{ "type": "bundle", "id": "bundle--5b58330e-b924-4828-b3a5-4986950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T07:17:17.000Z", "modified": "2018-07-26T07:17:17.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "grouping", "spec_version": "2.1", "id": "grouping--5b58330e-b924-4828-b3a5-4986950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T07:17:17.000Z", "modified": "2018-07-26T07:17:17.000Z", "name": "OSINT - Kronos Banking Trojan Used to Deliver New Point-of-Sale Malware", "context": "suspicious-activity", "object_refs": [ "observed-data--5b58331e-7b14-4ec5-bf29-42e7950d210f", "url--5b58331e-7b14-4ec5-bf29-42e7950d210f", "indicator--5b583b7d-41d0-4051-8331-4746950d210f", "indicator--5b583b7e-9420-4436-9201-4f93950d210f", "indicator--5b583b7e-ac24-421f-83f7-48d7950d210f", "indicator--5b583b7e-3b34-4162-970f-4b59950d210f", "indicator--5b583b7f-80e8-4230-a77e-4453950d210f", "indicator--5b583b7f-aba8-44df-bee9-4880950d210f", "indicator--5b583b80-8898-45cc-a722-4932950d210f", "indicator--5b583b80-50c4-483b-a57b-4b34950d210f", "indicator--5b583b81-666c-47cc-82d7-418c950d210f", "indicator--5b583b81-0354-4c37-9f23-4699950d210f", "indicator--5b583b82-b2a0-4c3e-a7f6-4f40950d210f", "indicator--5b583b82-7384-4bc0-ad26-4fa1950d210f", "indicator--5b583b82-8e54-4390-b12a-42c1950d210f", "indicator--5b583b83-a568-4200-8c7a-48c2950d210f", "indicator--5b583b83-8390-470a-ae42-4e22950d210f", "indicator--5b5842d8-8e0c-45c9-ae13-451b950d210f", "x-misp-attribute--5b587469-3e60-43ba-91fb-9146950d210f", "indicator--5b583628-807c-4168-843b-43eb950d210f", "indicator--5b58365c-aa24-4e3d-a908-49e6950d210f", "indicator--5b583698-e9f8-428f-8754-4eed950d210f", "indicator--5b583727-3fe0-4c85-81b7-41a1950d210f", "indicator--5b58374c-d1a8-4736-8cea-42e9950d210f", "observed-data--5b58375c-ae60-4530-8186-425b950d210f", "file--5b58375c-ae60-4530-8186-425b950d210f", "indicator--5b58389b-2f00-49cc-b0ac-4454950d210f", "indicator--5b5838b0-acf8-4d3e-8b64-4fa7950d210f", "indicator--5b5838c7-ae6c-4367-903a-4975950d210f", "indicator--5b5838da-60ac-4477-be0d-41d4950d210f", "indicator--5b5838e9-b540-4e30-ad63-44aa950d210f", "indicator--a9d88727-e3a0-4095-b1d0-2b156670a502", "x-misp-object--edb2ae54-a660-4d51-ab66-8f27d9223543", "indicator--98a247a0-d160-4eee-be67-362795be9206", "x-misp-object--0d28ddad-c7aa-4a6b-a448-c253efd98a2f", "indicator--b0fd87a7-f7be-4f96-8ebc-90044b6c09ab", "x-misp-object--e548da40-21e0-44e7-8878-30051f1ffa04", "indicator--ef42d127-90f8-425a-8866-83310e33e640", "x-misp-object--6709cf8f-3627-407e-8485-e6218167d3c0", "indicator--f734d0d6-468b-4c5d-8883-d137f6140100", "x-misp-object--71d925d6-48ee-413d-bb73-c729eedd03f1", "indicator--31d38205-0b87-4063-a326-2e4f1a2459db", "x-misp-object--4ed5377e-7638-45ba-9377-a1aa31e4a4ae", "indicator--b6d5fe7e-b69f-4e54-942e-360486c7bfcb", "x-misp-object--776e2aba-176a-48be-895a-c6d665ffcd02", "indicator--d7634bbe-3e21-4bcf-b1ae-8d7625dfeea4", "x-misp-object--3acaf083-3b2a-4b5f-9451-7c1ea9b39768", "indicator--16984ff8-41a2-42d9-a859-87df65432e94", "x-misp-object--8df7db4c-c0a1-495d-a400-6e134bf827a6", "indicator--18574ddd-6a89-41b7-924b-d9a1388d4fc0", "x-misp-object--77f014cd-c354-4167-86fa-78e315ba907b", "indicator--0d95e126-39c8-4048-be62-5470568b0f0f", "x-misp-object--11e88643-99a3-4053-b9bf-73f53056ebae", "relationship--95c49945-cdca-4019-b1e0-c067a4d32f16", "relationship--13191b36-c491-475f-8c70-13cb282229c8", "relationship--07b16923-0a92-4025-9007-d0efbcef7e9a", "relationship--62f895d3-6fbc-49a6-b01b-f0fa884ecc5b", "relationship--e524abdf-47b1-428b-ada4-2495a39a1dee", "relationship--a75b5f32-3bb7-43fd-91ac-4aca531fe0c1", "relationship--73a423e8-c9d2-4e84-9bf9-86f9adef88f3", "relationship--fdbb1028-e78c-4ead-af46-1f9778c657b3", "relationship--bb1c5730-e990-4437-83d8-a9e2adcb9e04", "relationship--84c9a2fc-7809-4f73-a677-03dd4a0daa00", "relationship--297a2c38-9cae-4e5d-bc9f-1f9e0b5a9c53" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "malware_classification:malware-category=\"Trojan\"", "ms-caro-malware-full:malware-family=\"Banker\"", "misp-galaxy:banker=\"Kronos\"", "osint:source-type=\"blog-post\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5b58331e-7b14-4ec5-bf29-42e7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T07:17:06.000Z", "modified": "2018-07-26T07:17:06.000Z", "first_observed": "2018-07-26T07:17:06Z", "last_observed": "2018-07-26T07:17:06Z", "number_observed": 1, "object_refs": [ "url--5b58331e-7b14-4ec5-bf29-42e7950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5b58331e-7b14-4ec5-bf29-42e7950d210f", "value": "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b583b7d-41d0-4051-8331-4746950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T10:13:57.000Z", "modified": "2018-07-25T10:13:57.000Z", "description": "Phishing link on Nov 8", "pattern": "[url:value = 'http://invoice.docs-sharepoint.com/profile/profile.php?id=[base64 e-mail address]']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T10:13:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b583b7e-9420-4436-9201-4f93950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T08:57:34.000Z", "modified": "2018-07-25T08:57:34.000Z", "description": "Redirect from phishing link on Nov 8", "pattern": "[url:value = 'http://invoice.docs-sharepoint.com/profile/download.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T08:57:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b583b7e-ac24-421f-83f7-48d7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T08:57:34.000Z", "modified": "2018-07-25T08:57:34.000Z", "description": "ZeuS C&C on Nov 8", "pattern": "[url:value = 'https://feed.networksupdates.com/feed/webfeed.xml']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T08:57:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b583b7e-3b34-4162-970f-4b59950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T08:57:34.000Z", "modified": "2018-07-25T08:57:34.000Z", "description": "EmployeeID-847267.doc downloading payload (Kronos) on Nov 10", "pattern": "[url:value = 'http://info.docs-sharepoint.com/officeup.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T08:57:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b583b7f-80e8-4230-a77e-4453950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T08:57:35.000Z", "modified": "2018-07-25T08:57:35.000Z", "pattern": "[file:name = 'EmployeeID-847267.doc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T08:57:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b583b7f-aba8-44df-bee9-4880950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T08:57:35.000Z", "modified": "2018-07-25T08:57:35.000Z", "description": "Kronos C&C on Nov 10", "pattern": "[url:value = 'http://www.networkupdate.club/kbps/connect.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T08:57:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b583b80-8898-45cc-a722-4932950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T08:57:36.000Z", "modified": "2018-07-25T08:57:36.000Z", "description": "Payload DL by Kronos on Nov 10", "pattern": "[url:value = 'http://networkupdate.online/kbps/upload/c1c06f7d.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T08:57:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b583b80-50c4-483b-a57b-4b34950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T08:57:36.000Z", "modified": "2018-07-25T08:57:36.000Z", "description": "Payload DL by Kronos on Nov 10", "pattern": "[url:value = 'http://networkupdate.online/kbps/upload/1f80ff71.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T08:57:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b583b81-666c-47cc-82d7-418c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T08:57:37.000Z", "modified": "2018-07-25T08:57:37.000Z", "description": "Payload DL by Kronos on Nov 10", "pattern": "[url:value = 'http://networkupdate.online/kbps/upload/a8b05325.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T08:57:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b583b81-0354-4c37-9f23-4699950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T10:13:53.000Z", "modified": "2018-07-25T10:13:53.000Z", "description": "Phishing link on Nov 10", "pattern": "[url:value = 'http://intranet.excelsharepoint.com/profile/Employee.php?id=[base64 e-mail address]']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T10:13:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b583b82-b2a0-4c3e-a7f6-4f40950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T08:57:38.000Z", "modified": "2018-07-25T08:57:38.000Z", "description": "SmokeLoader C&C", "pattern": "[url:value = 'http://webfeed.updatesnetwork.com/feedweb/feed.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T08:57:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b583b82-7384-4bc0-ad26-4fa1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T08:57:38.000Z", "modified": "2018-07-25T08:57:38.000Z", "description": "ScanPOS C&C", "pattern": "[url:value = 'http://invoicesharepoint.com/gateway.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T08:57:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b583b82-8e54-4390-b12a-42c1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T10:13:34.000Z", "modified": "2018-07-25T10:13:34.000Z", "description": "Phishing link on Nov 14", "pattern": "[url:value = 'http://intranet.excel-sharepoint.com/doc/employee.php?id=[base64 e-mail address]']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T10:13:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b583b83-a568-4200-8c7a-48c2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T08:57:39.000Z", "modified": "2018-07-25T08:57:39.000Z", "description": "EmployeeID-6283.doc downloading payload (Kronos) on Nov 14", "pattern": "[url:value = 'http://profile.excel-sharepoint.com/doc/office.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T08:57:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b583b83-8390-470a-ae42-4e22950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T08:57:39.000Z", "modified": "2018-07-25T08:57:39.000Z", "pattern": "[file:name = 'EmployeeID-6283.doc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T08:57:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b5842d8-8e0c-45c9-ae13-451b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T09:28:56.000Z", "modified": "2018-07-25T09:28:56.000Z", "description": "RIG-v domain on Nov 8", "pattern": "[domain-name:value = 'add.souloventure.org']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T09:28:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5b587469-3e60-43ba-91fb-9146950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-26T07:17:14.000Z", "modified": "2018-07-26T07:17:14.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Banking Trojans continue to evolve and threat actors are using them in new ways, even as the massive Dridex campaigns of 2015 have given way to ransomware and other payloads. Most recently, we observed several relatively large email campaigns distributing the Kronos banking Trojan. In these campaigns, though, Kronos acted as a loader with a new Point-of-Sale (POS) malware dubbed ScanPOS as the secondary payload." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b583628-807c-4168-843b-43eb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T08:34:48.000Z", "modified": "2018-07-25T08:34:48.000Z", "description": "containing SmokeLoader from /download.php on Nov 8", "pattern": "[file:hashes.SHA256 = '4b5f4dbd93100bb7b87920f2f3066782a8449eb9e236efc02afe570c1ce70cf5' AND file:name = 'EmployeeID-47267.zip' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T08:34:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b58365c-aa24-4e3d-a908-49e6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T08:35:40.000Z", "modified": "2018-07-25T08:35:40.000Z", "description": "containing ZeuS from /download.php on Nov 8", "pattern": "[file:hashes.SHA256 = '711431204071b1e6f5b5644e0f0b23464c6ef5c254d7a40c4e6fe7c8782cd55c' AND file:name = 'EmployeeID-47267.zip' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T08:35:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b583698-e9f8-428f-8754-4eed950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T08:36:40.000Z", "modified": "2018-07-25T08:36:40.000Z", "description": "SmokeLoader", "pattern": "[file:hashes.SHA256 = '90063c40cb94277f39ca1b3818b36b4fa41b3a3091d42dfc21586ad1c461daa0' AND file:name = 'EmployeeID-47267.pif' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T08:36:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b583727-3fe0-4c85-81b7-41a1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T08:39:03.000Z", "modified": "2018-07-25T08:39:03.000Z", "description": "ZeuS", "pattern": "[file:hashes.SHA256 = '4ba3913d945a16c099f5796fdeef2fda5c6c2e60cb53d46a1bfae82808075d74' AND file:name = 'EmployeeID-47267.pif' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T08:39:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b58374c-d1a8-4736-8cea-42e9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T08:39:40.000Z", "modified": "2018-07-25T08:39:40.000Z", "description": "downloaded from phishing links on Nov 10", "pattern": "[file:hashes.SHA256 = 'a78b93a11ce649be3ca91812769f95a40de9d78e97a627366917c4fcd747f156' AND file:name = 'EmployeeID-847267.doc' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T08:39:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5b58375c-ae60-4530-8186-425b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T21:02:40.000Z", "modified": "2018-07-25T21:02:40.000Z", "first_observed": "2018-07-25T21:02:40Z", "last_observed": "2018-07-25T21:02:40Z", "number_observed": 1, "object_refs": [ "file--5b58375c-ae60-4530-8186-425b950d210f" ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"False\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5b58375c-ae60-4530-8186-425b950d210f", "hashes": { "SHA-256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" }, "x_misp_state": "Malicious" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b58389b-2f00-49cc-b0ac-4454950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T08:45:15.000Z", "modified": "2018-07-25T08:45:15.000Z", "description": "SmokeLoader", "pattern": "[file:hashes.SHA256 = 'd0caf097ea0350dc92277aed73b0f44986d7d85b06d1d17b424dc172ce35a984' AND file:name = 'c1c06f7d.exe' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T08:45:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b5838b0-acf8-4d3e-8b64-4fa7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T08:45:36.000Z", "modified": "2018-07-25T08:45:36.000Z", "description": "SmokeLoader", "pattern": "[file:hashes.SHA256 = 'd9d1f02c8c4beee49f81093ea8162ce6adf405640ccacd5f03ce6c45e700ee98' AND file:name = '1f80ff71.exe' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T08:45:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b5838c7-ae6c-4367-903a-4975950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T08:45:59.000Z", "modified": "2018-07-25T08:45:59.000Z", "description": "ScanPOS", "pattern": "[file:hashes.SHA256 = '093c81f0b234c2aa0363129fdaaaf57551f161915da3d23f43a792b5f3024c1e' AND file:name = 'a8b05325.exe' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T08:45:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b5838da-60ac-4477-be0d-41d4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T08:46:18.000Z", "modified": "2018-07-25T08:46:18.000Z", "description": "downloaded from phishing links on Nov 14", "pattern": "[file:hashes.SHA256 = 'fd5412a7c71958ecdffa7064bf03c5f1931e561a1e71bc939551d5afb8bf7462' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T08:46:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b5838e9-b540-4e30-ad63-44aa950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T08:46:33.000Z", "modified": "2018-07-25T08:46:33.000Z", "description": "Kronos on Nov 14 (same C&C as previous)", "pattern": "[file:hashes.SHA256 = '269f88cfa9e9e26f3761aedee5d0836b5b82f346128fe03da28a331f80a5fba3' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T08:46:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a9d88727-e3a0-4095-b1d0-2b156670a502", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T21:02:24.000Z", "modified": "2018-07-25T21:02:24.000Z", "pattern": "[file:hashes.MD5 = 'f99d1571ce9be023cc897522f82ec6cc' AND file:hashes.SHA1 = '9b931700d85a5fb986575f89c7c29d03dc5f4c1e' AND file:hashes.SHA256 = 'd0caf097ea0350dc92277aed73b0f44986d7d85b06d1d17b424dc172ce35a984']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T21:02:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--edb2ae54-a660-4d51-ab66-8f27d9223543", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T21:02:25.000Z", "modified": "2018-07-25T21:02:25.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-23 10:53:44", "category": "Other", "uuid": "87767aea-51ec-4953-993c-f4a3db01bf9a" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/d0caf097ea0350dc92277aed73b0f44986d7d85b06d1d17b424dc172ce35a984/analysis/1532343224/", "category": "External analysis", "uuid": "b5192082-ba75-490e-abe7-4244a424182a" }, { "type": "text", "object_relation": "detection-ratio", "value": "51/68", "category": "Other", "uuid": "7fc96d39-bd29-47e8-be21-3bab9cd4738e" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--98a247a0-d160-4eee-be67-362795be9206", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T21:02:31.000Z", "modified": "2018-07-25T21:02:31.000Z", "pattern": "[file:hashes.MD5 = '73871970ccf1b551a29f255605d05f61' AND file:hashes.SHA1 = 'f74b2c624c6cffccec2680679a26fd863040828f' AND file:hashes.SHA256 = 'd9d1f02c8c4beee49f81093ea8162ce6adf405640ccacd5f03ce6c45e700ee98']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T21:02:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--0d28ddad-c7aa-4a6b-a448-c253efd98a2f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T21:02:32.000Z", "modified": "2018-07-25T21:02:32.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-23 10:55:04", "category": "Other", "uuid": "5e3f9c64-39c9-4b35-b4e4-a8435f37c780" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/d9d1f02c8c4beee49f81093ea8162ce6adf405640ccacd5f03ce6c45e700ee98/analysis/1532343304/", "category": "External analysis", "uuid": "a96cf4aa-68b4-4c69-b511-928a17309792" }, { "type": "text", "object_relation": "detection-ratio", "value": "53/68", "category": "Other", "uuid": "ddfade3b-fda0-4c64-b533-d1c78daf7927" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b0fd87a7-f7be-4f96-8ebc-90044b6c09ab", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T21:02:38.000Z", "modified": "2018-07-25T21:02:38.000Z", "pattern": "[file:hashes.MD5 = '4a03b999b87cfe3c44e617ac911a2018' AND file:hashes.SHA1 = 'b1a62023dc97668ce5ad0ed78788c79f797753c3' AND file:hashes.SHA256 = '4ba3913d945a16c099f5796fdeef2fda5c6c2e60cb53d46a1bfae82808075d74']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T21:02:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--e548da40-21e0-44e7-8878-30051f1ffa04", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T21:02:38.000Z", "modified": "2018-07-25T21:02:38.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2017-09-27 17:35:43", "category": "Other", "uuid": "0d79d2bd-bd94-4ac7-983d-9d804def7917" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/4ba3913d945a16c099f5796fdeef2fda5c6c2e60cb53d46a1bfae82808075d74/analysis/1506533743/", "category": "External analysis", "uuid": "e76cf28d-af73-426f-bdfe-0d795cc4ac0b" }, { "type": "text", "object_relation": "detection-ratio", "value": "43/65", "category": "Other", "uuid": "0e1d278b-6aa8-49d3-afe9-d32dd68d13cf" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--ef42d127-90f8-425a-8866-83310e33e640", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T21:02:44.000Z", "modified": "2018-07-25T21:02:44.000Z", "pattern": "[file:hashes.MD5 = '5cac0a88767a301d7df64cfc84ccc951' AND file:hashes.SHA1 = '1e207f9cfadd92bf56a827cb6b7765abe0fa3bac' AND file:hashes.SHA256 = '4b5f4dbd93100bb7b87920f2f3066782a8449eb9e236efc02afe570c1ce70cf5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T21:02:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--6709cf8f-3627-407e-8485-e6218167d3c0", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T21:02:46.000Z", "modified": "2018-07-25T21:02:46.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2016-11-17 19:05:53", "category": "Other", "uuid": "58be0aad-494f-48dc-a412-02bd982d577a" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/4b5f4dbd93100bb7b87920f2f3066782a8449eb9e236efc02afe570c1ce70cf5/analysis/1479409553/", "category": "External analysis", "uuid": "8f5efb1a-9343-4079-a3fe-3d8d9994f4eb" }, { "type": "text", "object_relation": "detection-ratio", "value": "31/57", "category": "Other", "uuid": "f93324bc-edc7-4330-9ec3-8c50d17168ab" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f734d0d6-468b-4c5d-8883-d137f6140100", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T21:02:51.000Z", "modified": "2018-07-25T21:02:51.000Z", "pattern": "[file:hashes.MD5 = 'dfef3c6bf91ddbc2784bda187670983b' AND file:hashes.SHA1 = 'd97139b60ec56ddf87d5a1798ca840fa872a580f' AND file:hashes.SHA256 = 'fd5412a7c71958ecdffa7064bf03c5f1931e561a1e71bc939551d5afb8bf7462']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T21:02:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--71d925d6-48ee-413d-bb73-c729eedd03f1", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T21:02:52.000Z", "modified": "2018-07-25T21:02:52.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2017-07-18 21:20:03", "category": "Other", "uuid": "31088d4b-45b8-4012-8414-4d6c62cf9959" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/fd5412a7c71958ecdffa7064bf03c5f1931e561a1e71bc939551d5afb8bf7462/analysis/1500412803/", "category": "External analysis", "uuid": "a7973cf8-6939-41d7-8745-ada586d7accc" }, { "type": "text", "object_relation": "detection-ratio", "value": "17/58", "category": "Other", "uuid": "c7fa26cf-cf90-4317-95d6-e7cb733aae80" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--31d38205-0b87-4063-a326-2e4f1a2459db", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T21:02:58.000Z", "modified": "2018-07-25T21:02:58.000Z", "pattern": "[file:hashes.MD5 = '11180b265b010fbfa05c08681261ac57' AND file:hashes.SHA1 = '0eed43d63b6f3e5e696e7b99cfa538c12a13321d' AND file:hashes.SHA256 = '269f88cfa9e9e26f3761aedee5d0836b5b82f346128fe03da28a331f80a5fba3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T21:02:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--4ed5377e-7638-45ba-9377-a1aa31e4a4ae", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T21:02:59.000Z", "modified": "2018-07-25T21:02:59.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2017-03-15 10:30:38", "category": "Other", "uuid": "bb0f567b-3154-4c7a-9f5d-478efc6fa6b8" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/269f88cfa9e9e26f3761aedee5d0836b5b82f346128fe03da28a331f80a5fba3/analysis/1489573838/", "category": "External analysis", "uuid": "bff87e3b-7d19-4641-94ca-2d92f7683cde" }, { "type": "text", "object_relation": "detection-ratio", "value": "52/60", "category": "Other", "uuid": "44855b6c-b687-4d04-8cd0-a297a0f47c32" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b6d5fe7e-b69f-4e54-942e-360486c7bfcb", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T21:03:05.000Z", "modified": "2018-07-25T21:03:05.000Z", "pattern": "[file:hashes.MD5 = 'dc31516a473d8b9cb634bf1f48a7065f' AND file:hashes.SHA1 = '10301bf7f1202c57df484ebcc125b84d8d427014' AND file:hashes.SHA256 = '711431204071b1e6f5b5644e0f0b23464c6ef5c254d7a40c4e6fe7c8782cd55c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T21:03:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--776e2aba-176a-48be-895a-c6d665ffcd02", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T21:03:06.000Z", "modified": "2018-07-25T21:03:06.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2016-11-10 15:50:58", "category": "Other", "uuid": "58e7f184-7092-463f-a342-2b475e53aec4" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/711431204071b1e6f5b5644e0f0b23464c6ef5c254d7a40c4e6fe7c8782cd55c/analysis/1478793058/", "category": "External analysis", "uuid": "e18d6539-c159-47bf-91be-068da68abe71" }, { "type": "text", "object_relation": "detection-ratio", "value": "26/54", "category": "Other", "uuid": "884a8c07-14d5-4574-aaa4-7aac53dde5c8" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d7634bbe-3e21-4bcf-b1ae-8d7625dfeea4", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T21:03:12.000Z", "modified": "2018-07-25T21:03:12.000Z", "pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e' AND file:hashes.SHA1 = 'da39a3ee5e6b4b0d3255bfef95601890afd80709' AND file:hashes.SHA256 = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T21:03:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--3acaf083-3b2a-4b5f-9451-7c1ea9b39768", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T21:03:13.000Z", "modified": "2018-07-25T21:03:13.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-07-25 20:49:30", "category": "Other", "uuid": "d5580362-b4ad-4ee2-9c38-7bb05878a591" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/analysis/1532551770/", "category": "External analysis", "uuid": "887aea02-9162-47a8-9684-0cb42bda0520" }, { "type": "text", "object_relation": "detection-ratio", "value": "0/61", "category": "Other", "uuid": "6d26efdf-e637-4a26-a036-b21a524e663a" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--16984ff8-41a2-42d9-a859-87df65432e94", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T21:03:19.000Z", "modified": "2018-07-25T21:03:19.000Z", "pattern": "[file:hashes.MD5 = '6fcc13563aad936c7d0f3165351cb453' AND file:hashes.SHA1 = '8b1757b95b7b7f9c4dfa09b52b0d3c6451b269fc' AND file:hashes.SHA256 = '093c81f0b234c2aa0363129fdaaaf57551f161915da3d23f43a792b5f3024c1e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T21:03:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--8df7db4c-c0a1-495d-a400-6e134bf827a6", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T21:03:20.000Z", "modified": "2018-07-25T21:03:20.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2017-12-19 00:26:19", "category": "Other", "uuid": "520c34d4-ed53-4cf2-be8d-0d6dbcc95604" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/093c81f0b234c2aa0363129fdaaaf57551f161915da3d23f43a792b5f3024c1e/analysis/1513643179/", "category": "External analysis", "uuid": "1c2745c4-6d74-407c-aef0-dc86e8edce38" }, { "type": "text", "object_relation": "detection-ratio", "value": "44/67", "category": "Other", "uuid": "473e0959-9f52-4d7c-82d1-1540cb995bb3" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--18574ddd-6a89-41b7-924b-d9a1388d4fc0", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T21:03:26.000Z", "modified": "2018-07-25T21:03:26.000Z", "pattern": "[file:hashes.MD5 = '83d21d808f7408ebcb3947cb88366172' AND file:hashes.SHA1 = 'ef12b3c274c02a68f678b618828ee4c92a297e59' AND file:hashes.SHA256 = 'a78b93a11ce649be3ca91812769f95a40de9d78e97a627366917c4fcd747f156']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T21:03:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--77f014cd-c354-4167-86fa-78e315ba907b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T21:03:27.000Z", "modified": "2018-07-25T21:03:27.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2017-07-18 20:58:26", "category": "Other", "uuid": "e01b2c15-aa53-4020-82d3-0f1f7ce840e2" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/a78b93a11ce649be3ca91812769f95a40de9d78e97a627366917c4fcd747f156/analysis/1500411506/", "category": "External analysis", "uuid": "684f43f7-25ca-47f6-be6d-5739d4f57d72" }, { "type": "text", "object_relation": "detection-ratio", "value": "36/58", "category": "Other", "uuid": "8a2f71fb-df0f-41c0-9950-db186f88f8f4" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0d95e126-39c8-4048-be62-5470568b0f0f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T21:03:33.000Z", "modified": "2018-07-25T21:03:33.000Z", "pattern": "[file:hashes.MD5 = '8758b7984fa2f20ada64e95cf9d5d192' AND file:hashes.SHA1 = 'd35ee56d673fa44a72cf43e6c16f9270dea33f2d' AND file:hashes.SHA256 = '90063c40cb94277f39ca1b3818b36b4fa41b3a3091d42dfc21586ad1c461daa0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-07-25T21:03:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--11e88643-99a3-4053-b9bf-73f53056ebae", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-07-25T21:03:34.000Z", "modified": "2018-07-25T21:03:34.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2016-12-13 19:02:03", "category": "Other", "uuid": "2aed675b-f09b-4b27-aa4e-d8cef860ee81" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/90063c40cb94277f39ca1b3818b36b4fa41b3a3091d42dfc21586ad1c461daa0/analysis/1481655723/", "category": "External analysis", "uuid": "57b62add-1e94-406b-9081-eac88b655b27" }, { "type": "text", "object_relation": "detection-ratio", "value": "40/55", "category": "Other", "uuid": "3208bb65-c286-4c9b-958f-f1d7488b957c" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--95c49945-cdca-4019-b1e0-c067a4d32f16", "created": "2018-07-25T21:03:36.000Z", "modified": "2018-07-25T21:03:36.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--a9d88727-e3a0-4095-b1d0-2b156670a502", "target_ref": "x-misp-object--edb2ae54-a660-4d51-ab66-8f27d9223543" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--13191b36-c491-475f-8c70-13cb282229c8", "created": "2018-07-25T21:03:37.000Z", "modified": "2018-07-25T21:03:37.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--98a247a0-d160-4eee-be67-362795be9206", "target_ref": "x-misp-object--0d28ddad-c7aa-4a6b-a448-c253efd98a2f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--07b16923-0a92-4025-9007-d0efbcef7e9a", "created": "2018-07-25T21:03:37.000Z", "modified": "2018-07-25T21:03:37.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--b0fd87a7-f7be-4f96-8ebc-90044b6c09ab", "target_ref": "x-misp-object--e548da40-21e0-44e7-8878-30051f1ffa04" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--62f895d3-6fbc-49a6-b01b-f0fa884ecc5b", "created": "2018-07-25T21:03:37.000Z", "modified": "2018-07-25T21:03:37.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--ef42d127-90f8-425a-8866-83310e33e640", "target_ref": "x-misp-object--6709cf8f-3627-407e-8485-e6218167d3c0" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e524abdf-47b1-428b-ada4-2495a39a1dee", "created": "2018-07-25T21:03:37.000Z", "modified": "2018-07-25T21:03:37.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--f734d0d6-468b-4c5d-8883-d137f6140100", "target_ref": "x-misp-object--71d925d6-48ee-413d-bb73-c729eedd03f1" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a75b5f32-3bb7-43fd-91ac-4aca531fe0c1", "created": "2018-07-25T21:03:37.000Z", "modified": "2018-07-25T21:03:37.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--31d38205-0b87-4063-a326-2e4f1a2459db", "target_ref": "x-misp-object--4ed5377e-7638-45ba-9377-a1aa31e4a4ae" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--73a423e8-c9d2-4e84-9bf9-86f9adef88f3", "created": "2018-07-25T21:03:37.000Z", "modified": "2018-07-25T21:03:37.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--b6d5fe7e-b69f-4e54-942e-360486c7bfcb", "target_ref": "x-misp-object--776e2aba-176a-48be-895a-c6d665ffcd02" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--fdbb1028-e78c-4ead-af46-1f9778c657b3", "created": "2018-07-25T21:03:37.000Z", "modified": "2018-07-25T21:03:37.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--d7634bbe-3e21-4bcf-b1ae-8d7625dfeea4", "target_ref": "x-misp-object--3acaf083-3b2a-4b5f-9451-7c1ea9b39768" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--bb1c5730-e990-4437-83d8-a9e2adcb9e04", "created": "2018-07-25T21:03:37.000Z", "modified": "2018-07-25T21:03:37.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--16984ff8-41a2-42d9-a859-87df65432e94", "target_ref": "x-misp-object--8df7db4c-c0a1-495d-a400-6e134bf827a6" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--84c9a2fc-7809-4f73-a677-03dd4a0daa00", "created": "2018-07-25T21:03:37.000Z", "modified": "2018-07-25T21:03:37.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--18574ddd-6a89-41b7-924b-d9a1388d4fc0", "target_ref": "x-misp-object--77f014cd-c354-4167-86fa-78e315ba907b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--297a2c38-9cae-4e5d-bc9f-1f9e0b5a9c53", "created": "2018-07-25T21:03:37.000Z", "modified": "2018-07-25T21:03:37.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--0d95e126-39c8-4048-be62-5470568b0f0f", "target_ref": "x-misp-object--11e88643-99a3-4053-b9bf-73f53056ebae" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }