{ "type": "bundle", "id": "bundle--5bf7ba12-bec4-4d01-8330-4373950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-23T15:34:40.000Z", "modified": "2018-11-23T15:34:40.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5bf7ba12-bec4-4d01-8330-4373950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-23T15:34:40.000Z", "modified": "2018-11-23T15:34:40.000Z", "name": "OSINT - Turla PNG Dropper is back", "published": "2018-11-23T15:34:53Z", "object_refs": [ "observed-data--5bf7bb5f-ad9c-4e3d-b6da-4e83950d210f", "url--5bf7bb5f-ad9c-4e3d-b6da-4e83950d210f", "x-misp-attribute--5bf7bb86-3374-4ece-8226-4383950d210f", "observed-data--5bf7bf20-cd9c-48b1-aeb1-4e5b950d210f", "url--5bf7bf20-cd9c-48b1-aeb1-4e5b950d210f", "indicator--5bf7d798-4a08-48f1-9e9c-4744950d210f", "indicator--5bf7d7ce-2514-4e61-ac16-6b24950d210f", "observed-data--5bf7db6d-d5c0-4a23-8aa8-60c4950d210f", "url--5bf7db6d-d5c0-4a23-8aa8-60c4950d210f", "indicator--5bf7df1a-f8d4-46d6-837e-446b950d210f", "indicator--5bf7dad4-098c-4666-9e4d-4958950d210f", "indicator--5bf7db2a-2440-4ed3-ae21-6b24950d210f", "indicator--5bf7e05b-4018-4130-afed-4d90950d210f", "indicator--5bf7e069-2af4-442f-a0c4-4cd4950d210f", "indicator--5bf7e0cb-7f0c-4eef-a610-f5d5950d210f", "indicator--5bf7e0e2-94c8-47df-a0ae-4620950d210f", "indicator--5bf7e123-cbfc-4f9c-a8c0-4064950d210f", "indicator--5bf7e186-6c94-4a68-90a1-493a950d210f", "indicator--5bf7e1c8-5f30-420c-b9e1-f5d5950d210f", "indicator--5bf7e202-29a4-4f46-94cc-fb4f950d210f", "indicator--5bf7e210-29f8-4e5c-964e-37a2950d210f", "indicator--370ee35f-2e62-4fa1-87de-59a36b9ad817", "x-misp-object--003ceafa-e652-4272-89f0-356846947659", "indicator--672a1c55-bfa8-497f-8a1e-a9cbbbe31dd6", "x-misp-object--ebf1d2c1-c387-463f-ac79-5573cec56447", "indicator--07a6a6dc-9c22-4773-8432-cdd60d62f8bc", 
"x-misp-object--dfee9eb0-06b6-4817-aa43-a2d63f0a49f2", "indicator--b12e81db-47cb-482e-8deb-e6c98261d878", "x-misp-object--cf0b0660-5bc6-4da8-816b-f6133511fbf0" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:threat-actor=\"Turla Group\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5bf7bb5f-ad9c-4e3d-b6da-4e83950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-23T08:37:10.000Z", "modified": "2018-11-23T08:37:10.000Z", "first_observed": "2018-11-23T08:37:10Z", "last_observed": "2018-11-23T08:37:10Z", "number_observed": 1, "object_refs": [ "url--5bf7bb5f-ad9c-4e3d-b6da-4e83950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5bf7bb5f-ad9c-4e3d-b6da-4e83950d210f", "value": "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5bf7bb86-3374-4ece-8226-4383950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-23T08:37:08.000Z", "modified": "2018-11-23T08:37:08.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "This is a short blog post on the PNG Dropper malware that has been developed and used by the Turla Group. The PNG Dropper was first discovered back in August 2017 by Carbon Black researchers. 
Back in 2017 it was being used to distribute Snake, but recently NCC Group researchers have uncovered samples with a new payload that we have internally named RegRunnerSvc.\r\n\r\nIt\u2019s worth noting at this point that there are other components to this infection that we have not managed to obtain. There will be a first stage dropper that will drop and install the PNG Dropper/RegRunnerSvc. Nevertheless, we think that it is worth documenting this new use of the PNG Dropper." }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5bf7bf20-cd9c-48b1-aeb1-4e5b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-23T08:49:36.000Z", "modified": "2018-11-23T08:49:36.000Z", "first_observed": "2018-11-23T08:49:36Z", "last_observed": "2018-11-23T08:49:36Z", "number_observed": 1, "object_refs": [ "url--5bf7bf20-cd9c-48b1-aeb1-4e5b950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5bf7bf20-cd9c-48b1-aeb1-4e5b950d210f", "value": "https://www.carbonblack.com/2017/08/18/threat-analysis-carbon-black-threat-research-dissects-png-dropper/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5bf7d798-4a08-48f1-9e9c-4744950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-23T10:34:00.000Z", "modified": "2018-11-23T10:34:00.000Z", "pattern": "[rule turla_png_dropper {\r\n meta:\r\n author = \"Ben Humphrey\"\r\n description = \"Detects the PNG Dropper used by the Turla group\"\r\n sha256 = \r\n\"6ed939f59476fd31dc4d99e96136e928fbd88aec0d9c59846092c0e93a3c0e27\"\r\n\r\n strings:\r\n $api0 = \"GdiplusStartup\"\r\n $api1 = \"GdipAlloc\"\r\n $api2 = \"GdipCreateBitmapFromStreamICM\"\r\n $api3 = \"GdipBitmapLockBits\"\r\n $api4 = \"GdipGetImageWidth\"\r\n $api5 = \"GdipGetImageHeight\"\r\n $api6 = \"GdiplusShutdown\"\r\n\r\n $code32 = {\r\n 8B 46 3C // mov 
eax, [esi+3Ch]\r\n B9 0B 01 00 00 // mov ecx, 10Bh\r\n 66 39 4C 30 18 // cmp [eax+esi+18h], cx\r\n 8B 44 30 28 // mov eax, [eax+esi+28h]\r\n 6A 00 // push 0\r\n B9 AF BE AD DE // mov ecx, 0DEADBEAFh\r\n 51 // push ecx\r\n 51 // push ecx\r\n 03 C6 // add eax, esi\r\n 56 // push esi\r\n FF D0 // call eax\r\n }\r\n\r\n $code64 = {\r\n 48 63 43 3C // movsxd rax, dword ptr [rbx+3Ch]\r\n B9 0B 01 00 00 // mov ecx, 10Bh\r\n BA AF BE AD DE // mov edx, 0DEADBEAFh\r\n 66 39 4C 18 18 // cmp [rax+rbx+18h], cx\r\n 8B 44 18 28 // mov eax, [rax+rbx+28h]\r\n 45 33 C9 // xor r9d, r9d\r\n 44 8B C2 // mov r8d, edx\r\n 48 8B CB // mov rcx, rbx\r\n 48 03 C3 // add rax, rbx\r\n FF D0 // call rax\r\n }\r\n\r\n condition:\r\n (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and\r\n all of ($api*) and \r\n 1 of ($code*)\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2018-11-23T10:34:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Payload delivery\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5bf7d7ce-2514-4e61-ac16-6b24950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-23T10:34:54.000Z", "modified": "2018-11-23T10:34:54.000Z", "pattern": "[rule turla_png_reg_enum_payload {\r\n meta:\r\n author = \"Ben Humphrey\"\r\n description = \"Payload that has most recently been dropped by the\r\nTurla PNG Dropper\"\r\n shas256 =\r\n\"fea27eb2e939e930c8617dcf64366d1649988f30555f6ee9cd09fe54e4bc22b3\"\r\n\r\n strings:\r\n $crypt00 = \"Microsoft Software Key Storage Provider\" wide\r\n $crypt01 = \"ChainingModeCBC\" wide\r\n $crypt02 = \"AES\" wide\r\n\r\n condition:\r\n (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and\r\n pe.imports(\"advapi32.dll\", \"StartServiceCtrlDispatcherA\") and \r\n pe.imports(\"advapi32.dll\", \"RegEnumValueA\") and \r\n pe.imports(\"advapi32.dll\", 
\"RegEnumKeyExA\") and \r\n pe.imports(\"ncrypt.dll\", \"NCryptOpenStorageProvider\") and \r\n pe.imports(\"ncrypt.dll\", \"NCryptEnumKeys\") and \r\n pe.imports(\"ncrypt.dll\", \"NCryptOpenKey\") and \r\n pe.imports(\"ncrypt.dll\", \"NCryptDecrypt\") and\r\n pe.imports(\"ncrypt.dll\", \"BCryptGenerateSymmetricKey\") and \r\n pe.imports(\"ncrypt.dll\", \"BCryptGetProperty\") and \r\n pe.imports(\"ncrypt.dll\", \"BCryptDecrypt\") and \r\n pe.imports(\"ncrypt.dll\", \"BCryptEncrypt\") and \r\n all of them\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2018-11-23T10:34:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Payload delivery\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5bf7db6d-d5c0-4a23-8aa8-60c4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-23T10:50:21.000Z", "modified": "2018-11-23T10:50:21.000Z", "first_observed": "2018-11-23T10:50:21Z", "last_observed": "2018-11-23T10:50:21Z", "number_observed": 1, "object_refs": [ "url--5bf7db6d-d5c0-4a23-8aa8-60c4950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5bf7db6d-d5c0-4a23-8aa8-60c4950d210f", "value": "https://github.com/carbonblack/threat-research-tools/tree/master/png_extract" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5bf7df1a-f8d4-46d6-837e-446b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-23T11:06:02.000Z", "modified": "2018-11-23T11:06:02.000Z", "pattern": "[rule PNG_dropper:RU TR APT\r\n\r\n{\r\n\r\n meta:\r\n\r\n author = \u00e2\u20ac\u0153CarbonBlack Threat Research\u00e2\u20ac\u009d\r\n\r\n date = \u00e2\u20ac\u01532017-June-11\u00e2\u20ac\u009d\r\n\r\n description = \u00e2\u20ac\u0153Dropper tool that extracts payload 
from PNG resources\u00e2\u20ac\u009d\r\n\r\n yara_version = \u00e2\u20ac\u01533.5.0\u00e2\u20ac\u009d\r\n\r\n exemplar_hashes = \u00e2\u20ac\u01533a5918c69b6ee801ab8bfc4fc872ac32cc96a47b53c3525723cc27f150e0bfa3, 69389f0d35d003ec3c9506243fd264afefe099d99fcc0e7d977007a12290a290, eeb7784b77d86627bac32e4db20da382cb4643ff8eb86ab1abaebaa56a650158 \u00e2\u20ac\u0153\r\n\r\n strings:\r\n\r\n$s1 = \u00e2\u20ac\u0153GdipGetImageWidth\u00e2\u20ac\u009d\r\n\r\n$s2 = \u00e2\u20ac\u0153GdipGetImageHeight\u00e2\u20ac\u009d\r\n\r\n$s3 = \u00e2\u20ac\u0153GdipCreateBitmapFromStream\u00e2\u20ac\u009d\r\n\r\n$s4 = \u00e2\u20ac\u0153GdipCreateBitmapFromStreamICM\u00e2\u20ac\u009d\r\n\r\n$s5 = \u00e2\u20ac\u0153GdipBitmapLockBits\u00e2\u20ac\u009d\r\n\r\n$s6 = \u00e2\u20ac\u0153GdipBitmapUnlockBits\u00e2\u20ac\u009d\r\n\r\n$s7 = \u00e2\u20ac\u0153LockResource\u00e2\u20ac\u009d\r\n\r\n$s8 = \u00e2\u20ac\u0153LoadResource\u00e2\u20ac\u009d\r\n\r\n$s9 = \u00e2\u20ac\u0153ExpandEnvironmentStringsW\u00e2\u20ac\u009d\r\n\r\n$s10 = \u00e2\u20ac\u0153SetFileTime\u00e2\u20ac\u009d\r\n\r\n$s11 = \u00e2\u20ac\u0153memcmp\u00e2\u20ac\u009d\r\n\r\n$s12 = \u00e2\u20ac\u0153strlen\u00e2\u20ac\u009d\r\n\r\n$s13 = \u00e2\u20ac\u0153memcpy\u00e2\u20ac\u009d\r\n\r\n$s14 = \u00e2\u20ac\u0153memchr\u00e2\u20ac\u009d\r\n\r\n$s15 = \u00e2\u20ac\u0153memmove\u00e2\u20ac\u009d\r\n\r\n$s16 = \u00e2\u20ac\u0153ZwQueryValueKey\u00e2\u20ac\u009d\r\n\r\n$s17 = \u00e2\u20ac\u0153ZwQueryInformationProcess\u00e2\u20ac\u009d\r\n\r\n$s18 = \u00e2\u20ac\u0153FindNextFile\u00e2\u20ac\u009d\r\n\r\n$s19 = \u00e2\u20ac\u0153GetModuleHandle\u00e2\u20ac\u009d\r\n\r\n$s20 = \u00e2\u20ac\u0153VirtualFree\u00e2\u20ac\u009d\r\n\r\n$PNG1 = {89 50 4E 47 [8] 49 48 44 52} //PNG Header\r\n\r\n$bin32_bit1 = {50 68 07 10 06 00 6A 07 8?} //BitmapLockBits_x86\r\n\r\n$bin64_bit1 = {41 B? 07 10 06 00} //BitmapLockBits_x64\r\n\r\n$bin64_bit2 = {41 B? 
07 00 00 00}//BitmapLockBits_x64\r\n\r\n$bin32_virt1 = {6A 40 68 00 10 00 00 50 53} //VirtualAlloc_x86\r\n\r\n$bin64_virt1 = {40 41 B? 00 10 00 00}//VirtualAlloc_x64\r\n\r\n \r\n\r\n condition:\r\n\r\n uint16(0) == 0x5A4D and// MZ header check\r\n\r\n filesize < 6MB and\r\n\r\n 18 of ($s*) and\r\n\r\n (#PNG1 > 7) and\r\n\r\n//checks for multiple PNG headers\r\n\r\n ((#bin32_bit1 > 1 and $bin32_virt1) or\r\n\r\n//More than 1 of $bin32_bit and $bi32_virt1\r\n\r\n (for 1 of ($bin64_bit*) : (# > 2) and $bin64_virt1))\r\n\r\n//1 of $bin64_bit \u00e2\u20ac\u201c present more that 2 times and $bin64_Virt1\r\n\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2018-11-23T11:06:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Payload delivery\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5bf7dad4-098c-4666-9e4d-4958950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-23T10:47:48.000Z", "modified": "2018-11-23T10:47:48.000Z", "description": "PNG Dropper", "pattern": "[file:hashes.SHA256 = '6ed939f59476fd31dc4d99e96136e928fbd88aec0d9c59846092c0e93a3c0e27' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-11-23T10:47:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5bf7db2a-2440-4ed3-ae21-6b24950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-23T10:49:14.000Z", "modified": "2018-11-23T10:49:14.000Z", "description": "Payload contained in the PNG dropper", "pattern": "[file:hashes.SHA256 = 'fea27eb2e939e930c8617dcf64366d1649988f30555f6ee9cd09fe54e4bc22b3' AND file:x_misp_state = 
'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-11-23T10:49:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5bf7e05b-4018-4130-afed-4d90950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-23T11:11:23.000Z", "modified": "2018-11-23T11:11:23.000Z", "pattern": "[file:hashes.MD5 = 'f84aa30676d2c05ed290b43c4c1e2d4c' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-11-23T11:11:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5bf7e069-2af4-442f-a0c4-4cd4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-23T11:11:37.000Z", "modified": "2018-11-23T11:11:37.000Z", "pattern": "[file:hashes.MD5 = 'ae2ec6d8e455c674d5486ce198d4d46e' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-11-23T11:11:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5bf7e0cb-7f0c-4eef-a610-f5d5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-23T11:13:15.000Z", "modified": "2018-11-23T11:13:15.000Z", "pattern": "[file:hashes.MD5 = '7a1a174dd24d3f88454615102a074600' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-11-23T11:13:15Z", "kill_chain_phases": [ { 
"kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5bf7e0e2-94c8-47df-a0ae-4620950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-23T11:13:38.000Z", "modified": "2018-11-23T11:13:38.000Z", "pattern": "[file:hashes.SHA1 = '645985805780510670092469b7627a23803eefd1' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-11-23T11:13:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5bf7e123-cbfc-4f9c-a8c0-4064950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-23T11:14:43.000Z", "modified": "2018-11-23T11:14:43.000Z", "pattern": "[file:hashes.SHA1 = '17941a20d86c9518c168c7f765785095a57246a3' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-11-23T11:14:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5bf7e186-6c94-4a68-90a1-493a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-23T11:16:22.000Z", "modified": "2018-11-23T11:16:22.000Z", "pattern": "[file:hashes.SHA1 = 'ba221b85c1923866ce2ec3cd0824970216052c82' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-11-23T11:16:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", 
"misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5bf7e1c8-5f30-420c-b9e1-f5d5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-23T11:17:28.000Z", "modified": "2018-11-23T11:17:28.000Z", "pattern": "[file:hashes.SHA256 = 'eeb7784b77d86627bac32e4db20da382cb4643ff8eb86ab1abaebaa56a650158' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-11-23T11:17:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5bf7e202-29a4-4f46-94cc-fb4f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-23T11:18:26.000Z", "modified": "2018-11-23T11:18:26.000Z", "pattern": "[file:hashes.SHA256 = '69389f0d35d003ec3c9506243fd264afefe099d99fcc0e7d977007a12290a290' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-11-23T11:18:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5bf7e210-29f8-4e5c-964e-37a2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-23T11:18:40.000Z", "modified": "2018-11-23T11:18:40.000Z", "pattern": "[file:hashes.SHA256 = '3a5918c69b6ee801ab8bfc4fc872ac32cc96a47b53c3525723cc27f150e0bfa3' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-11-23T11:18:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", 
"misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--370ee35f-2e62-4fa1-87de-59a36b9ad817", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-23T15:34:07.000Z", "modified": "2018-11-23T15:34:07.000Z", "pattern": "[file:hashes.MD5 = '7a1a174dd24d3f88454615102a074600' AND file:hashes.SHA1 = '645985805780510670092469b7627a23803eefd1' AND file:hashes.SHA256 = 'eeb7784b77d86627bac32e4db20da382cb4643ff8eb86ab1abaebaa56a650158']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-11-23T15:34:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--003ceafa-e652-4272-89f0-356846947659", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-23T15:34:09.000Z", "modified": "2018-11-23T15:34:09.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-10-17T23:41:05", "category": "Other", "uuid": "ded701b7-f8e5-4a51-94eb-9509c5a5f6c7" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/eeb7784b77d86627bac32e4db20da382cb4643ff8eb86ab1abaebaa56a650158/analysis/1539819665/", "category": "External analysis", "uuid": "2b06642b-d74e-4910-9a74-980fdb5cebb3" }, { "type": "text", "object_relation": "detection-ratio", "value": "48/67", "category": "Other", "uuid": "2a5f6f23-8854-48fd-bb7c-dda116812263" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--672a1c55-bfa8-497f-8a1e-a9cbbbe31dd6", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2018-11-23T15:34:10.000Z", "modified": "2018-11-23T15:34:10.000Z", "pattern": "[file:hashes.MD5 = 'f84aa30676d2c05ed290b43c4c1e2d4c' AND file:hashes.SHA1 = '17941a20d86c9518c168c7f765785095a57246a3' AND file:hashes.SHA256 = '69389f0d35d003ec3c9506243fd264afefe099d99fcc0e7d977007a12290a290']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-11-23T15:34:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--ebf1d2c1-c387-463f-ac79-5573cec56447", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-23T15:34:11.000Z", "modified": "2018-11-23T15:34:11.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-09-27T23:11:14", "category": "Other", "uuid": "6443cb5d-0517-4dda-b7b7-7eb5d39ae7fa" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/69389f0d35d003ec3c9506243fd264afefe099d99fcc0e7d977007a12290a290/analysis/1538089874/", "category": "External analysis", "uuid": "3e316cfb-ba54-4612-9ee6-20204adc750d" }, { "type": "text", "object_relation": "detection-ratio", "value": "24/68", "category": "Other", "uuid": "e2c20e0f-18f6-4fbf-86ad-f0d025f17266" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--07a6a6dc-9c22-4773-8432-cdd60d62f8bc", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-23T15:34:12.000Z", "modified": "2018-11-23T15:34:12.000Z", "pattern": "[file:hashes.MD5 = 'ae2ec6d8e455c674d5486ce198d4d46e' AND file:hashes.SHA1 = 'ba221b85c1923866ce2ec3cd0824970216052c82' AND file:hashes.SHA256 = 
'3a5918c69b6ee801ab8bfc4fc872ac32cc96a47b53c3525723cc27f150e0bfa3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-11-23T15:34:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--dfee9eb0-06b6-4817-aa43-a2d63f0a49f2", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-23T15:34:14.000Z", "modified": "2018-11-23T15:34:14.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-10-17T04:41:54", "category": "Other", "uuid": "a4daa13a-1374-4259-af44-d8c88ea2cc58" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/3a5918c69b6ee801ab8bfc4fc872ac32cc96a47b53c3525723cc27f150e0bfa3/analysis/1539751314/", "category": "External analysis", "uuid": "a305ca88-cd28-4233-af68-b4def8e76110" }, { "type": "text", "object_relation": "detection-ratio", "value": "45/67", "category": "Other", "uuid": "ad12f987-16cf-453d-8e0f-bd6d3758823d" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b12e81db-47cb-482e-8deb-e6c98261d878", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-23T15:34:15.000Z", "modified": "2018-11-23T15:34:15.000Z", "pattern": "[file:hashes.MD5 = 'd2e8e75c30dccd98a95d25b218ba7d2e' AND file:hashes.SHA1 = '72997e699d6c7cd5a2409535bfdef58695ed46fa' AND file:hashes.SHA256 = '6ed939f59476fd31dc4d99e96136e928fbd88aec0d9c59846092c0e93a3c0e27']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-11-23T15:34:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], 
"labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--cf0b0660-5bc6-4da8-816b-f6133511fbf0", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-11-23T15:34:16.000Z", "modified": "2018-11-23T15:34:16.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-11-23T13:40:06", "category": "Other", "uuid": "9797ab40-8d7c-4a60-ab23-f6f99e9492b0" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/6ed939f59476fd31dc4d99e96136e928fbd88aec0d9c59846092c0e93a3c0e27/analysis/1542980406/", "category": "External analysis", "uuid": "2817750f-5b18-463e-baa8-19fba2fb0765" }, { "type": "text", "object_relation": "detection-ratio", "value": "47/69", "category": "Other", "uuid": "164f9a1b-2a21-40de-be22-762bb37ab16e" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }