{ "type": "bundle", "id": "bundle--57454ee0-3294-407a-8468-493c950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:34:51.000Z", "modified": "2016-05-25T07:34:51.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--57454ee0-3294-407a-8468-493c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:34:51.000Z", "modified": "2016-05-25T07:34:51.000Z", "name": "OSINT - New Wekby Attacks Use DNS Requests As Command and Control Mechanism", "published": "2016-05-25T07:48:54Z", "object_refs": [ "indicator--57455077-0144-41d3-b61f-4420950d210f", "indicator--57455077-e4e8-46e7-8528-4fe1950d210f", "indicator--57455078-6e98-4713-ae9a-4370950d210f", "indicator--57455078-5aa8-4a30-9f3e-48ee950d210f", "indicator--57455078-7a08-49da-a316-463f950d210f", "indicator--57455079-8b60-418f-8579-4b4c950d210f", "indicator--57455079-d494-4a47-9489-48a9950d210f", "indicator--57455119-805c-49dd-b728-4394950d210f", "indicator--57455119-2dcc-40d1-aa46-44a9950d210f", "indicator--57455119-880c-48af-a815-4de3950d210f", "indicator--5745511a-9328-4035-85c8-456f950d210f", "indicator--5745511a-e1e4-4728-8b1a-441b950d210f", "indicator--5745511a-1828-434d-bfbe-40fa950d210f", "indicator--5745511b-5548-434d-a276-4bb1950d210f", "observed-data--5745513e-e4c4-429d-98fb-40f5950d210f", "url--5745513e-e4c4-429d-98fb-40f5950d210f", "observed-data--5745513f-68ac-4629-9b82-480d950d210f", "url--5745513f-68ac-4629-9b82-480d950d210f", "observed-data--5745513f-79fc-4aa8-a5e4-48bf950d210f", "url--5745513f-79fc-4aa8-a5e4-48bf950d210f", "observed-data--5745513f-98a4-4b12-a221-4f50950d210f", "url--5745513f-98a4-4b12-a221-4f50950d210f", "observed-data--57455140-3e14-4530-a551-4326950d210f", "url--57455140-3e14-4530-a551-4326950d210f", "observed-data--57455140-79a4-4aaf-a4e3-4882950d210f", 
"url--57455140-79a4-4aaf-a4e3-4882950d210f", "observed-data--57455182-0280-4cee-8e2e-4bbb950d210f", "mutex--57455182-0280-4cee-8e2e-4bbb950d210f", "indicator--5745559b-6988-419d-aa75-4c9302de0b81", "indicator--5745559b-b154-4998-98af-425f02de0b81", "observed-data--5745559b-948c-4fe7-9404-4ef902de0b81", "url--5745559b-948c-4fe7-9404-4ef902de0b81", "indicator--5745559b-e91c-488c-82cb-479a02de0b81", "indicator--5745559c-6bac-4960-9e47-445402de0b81", "observed-data--5745559c-cffc-4030-b815-486102de0b81", "url--5745559c-cffc-4030-b815-486102de0b81", "indicator--5745559c-c63c-45ac-9f98-43a702de0b81", "indicator--5745559c-4324-4a68-ae68-422f02de0b81", "observed-data--5745559c-2db8-4f32-af0f-498c02de0b81", "url--5745559c-2db8-4f32-af0f-498c02de0b81", "indicator--5745559d-dba8-4c1b-9fdc-49db02de0b81", "indicator--5745559d-9b54-46fc-b82c-44c202de0b81", "observed-data--5745559d-5274-4cd4-992a-4d6402de0b81", "url--5745559d-5274-4cd4-992a-4d6402de0b81", "indicator--5745559d-0054-4721-a70e-4d3502de0b81", "indicator--5745559d-5e58-4eaa-bc9b-4d3a02de0b81", "observed-data--5745559e-fcb4-4847-a533-419402de0b81", "url--5745559e-fcb4-4847-a533-419402de0b81", "indicator--5745559e-c110-4754-af54-43a302de0b81", "indicator--5745559e-f960-43d3-974a-410702de0b81", "observed-data--5745559e-b6b0-419c-b1fc-469f02de0b81", "url--5745559e-b6b0-419c-b1fc-469f02de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57455077-0144-41d3-b61f-4420950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:12:55.000Z", "modified": "2016-05-25T07:12:55.000Z", "pattern": "[file:hashes.SHA256 = 'da3261c332e72e4c1641ca0de439af280e064b224d950817a11922a8078b11f1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-25T07:12:55Z", "kill_chain_phases": [ { 
"kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57455077-e4e8-46e7-8528-4fe1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:12:55.000Z", "modified": "2016-05-25T07:12:55.000Z", "pattern": "[file:hashes.SHA256 = '930772d6af8f43f62ea78092914fa8d6b03e8e3360dd4678eec1a3dda17206ed']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-25T07:12:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57455078-6e98-4713-ae9a-4370950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:12:56.000Z", "modified": "2016-05-25T07:12:56.000Z", "pattern": "[file:hashes.SHA256 = '6852ba95720af64809995e04f4818517ca1bd650bc42ea86d9adfdb018d6b274']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-25T07:12:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57455078-5aa8-4a30-9f3e-48ee950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:12:56.000Z", "modified": "2016-05-25T07:12:56.000Z", "pattern": "[file:hashes.SHA256 = '9200f80c08b21ebae065141f0367f9c88f8fed896b0b4af9ec30fc98c606129b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-25T07:12:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", 
"phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57455078-7a08-49da-a316-463f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:12:56.000Z", "modified": "2016-05-25T07:12:56.000Z", "pattern": "[file:hashes.SHA256 = '4d62caef1ca8f4f9aead7823c95228a52852a1145ca6aaa58ad8493e042aed16']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-25T07:12:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57455079-8b60-418f-8579-4b4c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:12:57.000Z", "modified": "2016-05-25T07:12:57.000Z", "pattern": "[file:hashes.SHA256 = '1b341dab023de64598d80456349db146aafe9b9e2ec24490c7d0ac881cecc094']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-25T07:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57455079-d494-4a47-9489-48a9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:12:57.000Z", "modified": "2016-05-25T07:12:57.000Z", "pattern": "[file:hashes.SHA256 = '456fffc256422ad667ca023d694494881baed1496a3067485d56ecc8fefbfaeb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-25T07:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], 
"labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57455119-805c-49dd-b728-4394950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:15:37.000Z", "modified": "2016-05-25T07:15:37.000Z", "description": "DNS exfiltration", "pattern": "[domain-name:value = 'ns1.logitech-usa.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-25T07:15:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57455119-2dcc-40d1-aa46-44a9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:15:37.000Z", "modified": "2016-05-25T07:15:37.000Z", "description": "Delivery of the initial file", "pattern": "[domain-name:value = 'globalprint-us.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-25T07:15:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57455119-880c-48af-a815-4de3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:15:37.000Z", "modified": "2016-05-25T07:15:37.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[domain-name:value = 'intranetwabcam.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-25T07:15:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"",
"misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5745511a-9328-4035-85c8-456f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:15:38.000Z", "modified": "2016-05-25T07:15:38.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[domain-name:value = 'login.access-mail.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-25T07:15:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5745511a-e1e4-4728-8b1a-441b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:15:38.000Z", "modified": "2016-05-25T07:15:38.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[domain-name:value = 'glb.it-desktop.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-25T07:15:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5745511a-1828-434d-bfbe-40fa950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:15:38.000Z", "modified": "2016-05-25T07:15:38.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[domain-name:value = 'local.it-desktop.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-25T07:15:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"",
"misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5745511b-5548-434d-a276-4bb1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:15:39.000Z", "modified": "2016-05-25T07:15:39.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[domain-name:value = 'hi.getgo2.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-25T07:15:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5745513e-e4c4-429d-98fb-40f5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:16:14.000Z", "modified": "2016-05-25T07:16:14.000Z", "first_observed": "2016-05-25T07:16:14Z", "last_observed": "2016-05-25T07:16:14Z", "number_observed": 1, "object_refs": [ "url--5745513e-e4c4-429d-98fb-40f5950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5745513e-e4c4-429d-98fb-40f5950d210f", "value": "https://blog.anomali.com/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5745513f-68ac-4629-9b82-480d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:16:15.000Z", "modified": "2016-05-25T07:16:15.000Z", "first_observed": "2016-05-25T07:16:15Z", "last_observed": "2016-05-25T07:16:15Z", "number_observed": 1, "object_refs": [ "url--5745513f-68ac-4629-9b82-480d950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5745513f-68ac-4629-9b82-480d950d210f", "value": 
"http://www.volexity.com/blog/?p=158" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5745513f-79fc-4aa8-a5e4-48bf950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:16:15.000Z", "modified": "2016-05-25T07:16:15.000Z", "first_observed": "2016-05-25T07:16:15Z", "last_observed": "2016-05-25T07:16:15Z", "number_observed": 1, "object_refs": [ "url--5745513f-79fc-4aa8-a5e4-48bf950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5745513f-79fc-4aa8-a5e4-48bf950d210f", "value": "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5745513f-98a4-4b12-a221-4f50950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:16:15.000Z", "modified": "2016-05-25T07:16:15.000Z", "first_observed": "2016-05-25T07:16:15Z", "last_observed": "2016-05-25T07:16:15Z", "number_observed": 1, "object_refs": [ "url--5745513f-98a4-4b12-a221-4f50950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5745513f-98a4-4b12-a221-4f50950d210f", "value": "https://www.zscaler.com/blogs/research/chinese-cyber-espionage-apt-group-leveraging-recently-leaked-hacking-team-exploits-target-financial-services-firm" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57455140-3e14-4530-a551-4326950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:16:16.000Z", "modified": "2016-05-25T07:16:16.000Z", "first_observed": "2016-05-25T07:16:16Z", "last_observed": "2016-05-25T07:16:16Z", "number_observed": 1, "object_refs": [ "url--57455140-3e14-4530-a551-4326950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\""
] }, { "type": "url", "spec_version": "2.1", "id": "url--57455140-3e14-4530-a551-4326950d210f", "value": "https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57455140-79a4-4aaf-a4e3-4882950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:16:16.000Z", "modified": "2016-05-25T07:16:16.000Z", "first_observed": "2016-05-25T07:16:16Z", "last_observed": "2016-05-25T07:16:16Z", "number_observed": 1, "object_refs": [ "url--57455140-79a4-4aaf-a4e3-4882950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57455140-79a4-4aaf-a4e3-4882950d210f", "value": "http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57455182-0280-4cee-8e2e-4bbb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:17:22.000Z", "modified": "2016-05-25T07:17:22.000Z", "first_observed": "2016-05-25T07:17:22Z", "last_observed": "2016-05-25T07:17:22Z", "number_observed": 1, "object_refs": [ "mutex--57455182-0280-4cee-8e2e-4bbb950d210f" ], "labels": [ "misp:type=\"mutex\"", "misp:category=\"Artifacts dropped\"" ] }, { "type": "mutex", "spec_version": "2.1", "id": "mutex--57455182-0280-4cee-8e2e-4bbb950d210f", "name": ")!VoqA.I5" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5745559b-6988-419d-aa75-4c9302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:34:51.000Z", "modified": "2016-05-25T07:34:51.000Z", "description": "- Xchecked via VT: 456fffc256422ad667ca023d694494881baed1496a3067485d56ecc8fefbfaeb", "pattern": "[file:hashes.SHA1 = '0d620c1c7e64a20a2918c0ec92260afc2716fd17']",
"pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-25T07:34:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5745559b-b154-4998-98af-425f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:34:51.000Z", "modified": "2016-05-25T07:34:51.000Z", "description": "- Xchecked via VT: 456fffc256422ad667ca023d694494881baed1496a3067485d56ecc8fefbfaeb", "pattern": "[file:hashes.MD5 = '07b9b62fb3b1c068837c188fefbd5de9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-25T07:34:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5745559b-948c-4fe7-9404-4ef902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:34:51.000Z", "modified": "2016-05-25T07:34:51.000Z", "first_observed": "2016-05-25T07:34:51Z", "last_observed": "2016-05-25T07:34:51Z", "number_observed": 1, "object_refs": [ "url--5745559b-948c-4fe7-9404-4ef902de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5745559b-948c-4fe7-9404-4ef902de0b81", "value": "https://www.virustotal.com/file/456fffc256422ad667ca023d694494881baed1496a3067485d56ecc8fefbfaeb/analysis/1463822200/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5745559b-e91c-488c-82cb-479a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:34:51.000Z", "modified": "2016-05-25T07:34:51.000Z", 
"description": "- Xchecked via VT: 1b341dab023de64598d80456349db146aafe9b9e2ec24490c7d0ac881cecc094", "pattern": "[file:hashes.SHA1 = '459d35058d4a5c8ca84638a5ea8fcbc2d4e0c772']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-25T07:34:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5745559c-6bac-4960-9e47-445402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:34:52.000Z", "modified": "2016-05-25T07:34:52.000Z", "description": "- Xchecked via VT: 1b341dab023de64598d80456349db146aafe9b9e2ec24490c7d0ac881cecc094", "pattern": "[file:hashes.MD5 = 'e5414c5215c9305feeebbe0dbee43567']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-25T07:34:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5745559c-cffc-4030-b815-486102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:34:52.000Z", "modified": "2016-05-25T07:34:52.000Z", "first_observed": "2016-05-25T07:34:52Z", "last_observed": "2016-05-25T07:34:52Z", "number_observed": 1, "object_refs": [ "url--5745559c-cffc-4030-b815-486102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5745559c-cffc-4030-b815-486102de0b81", "value": "https://www.virustotal.com/file/1b341dab023de64598d80456349db146aafe9b9e2ec24490c7d0ac881cecc094/analysis/1445829715/" }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--5745559c-c63c-45ac-9f98-43a702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:34:52.000Z", "modified": "2016-05-25T07:34:52.000Z", "description": "- Xchecked via VT: 4d62caef1ca8f4f9aead7823c95228a52852a1145ca6aaa58ad8493e042aed16", "pattern": "[file:hashes.SHA1 = '326b5dfa775f7479862c8896e1906ba95e530f9b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-25T07:34:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5745559c-4324-4a68-ae68-422f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:34:52.000Z", "modified": "2016-05-25T07:34:52.000Z", "description": "- Xchecked via VT: 4d62caef1ca8f4f9aead7823c95228a52852a1145ca6aaa58ad8493e042aed16", "pattern": "[file:hashes.MD5 = 'd0f79de7bd194c1843e7411c473e4288']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-25T07:34:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5745559c-2db8-4f32-af0f-498c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:34:52.000Z", "modified": "2016-05-25T07:34:52.000Z", "first_observed": "2016-05-25T07:34:52Z", "last_observed": "2016-05-25T07:34:52Z", "number_observed": 1, "object_refs": [ "url--5745559c-2db8-4f32-af0f-498c02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5745559c-2db8-4f32-af0f-498c02de0b81", "value": 
"https://www.virustotal.com/file/4d62caef1ca8f4f9aead7823c95228a52852a1145ca6aaa58ad8493e042aed16/analysis/1445828993/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5745559d-dba8-4c1b-9fdc-49db02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:34:53.000Z", "modified": "2016-05-25T07:34:53.000Z", "description": "- Xchecked via VT: 9200f80c08b21ebae065141f0367f9c88f8fed896b0b4af9ec30fc98c606129b", "pattern": "[file:hashes.SHA1 = '0e989a0867d6385ed0eda780a86a9229ac5b809e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-25T07:34:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5745559d-9b54-46fc-b82c-44c202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:34:53.000Z", "modified": "2016-05-25T07:34:53.000Z", "description": "- Xchecked via VT: 9200f80c08b21ebae065141f0367f9c88f8fed896b0b4af9ec30fc98c606129b", "pattern": "[file:hashes.MD5 = '985eba97e12c3e5bce9221631fb66d68']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-25T07:34:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5745559d-5274-4cd4-992a-4d6402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:34:53.000Z", "modified": "2016-05-25T07:34:53.000Z", "first_observed": "2016-05-25T07:34:53Z", "last_observed": "2016-05-25T07:34:53Z", "number_observed": 1, "object_refs": [ "url--5745559d-5274-4cd4-992a-4d6402de0b81" ], "labels": 
[ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5745559d-5274-4cd4-992a-4d6402de0b81", "value": "https://www.virustotal.com/file/9200f80c08b21ebae065141f0367f9c88f8fed896b0b4af9ec30fc98c606129b/analysis/1437393001/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5745559d-0054-4721-a70e-4d3502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:34:53.000Z", "modified": "2016-05-25T07:34:53.000Z", "description": "- Xchecked via VT: 6852ba95720af64809995e04f4818517ca1bd650bc42ea86d9adfdb018d6b274", "pattern": "[file:hashes.SHA1 = '1c581a09963109fc526a71adc5cde8e6c89ce615']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-25T07:34:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5745559d-5e58-4eaa-bc9b-4d3a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:34:53.000Z", "modified": "2016-05-25T07:34:53.000Z", "description": "- Xchecked via VT: 6852ba95720af64809995e04f4818517ca1bd650bc42ea86d9adfdb018d6b274", "pattern": "[file:hashes.MD5 = '7b24d17e5f29e27b1c17127839be591a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-25T07:34:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5745559e-fcb4-4847-a533-419402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:34:54.000Z", "modified": "2016-05-25T07:34:54.000Z", 
"first_observed": "2016-05-25T07:34:54Z", "last_observed": "2016-05-25T07:34:54Z", "number_observed": 1, "object_refs": [ "url--5745559e-fcb4-4847-a533-419402de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5745559e-fcb4-4847-a533-419402de0b81", "value": "https://www.virustotal.com/file/6852ba95720af64809995e04f4818517ca1bd650bc42ea86d9adfdb018d6b274/analysis/1447119998/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5745559e-c110-4754-af54-43a302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:34:54.000Z", "modified": "2016-05-25T07:34:54.000Z", "description": "- Xchecked via VT: da3261c332e72e4c1641ca0de439af280e064b224d950817a11922a8078b11f1", "pattern": "[file:hashes.SHA1 = 'c6db4ddc514869a41272abba5e10de70b888476a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-25T07:34:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5745559e-f960-43d3-974a-410702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:34:54.000Z", "modified": "2016-05-25T07:34:54.000Z", "description": "- Xchecked via VT: da3261c332e72e4c1641ca0de439af280e064b224d950817a11922a8078b11f1", "pattern": "[file:hashes.MD5 = 'e8d58aa76dd97536ac225949a2767e05']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-25T07:34:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": 
"observed-data--5745559e-b6b0-419c-b1fc-469f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-25T07:34:54.000Z", "modified": "2016-05-25T07:34:54.000Z", "first_observed": "2016-05-25T07:34:54Z", "last_observed": "2016-05-25T07:34:54Z", "number_observed": 1, "object_refs": [ "url--5745559e-b6b0-419c-b1fc-469f02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5745559e-b6b0-419c-b1fc-469f02de0b81", "value": "https://www.virustotal.com/file/da3261c332e72e4c1641ca0de439af280e064b224d950817a11922a8078b11f1/analysis/1462960470/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }