{ "type": "bundle", "id": "bundle--5cd2ec29-16fc-4842-b954-282902de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-08T15:20:32.000Z", "modified": "2019-05-08T15:20:32.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5cd2ec29-16fc-4842-b954-282902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-08T15:20:32.000Z", "modified": "2019-05-08T15:20:32.000Z", "name": "OSINT - Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak", "published": "2019-05-08T15:20:40Z", "object_refs": [ "indicator--5cd2ed5b-ed08-4fe3-bf5d-2829950d210f", "indicator--5cd2ed5b-f164-4f34-8ecd-2829950d210f", "indicator--5cd2ed5b-b458-4acf-b636-2829950d210f", "indicator--5cd2ed5b-eca8-4834-a29a-2829950d210f", "indicator--5cd2ed5b-8ce0-4eab-bdf1-2829950d210f", "indicator--5cd2ed5b-639c-4e92-9ef1-2829950d210f", "indicator--5cd2ed5b-b7c4-45a4-8544-2829950d210f", "indicator--5cd2ed5b-75ac-4259-9dc9-2829950d210f", "indicator--5cd2ed5b-8600-4adf-8514-2829950d210f", "indicator--5cd2ed5b-6c24-4586-b546-2829950d210f", "indicator--5cd2ed5b-3434-4064-bf3c-2829950d210f", "indicator--5cd2ed5b-a248-4e3e-8892-2829950d210f", "indicator--5cd2ed5b-5860-4fbd-a655-2829950d210f", "indicator--5cd2ed5b-b054-4431-b920-2829950d210f", "indicator--5cd2ed5b-6b38-47d6-9a7c-2829950d210f", "indicator--5cd2ed5b-0258-45d5-930e-2829950d210f", "observed-data--5cd2f38f-2274-4de6-b0a0-482402de0b81", "url--5cd2f38f-2274-4de6-b0a0-482402de0b81", "x-misp-attribute--5cd2f3b2-d488-4322-b60c-445f02de0b81", "indicator--cb969a73-6e24-4be3-9e56-19d7b012bdf9", "x-misp-object--b8448b23-79bc-4adb-b285-e620e36372f9", "indicator--29707d14-8018-4c35-9bb4-2ee259cf9724", "x-misp-object--9f0f1973-38c8-4a2c-9ab8-0b71e5a37a2c", "indicator--6b996ac5-d722-4603-a955-0264c5081cb2", "x-misp-object--cdbb3fad-5a1c-4032-b488-71878e955d17", "relationship--617944cf-089a-4d31-938a-d3c035788b60", "relationship--292a65c5-4b8f-44b3-b388-0d25e399f797", "relationship--8be65713-49d0-447b-b40f-0d7ad5160e7b" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "osint:certainty=\"50\"", "misp-galaxy:threat-actor=\"UPS\"", "misp-galaxy:mitre-intrusion-set=\"APT3 - G0022\"", "osint:source-type=\"blog-post\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd2ed5b-ed08-4fe3-bf5d-2829950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-08T14:53:15.000Z", "modified": "2019-05-08T14:53:15.000Z", "description": "Pirpi (first variant)", "pattern": "[file:hashes.MD5 = '7020bcb347404654e17f6303848b7ec4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-08T14:53:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd2ed5b-f164-4f34-8ecd-2829950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-08T14:53:15.000Z", "modified": "2019-05-08T14:53:15.000Z", "description": "Pirpi (first variant)", "pattern": "[file:hashes.SHA256 = 'cbe23daa9d2f8e1f5d59c8336dd5b7d7ba1d5cf3f0d45e66107668e80b073ac3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-08T14:53:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd2ed5b-b458-4acf-b636-2829950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-08T14:53:15.000Z", "modified": "2019-05-08T14:53:15.000Z", "description": "Pirpi (second variant)", "pattern": "[file:hashes.MD5 = 'aacfef51a4a242f52fbb838c1d063d9b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-08T14:53:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd2ed5b-eca8-4834-a29a-2829950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-08T14:53:15.000Z", "modified": "2019-05-08T14:53:15.000Z", "description": "Pirpi (second variant)", "pattern": "[file:hashes.SHA256 = '53145f374299e673d82d108b133341dc7bee642530b560118e3cbcdb981ee92c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-08T14:53:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd2ed5b-8ce0-4eab-bdf1-2829950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-08T14:53:15.000Z", "modified": "2019-05-08T14:53:15.000Z", "description": "Command line utility to list user accounts on remote machine", "pattern": "[file:hashes.MD5 = 'c2f902f398783922a921df7d46590295']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-08T14:53:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd2ed5b-639c-4e92-9ef1-2829950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-08T14:53:15.000Z", "modified": "2019-05-08T14:53:15.000Z", "description": "Command line utility to list user accounts on remote machine", "pattern": "[file:hashes.SHA256 = '01f53953db8ba580ee606043a482f790082460c8cdbd7ff151d84e03fdc87e42']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-08T14:53:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd2ed5b-b7c4-45a4-8544-2829950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-08T14:53:15.000Z", "modified": "2019-05-08T14:53:15.000Z", "description": "Filensfer (C/C++)", "pattern": "[file:hashes.MD5 = '6458806a5071a7c4fefae084791e8c67']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-08T14:53:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd2ed5b-75ac-4259-9dc9-2829950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-08T14:53:15.000Z", "modified": "2019-05-08T14:53:15.000Z", "description": "Filensfer (C/C++)", "pattern": "[file:hashes.SHA256 = '6b1f8b303956c04e24448b1eec8634bd3fb2784c8a2d12ecf8588424b36d3cbc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-08T14:53:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd2ed5b-8600-4adf-8514-2829950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-08T14:53:15.000Z", "modified": "2019-05-08T14:53:15.000Z", "description": "Filensfer (Powershell)", "pattern": "[file:hashes.MD5 = '0d2d0d8f4989679f7c26b5531096b8b2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-08T14:53:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd2ed5b-6c24-4586-b546-2829950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-08T14:53:15.000Z", "modified": "2019-05-08T14:53:15.000Z", "description": "Filensfer (Powershell)", "pattern": "[file:hashes.SHA256 = '7bfad342ce88de19d090a4cb2ce332022650abd68f34e83fdc694f10a4090d65']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-08T14:53:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd2ed5b-3434-4064-bf3c-2829950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-08T14:53:15.000Z", "modified": "2019-05-08T14:53:15.000Z", "description": "Filensfer (py2exe)", "pattern": "[file:hashes.MD5 = 'a3932533efc04ac3fe89fb5b3d60128a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-08T14:53:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd2ed5b-a248-4e3e-8892-2829950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-08T14:53:15.000Z", "modified": "2019-05-08T14:53:15.000Z", "description": "Filensfer (py2exe)", "pattern": "[file:hashes.SHA256 = '3dbe8700ecd27b3dc39643b95b187ccfd44318fc88c5e6ee6acf3a07cdaf377e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-08T14:53:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd2ed5b-5860-4fbd-a655-2829950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-08T14:53:15.000Z", "modified": "2019-05-08T14:53:15.000Z", "description": "Command line SMB client", "pattern": "[file:hashes.MD5 = '58f784c7a292103251930360f9ca713e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-08T14:53:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd2ed5b-b054-4431-b920-2829950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-08T14:53:15.000Z", "modified": "2019-05-08T14:53:15.000Z", "description": "Command line SMB client", "pattern": "[file:hashes.SHA256 = '1c9f1c7056864b5fdd491d5daa49f920c3388cb8a8e462b2bc34181cef6c1f9c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-08T14:53:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd2ed5b-6b38-47d6-9a7c-2829950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-08T14:53:15.000Z", "modified": "2019-05-08T14:53:15.000Z", "description": "HTran", "pattern": "[file:hashes.MD5 = 'a469d48e25e524cf0dec64f01c182b25']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-08T14:53:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5cd2ed5b-0258-45d5-930e-2829950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-08T14:53:15.000Z", "modified": "2019-05-08T14:53:15.000Z", "description": "HTran", "pattern": "[file:hashes.SHA256 = '951f079031c996c85240831ea1b61507f91990282daae6da2841311322e8a6d7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-08T14:53:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5cd2f38f-2274-4de6-b0a0-482402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-08T15:19:43.000Z", "modified": "2019-05-08T15:19:43.000Z", "first_observed": "2019-05-08T15:19:43Z", "last_observed": "2019-05-08T15:19:43Z", "number_observed": 1, "object_refs": [ "url--5cd2f38f-2274-4de6-b0a0-482402de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5cd2f38f-2274-4de6-b0a0-482402de0b81", "value": "https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5cd2f3b2-d488-4322-b60c-445f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-08T15:20:18.000Z", "modified": "2019-05-08T15:20:18.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak\r\nWindows zero day was exploited by Buckeye alongside Equation Group tools during 2016 attacks. Exploit and tools continued to be used after Buckeye's apparent disappearance in 2017.\r\nKey Findings\r\n\r\n The Buckeye attack group was using Equation Group tools to gain persistent access to target organizations at least a year prior to the Shadow Brokers leak.\r\n Variants of Equation Group tools used by Buckeye appear to be different from those released by Shadow Brokers, potentially indicating that they didn't originate from that leak.\r\n Buckeye's use of Equation Group tools also involved the exploit of a previously unknown Windows zero-day vulnerability. This zero day was reported by Symantec to Microsoft in September 2018 and patched in March 2019.\r\n While Buckeye appeared to cease operations in mid-2017, the Equation Group tools it used continued to be used in attacks until late 2018. It is unknown who continued to use the tools. They may have been passed to another group or Buckeye may have continued operating longer than supposed.\r\n\r\nThe 2017 leak of Equation Group tools by a mysterious group calling itself the Shadow Brokers was one of the most significant cyber security stories in recent years. Equation is regarded as one of the most technically adept espionage groups and the release of a trove of its tools had a major impact, with many attackers rushing to deploy the malware and exploits disclosed." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--cb969a73-6e24-4be3-9e56-19d7b012bdf9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-08T14:55:15.000Z", "modified": "2019-05-08T14:55:15.000Z", "pattern": "[file:hashes.MD5 = '6458806a5071a7c4fefae084791e8c67' AND file:hashes.SHA1 = 'ec6cf407e4f791abb04a2bafde0980a2ba1fd2a8' AND file:hashes.SHA256 = '6b1f8b303956c04e24448b1eec8634bd3fb2784c8a2d12ecf8588424b36d3cbc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-08T14:55:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--b8448b23-79bc-4adb-b285-e620e36372f9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-08T14:55:15.000Z", "modified": "2019-05-08T14:55:15.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-05-08T05:07:44", "category": "Other", "comment": "Filensfer (C/C++)", "uuid": "94260963-ba53-478d-8521-3a62b6a411cb" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/6b1f8b303956c04e24448b1eec8634bd3fb2784c8a2d12ecf8588424b36d3cbc/analysis/1557292064/", "category": "Payload delivery", "comment": "Filensfer (C/C++)", "uuid": "5701e708-1d8c-4670-8b47-0acb9670c276" }, { "type": "text", "object_relation": "detection-ratio", "value": "45/73", "category": "Payload delivery", "comment": "Filensfer (C/C++)", "uuid": "e950587d-ed19-426c-96ac-b93f8a0cd985" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--29707d14-8018-4c35-9bb4-2ee259cf9724", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-08T14:55:15.000Z", "modified": "2019-05-08T14:55:15.000Z", "pattern": "[file:hashes.MD5 = 'a3932533efc04ac3fe89fb5b3d60128a' AND file:hashes.SHA1 = '2a01d103b2bb66cba2cdb201f09933fee2055db3' AND file:hashes.SHA256 = '3dbe8700ecd27b3dc39643b95b187ccfd44318fc88c5e6ee6acf3a07cdaf377e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-08T14:55:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--9f0f1973-38c8-4a2c-9ab8-0b71e5a37a2c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-08T14:55:15.000Z", "modified": "2019-05-08T14:55:15.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-05-08T05:07:41", "category": "Other", "comment": "Filensfer (py2exe)", "uuid": "7773b23b-26f6-4274-9911-ff7ce63a8c4b" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/3dbe8700ecd27b3dc39643b95b187ccfd44318fc88c5e6ee6acf3a07cdaf377e/analysis/1557292061/", "category": "Payload delivery", "comment": "Filensfer (py2exe)", "uuid": "7c4abf50-a135-4369-bc1c-12aeabe252b7" }, { "type": "text", "object_relation": "detection-ratio", "value": "19/73", "category": "Payload delivery", "comment": "Filensfer (py2exe)", "uuid": "a31469f5-82a2-4210-88a4-4ffc8a06fcdc" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6b996ac5-d722-4603-a955-0264c5081cb2", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-08T14:55:15.000Z", "modified": "2019-05-08T14:55:15.000Z", "pattern": "[file:hashes.MD5 = 'a469d48e25e524cf0dec64f01c182b25' AND file:hashes.SHA1 = '312f62f4b6a6251a8b6501d665da3069ce21a3b6' AND file:hashes.SHA256 = '951f079031c996c85240831ea1b61507f91990282daae6da2841311322e8a6d7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-05-08T14:55:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"", "misp-galaxy:malpedia=\"HTran\"", "misp-galaxy:tool=\"Htran\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--cdbb3fad-5a1c-4032-b488-71878e955d17", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-05-08T14:55:15.000Z", "modified": "2019-05-08T14:55:15.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-05-08T05:07:48", "category": "Other", "comment": "HTran", "uuid": "440ea4c6-db42-4154-b545-9a240b49dc79" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/951f079031c996c85240831ea1b61507f91990282daae6da2841311322e8a6d7/analysis/1557292068/", "category": "Payload delivery", "comment": "HTran", "uuid": "e1e619bf-cf06-4e72-bce0-1badbcceb720" }, { "type": "text", "object_relation": "detection-ratio", "value": "47/73", "category": "Payload delivery", "comment": "HTran", "uuid": "129a5a26-1fe5-4fa8-a304-8b1e6b2c3e30" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--617944cf-089a-4d31-938a-d3c035788b60", "created": "2019-05-08T14:55:16.000Z", "modified": "2019-05-08T14:55:16.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--cb969a73-6e24-4be3-9e56-19d7b012bdf9", "target_ref": "x-misp-object--b8448b23-79bc-4adb-b285-e620e36372f9" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--292a65c5-4b8f-44b3-b388-0d25e399f797", "created": "2019-05-08T14:55:16.000Z", "modified": "2019-05-08T14:55:16.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--29707d14-8018-4c35-9bb4-2ee259cf9724", "target_ref": "x-misp-object--9f0f1973-38c8-4a2c-9ab8-0b71e5a37a2c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8be65713-49d0-447b-b40f-0d7ad5160e7b", "created": "2019-05-08T14:55:16.000Z", "modified": "2019-05-08T14:55:16.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--6b996ac5-d722-4603-a955-0264c5081cb2", "target_ref": "x-misp-object--cdbb3fad-5a1c-4032-b488-71878e955d17" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }