000Z", "description": "APT28 Zebrocy C2 AS49544 I3DNET, NL Qhoster", "pattern": "[url:value = 'http://220.158.216.127']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-22T04:47:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c463c55-d868-4e4b-9235-622168f8e8cf", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-22T04:46:58.000Z", "modified": "2019-01-22T04:46:58.000Z", "description": "APT28 Zebrocy C2 AS29073 QUASINETWORKS, NL @libertyvps.net", "pattern": "[url:value = 'https://145.249.106.198/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-22T04:46:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5c47f9d7-5f30-4893-a12d-1cfe68f8e8cf", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-23T05:21:27.000Z", "modified": "2019-01-23T05:21:27.000Z", "labels": [ "misp:type=\"threat-actor\"", "misp:category=\"Attribution\"" ], "x_misp_category": "Attribution", "x_misp_type": "threat-actor", "x_misp_value": "APT28" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c49639e-7110-4d64-8050-631968f8e8cf", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-24T07:05:02.000Z", "modified": "2019-01-24T07:05:02.000Z", "description": "Zebrocy AutoIt Jan 16, 2019", "pattern": "[file:hashes.MD5 = 'ec57bb4980ea0190f4ad05d0ea9c9447']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-24T07:05:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c4963d0-3650-436c-b82e-631868f8e8cf", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-24T07:05:52.000Z", "modified": "2019-01-24T07:05:52.000Z", "description": "Zebrocy January 16, 2019 URL", "pattern": "[url:value = 'http://185.236.203.53']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-24T07:05:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5c5c8b3e-49cc-4e88-9a48-0ff9354b4518", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-02-07T19:51:47.000Z", "modified": "2019-02-07T19:51:47.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Other\"" ], "x_misp_category": "Other", "x_misp_comment": "7b1974e61795e84b6aacf33571320c2a: Enriched", "x_misp_type": "text", "x_misp_value": "virus (suspicious);AVG;" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5c5c8b3e-fcc8-4845-8bcd-0ff9354b4518", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-02-07T19:53:10.000Z", "modified": "2019-02-07T19:53:10.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Other\"" ], "x_misp_category": "Other", "x_misp_comment": "7b1974e61795e84b6aacf33571320c2a: Enriched", "x_misp_type": "text", "x_misp_value": "PUA.Win.Packer.AcprotectUltraprotect-1;ClamAV;" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5c5c8b3e-b370-4841-863a-0ff9354b4518", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-02-07T19:51:40.000Z", "modified": "2019-02-07T19:51:40.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Other\"" ], "x_misp_category": "Other", "x_misp_comment": "7b1974e61795e84b6aacf33571320c2a: Enriched", "x_misp_type": "text", "x_misp_value": "Win32/Spy.Autoit.EK trojan;ESETnod32;" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5c5c8b3e-807c-4433-93b2-0ff9354b4518", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-02-07T19:53:20.000Z", "modified": "2019-02-07T19:53:20.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Other\"" ], "x_misp_category": "Other", "x_misp_comment": "7b1974e61795e84b6aacf33571320c2a: Enriched", "x_misp_type": "text", "x_misp_value": "W32/Autoit.EK!tr.spy;Fortinet;" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5c5c8b3f-6948-461b-bd88-0ff9354b4518", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-02-07T19:49:55.000Z", "modified": "2019-02-07T19:49:55.000Z", "labels": [ "misp:type=\"size-in-bytes\"", "misp:category=\"Other\"" ], "x_misp_category": "Other", "x_misp_comment": "7b1974e61795e84b6aacf33571320c2a: Enriched", "x_misp_type": "size-in-bytes", "x_misp_value": "1150976" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5c5c8b3f-f40c-409c-bb03-0ff9354b4518", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-02-07T19:52:23.000Z", "modified": "2019-02-07T19:52:23.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Payload type\"" ], "x_misp_category": "Payload type", "x_misp_comment": "7b1974e61795e84b6aacf33571320c2a: Enriched", "x_misp_type": "text", "x_misp_value": "9ea0c70001000000f1c6cd0033000000f1c6ce00ae000000f1c6cf003200000009788300090000000978930025000000000001001402000066eed8004d00000066eecd000200000066eec90001000000000097000100000066eecc0001000000;0;" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5c5c8b3f-3110-4eed-af28-0ff9354b4518", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-02-07T19:53:05.000Z", "modified": "2019-02-07T19:53:05.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Payload type\"" ], "x_misp_category": "Payload type", "x_misp_comment": "7b1974e61795e84b6aacf33571320c2a: Enriched", "x_misp_type": "text", "x_misp_value": "VC8 -> Microsoft Corporation" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5c5c8b3f-ffa8-4e17-91a3-0ff9354b4518", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-02-07T19:49:34.000Z", "modified": "2019-02-07T19:49:34.000Z", "first_observed": "2019-02-07T19:49:34Z", "last_observed": "2019-02-07T19:49:34Z", "number_observed": 1, "object_refs": [ "file--5c5c8b3f-ffa8-4e17-91a3-0ff9354b4518" ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5c5c8b3f-ffa8-4e17-91a3-0ff9354b4518", "hashes": { "SHA-256": "121407a9bced8297fbbdfb76ae79f16fe9fa0574deee21a44dfb56d5b1deb999" } }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5c5c8b40-e5a0-453c-80a6-0ff9354b4518", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-02-07T19:49:29.000Z", "modified": "2019-02-07T19:49:29.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Payload delivery\"" ], "x_misp_category": "Payload delivery", "x_misp_comment": "7b1974e61795e84b6aacf33571320c2a: Enriched", "x_misp_type": "text", "x_misp_value": "MS certificate checker 3.3.12.0 12.5.34.0 Certificate verify checker Certificate verify checker" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5c5c8b40-94cc-4c28-ad64-0ff9354b4518", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-02-07T19:48:51.000Z", "modified": "2019-02-07T19:48:51.000Z", "first_observed": "2019-02-07T19:48:51Z", "last_observed": "2019-02-07T19:48:51Z", "number_observed": 1, "object_refs": [ "file--5c5c8b40-94cc-4c28-ad64-0ff9354b4518" ], "labels": [ "misp:type=\"imphash\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5c5c8b40-94cc-4c28-ad64-0ff9354b4518", "hashes": { "IMPHASH": "c1d258acab237961164a925272293413" } }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5c5c8b40-4604-4e08-a5b0-0ff9354b4518", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-02-07T19:49:21.000Z", "modified": "2019-02-07T19:49:21.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Other\"" ], "x_misp_category": "Other", "x_misp_comment": "7b1974e61795e84b6aacf33571320c2a: Enriched", "x_misp_type": "text", "x_misp_value": "%WINDIR%\\temp\\Invoice-59947267.exe" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5c5c8b40-0508-4724-9882-0ff9354b4518", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-02-07T19:49:13.000Z", "modified": "2019-02-07T19:49:13.000Z", "first_observed": "2019-02-07T19:49:13Z", "last_observed": "2019-02-07T19:49:13Z", "number_observed": 1, "object_refs": [ "file--5c5c8b40-0508-4724-9882-0ff9354b4518" ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5c5c8b40-0508-4724-9882-0ff9354b4518", "hashes": { "SHA-1": "ce3b60fbad031c9bd5a10779cc8beb185035d407" } }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5c5c8b40-d5bc-4e51-8a0f-0ff9354b4518", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-02-07T19:48:58.000Z", "modified": "2019-02-07T19:48:58.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Attribution\"" ], "x_misp_category": "Attribution", "x_misp_comment": "7b1974e61795e84b6aacf33571320c2a: Enriched", "x_misp_type": "text", "x_misp_value": "LANG_ENGLISH/SUBLANG_ENGLISH_UK" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5c5c8b41-8ee0-4dd4-af84-0ff9354b4518", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-02-07T19:48:42.000Z", "modified": "2019-02-07T19:48:42.000Z", "labels": [ "misp:type=\"datetime\"", "misp:category=\"Other\"" ], "x_misp_category": "Other", "x_misp_comment": "7b1974e61795e84b6aacf33571320c2a: Enriched", "x_misp_type": "datetime", "x_misp_value": "2018-03-02T01:31:48" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5c5c8b41-ff7c-4eef-82f2-0ff9354b4518", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-02-07T19:48:31.000Z", "modified": "2019-02-07T19:48:31.000Z", "first_observed": "2019-02-07T19:48:31Z", "last_observed": "2019-02-07T19:48:31Z", "number_observed": 1, "object_refs": [ "file--5c5c8b41-ff7c-4eef-82f2-0ff9354b4518" ], "labels": [ "misp:type=\"pehash\"", "misp:category=\"Payload delivery\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5c5c8b41-ff7c-4eef-82f2-0ff9354b4518", "hashes": { "PEHASH": "791574aad9b238c5093e3c83a5db553ef45b01f1" } }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b800728f-5a34-4730-a91b-f138e14c98c7", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-24T21:38:08.000Z", "modified": "2019-01-24T21:38:08.000Z", "pattern": "[file:hashes.MD5 = 'd6751b148461e0f863548be84020b879' AND file:hashes.SHA1 = 'bab1d2c668e597d19f9ee9395944c1ce0f34f279' AND file:hashes.SHA256 = '1aa4ad5a3f8929d61f559df656c84326d1fe0ca82a4be299fa758a26e14b1b27']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-24T21:38:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--99c1af3e-6e2a-4e7e-ae0d-785719b629de", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-24T21:38:09.000Z", "modified": "2019-01-24T21:38:09.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-01-24T11:36:53", "category": "Other", "uuid": "2fe07c1b-96ab-4f81-987a-8db6f28c9942" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/1aa4ad5a3f8929d61f559df656c84326d1fe0ca82a4be299fa758a26e14b1b27/analysis/1548329813/", "category": "External analysis", "uuid": "5b56cfbc-246d-4782-b0bf-8fe1c528f788" }, { "type": "text", "object_relation": "detection-ratio", "value": "43/69", "category": "Other", "uuid": "792b941e-1e36-488a-bc89-bfd79ada3391" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d89b9e2c-fbdb-4504-858e-2cac4f989268", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-24T21:38:09.000Z", "modified": "2019-01-24T21:38:09.000Z", "pattern": "[file:hashes.MD5 = 'c2e1f2cf18ca987ebb3e8f4c09a4ef7e' AND file:hashes.SHA1 = 'e757ea599a1d6f1d06d90589d7f19dd1c1bf8b7b' AND file:hashes.SHA256 = '5b52bc196bfc207d43eedfe585df96fcfabbdead087ff79fcdcdd4d08c7806db']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-24T21:38:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--4b15b1fa-1951-422f-8212-1f96c5f99af3", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-24T21:38:09.000Z", "modified": "2019-01-24T21:38:09.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-10-25T17:04:30", "category": "Other", "uuid": "6da72563-3cc7-4780-a07e-55ff265b9308" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/5b52bc196bfc207d43eedfe585df96fcfabbdead087ff79fcdcdd4d08c7806db/analysis/1540487070/", "category": "External analysis", "uuid": "71f1982a-d31f-42ea-8e9f-ef485841b836" }, { "type": "text", "object_relation": "detection-ratio", "value": "40/65", "category": "Other", "uuid": "3ec5fc33-7d0b-4ae9-a429-670577bea696" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--14b16764-ddf9-4007-b47e-3aef5cc6f36a", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-24T21:38:09.000Z", "modified": "2019-01-24T21:38:09.000Z", "pattern": "[file:hashes.MD5 = 'ec57bb4980ea0190f4ad05d0ea9c9447' AND file:hashes.SHA1 = '6b300486d17d07a02365d32b673cd6638bd384f3' AND file:hashes.SHA256 = 'e6e93c7744d20e2cac2c2b257868686c861d43c6cf3de146b8812778c8283f7d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-24T21:38:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--587de82f-4aae-4200-b88f-a8d0fcfc24ed", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-24T21:38:10.000Z", "modified": "2019-01-24T21:38:10.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-01-23T17:12:32", "category": "Other", "uuid": "5a292dc8-ad4d-40ac-8462-bc25b6767fb9" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/e6e93c7744d20e2cac2c2b257868686c861d43c6cf3de146b8812778c8283f7d/analysis/1548263552/", "category": "External analysis", "uuid": "8c6e54b1-8393-4723-9851-47466fe07a81" }, { "type": "text", "object_relation": "detection-ratio", "value": "34/70", "category": "Other", "uuid": "0028b781-c4c6-4957-846f-b9a97cd4afe9" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--63b96bc9-33bc-4ac2-b26b-077bf4180ab3", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-24T21:38:10.000Z", "modified": "2019-01-24T21:38:10.000Z", "pattern": "[file:hashes.MD5 = '311f24eb2dda26c26f572c727a25503b' AND file:hashes.SHA1 = '74e12fbcac14b2f1b2d83cabb057f8e059c95d68' AND file:hashes.SHA256 = '01bca6481a3a55dc5de5bfa4124bba47d37018d8ee93e5dbb80a60a14f243889']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-24T21:38:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--80a7973b-8573-413c-a2be-73b4062f2654", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-24T21:38:10.000Z", "modified": "2019-01-24T21:38:10.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-11-06T17:34:50", "category": "Other", "uuid": "fc0041a5-dc4f-4fcf-a5b6-6a9fcb978a7f" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/01bca6481a3a55dc5de5bfa4124bba47d37018d8ee93e5dbb80a60a14f243889/analysis/1541525690/", "category": "External analysis", "uuid": "3640584d-273d-4d8f-8976-37156c0a0593" }, { "type": "text", "object_relation": "detection-ratio", "value": "33/67", "category": "Other", "uuid": "89221de2-e8a5-433e-93aa-ee73006ae663" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--18ba115d-3fa8-4ea6-b0aa-b84d71f314c5", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-24T21:38:10.000Z", "modified": "2019-01-24T21:38:10.000Z", "pattern": "[file:hashes.MD5 = '7b1974e61795e84b6aacf33571320c2a' AND file:hashes.SHA1 = 'ce3b60fbad031c9bd5a10779cc8beb185035d407' AND file:hashes.SHA256 = '121407a9bced8297fbbdfb76ae79f16fe9fa0574deee21a44dfb56d5b1deb999']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-24T21:38:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--ad488ad1-01c8-4a0e-80ee-a7f7257b1f13", "created_by_ref": "identity--5bfa439e-c978-4dcd-b474-73f568f8e8cf", "created": "2019-01-24T21:38:10.000Z", "modified": "2019-01-24T21:38:10.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-01-12T06:28:05", "category": "Other", "uuid": "ea4f7140-d3c9-46cb-8d71-627dc47ee8e1" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/121407a9bced8297fbbdfb76ae79f16fe9fa0574deee21a44dfb56d5b1deb999/analysis/1547274485/", "category": "External analysis", "uuid": "3897fb76-7663-4961-8bc6-27bd0f697402" }, { "type": "text", "object_relation": "detection-ratio", "value": "47/69", "category": "Other", "uuid": "d7b594d5-8ae7-4c4e-bb62-9d0a9f402523" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--12803bbe-ec19-482c-81a5-1bef1bd9cb7e", "created": "2021-05-24T09:53:13.000Z", "modified": "2021-05-24T09:53:13.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--b800728f-5a34-4730-a91b-f138e14c98c7", "target_ref": "x-misp-object--99c1af3e-6e2a-4e7e-ae0d-785719b629de" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2e25ecc3-f2d7-4fc4-89df-239b732cbf79", "created": "2021-05-24T09:53:13.000Z", "modified": "2021-05-24T09:53:13.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--d89b9e2c-fbdb-4504-858e-2cac4f989268", "target_ref": "x-misp-object--4b15b1fa-1951-422f-8212-1f96c5f99af3" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0c1953b7-28a6-4bc9-b5ad-7d95ae5c7405", "created": "2021-05-24T09:53:13.000Z", "modified": "2021-05-24T09:53:13.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--14b16764-ddf9-4007-b47e-3aef5cc6f36a", "target_ref": "x-misp-object--587de82f-4aae-4200-b88f-a8d0fcfc24ed" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7f45e505-230f-446d-b177-a41c8e30e668", "created": "2021-05-24T09:53:13.000Z", "modified": "2021-05-24T09:53:13.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--63b96bc9-33bc-4ac2-b26b-077bf4180ab3", "target_ref": "x-misp-object--80a7973b-8573-413c-a2be-73b4062f2654" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b53fd499-b648-40ad-9e84-390de1ee0526", "created": "2021-05-24T09:53:13.000Z", "modified": "2021-05-24T09:53:13.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--18ba115d-3fa8-4ea6-b0aa-b84d71f314c5", "target_ref": "x-misp-object--ad488ad1-01c8-4a0e-80ee-a7f7257b1f13" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }