{ "type": "bundle", "id": "bundle--575d798e-2398-4121-b5e6-4a0e950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:51.000Z", "modified": "2016-06-12T15:04:51.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--575d798e-2398-4121-b5e6-4a0e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:51.000Z", "modified": "2016-06-12T15:04:51.000Z", "name": "OSINT - Reverse-engineering DUBNIUM", "published": "2016-06-12T15:07:54Z", "object_refs": [ "observed-data--575d79b2-9cfc-4052-9f92-4642950d210f", "url--575d79b2-9cfc-4052-9f92-4642950d210f", "x-misp-attribute--575d79cb-8d18-4b89-9bcf-4cd5950d210f", "indicator--575d79f6-8d1c-4b1c-ba28-4680950d210f", "indicator--575d79f6-9e14-4b98-b1c1-40d8950d210f", "indicator--575d79f6-3d2c-430e-98c0-41b2950d210f", "indicator--575d79f7-e928-423f-81de-4394950d210f", "indicator--575d79f7-04c0-4ab5-aa9b-4a44950d210f", "indicator--575d79f8-4270-478c-bdcd-470c950d210f", "indicator--575d79f8-c724-40ff-a801-4ab9950d210f", "indicator--575d79f9-cdac-4e3f-ad8d-4397950d210f", "indicator--575d79f9-2618-4e51-8747-4bf5950d210f", "indicator--575d79f9-2228-463d-8b06-4660950d210f", "indicator--575d79fa-766c-4877-8ff9-42e0950d210f", "indicator--575d79fa-9c24-4a80-bebd-43bd950d210f", "indicator--575d79fb-2ea8-47de-8a9e-4cac950d210f", "indicator--575d79fb-2f6c-4127-98fd-4b2c950d210f", "indicator--575d79fc-a090-4016-b9eb-4658950d210f", "indicator--575d79fc-cab8-4628-9277-45d3950d210f", "indicator--575d79fd-00cc-47c0-9a69-4636950d210f", "indicator--575d79fd-76c4-402d-b542-47b4950d210f", "indicator--575d79fe-77d4-439c-932e-4da8950d210f", "indicator--575d7a13-edd0-43fc-b1de-494f02de0b81", "indicator--575d7a13-d600-4464-9431-4cdd02de0b81", "observed-data--575d7a14-36d8-478e-acc1-4ed402de0b81", "url--575d7a14-36d8-478e-acc1-4ed402de0b81", "indicator--575d7a14-6d7c-4d5c-9062-468d02de0b81", "indicator--575d7a15-6bdc-490f-baa1-491b02de0b81", "observed-data--575d7a15-3118-4cfe-b293-457002de0b81", "url--575d7a15-3118-4cfe-b293-457002de0b81", "indicator--575d7a16-bd1c-4290-ac2e-4df602de0b81", "indicator--575d7a16-f520-4623-8cbf-40c702de0b81", "observed-data--575d7a17-a350-4b6d-9854-4acc02de0b81", "url--575d7a17-a350-4b6d-9854-4acc02de0b81", "indicator--575d7a17-22c0-4abf-a958-4a3e02de0b81", "indicator--575d7a17-d9dc-4a74-80b3-4a9a02de0b81", "observed-data--575d7a18-038c-43f7-ab4e-49a702de0b81", "url--575d7a18-038c-43f7-ab4e-49a702de0b81", "indicator--575d7a18-ef30-4925-b719-458b02de0b81", "indicator--575d7a19-9e10-42eb-9c54-4e1302de0b81", "observed-data--575d7a19-8a60-4818-a854-4f9102de0b81", "url--575d7a19-8a60-4818-a854-4f9102de0b81", "indicator--575d7a1a-0754-449e-9624-4ce002de0b81", "indicator--575d7a1a-d480-4e8c-ad01-493c02de0b81", "observed-data--575d7a1b-9fb4-47e3-9e5b-4fde02de0b81", "url--575d7a1b-9fb4-47e3-9e5b-4fde02de0b81", "indicator--575d7a1b-05f8-4a7c-9243-4e1102de0b81", "indicator--575d7a1c-75f4-48d9-bc38-4af702de0b81", "observed-data--575d7a1c-b878-4f97-9337-45db02de0b81", "url--575d7a1c-b878-4f97-9337-45db02de0b81", "indicator--575d7a1c-6ce8-4dbb-82c5-433a02de0b81", "indicator--575d7a1d-6aac-4c22-bac6-4a9d02de0b81", "observed-data--575d7a1d-b108-422c-83b5-4ef502de0b81", "url--575d7a1d-b108-422c-83b5-4ef502de0b81", "indicator--575d7a1e-0458-4311-b5f8-4e0202de0b81", "indicator--575d7a1e-d364-44e0-97e8-45c502de0b81", "observed-data--575d7a1f-8f38-4c98-9f4a-427402de0b81", "url--575d7a1f-8f38-4c98-9f4a-427402de0b81", "indicator--575d7a1f-5e30-4d9f-946c-438402de0b81", "indicator--575d7a20-ef38-4d96-90c2-435702de0b81", "observed-data--575d7a20-9358-428d-8a0d-4eae02de0b81", "url--575d7a20-9358-428d-8a0d-4eae02de0b81", "indicator--575d7a20-e438-4e89-9e82-4adb02de0b81", "indicator--575d7a21-cd28-4db7-808d-4a2a02de0b81", "observed-data--575d7a21-016c-417b-94b6-42b602de0b81", "url--575d7a21-016c-417b-94b6-42b602de0b81", "indicator--575d7a22-7ec8-418d-a666-4c4d02de0b81", "indicator--575d7a22-f560-4791-8271-470102de0b81", "observed-data--575d7a22-2534-467b-9a0e-4ebe02de0b81", "url--575d7a22-2534-467b-9a0e-4ebe02de0b81", "indicator--575d7a23-43d0-478f-a64b-490d02de0b81", "indicator--575d7a23-4b88-48e7-a482-448402de0b81", "observed-data--575d7a23-3bcc-4c0d-a644-488702de0b81", "url--575d7a23-3bcc-4c0d-a644-488702de0b81", "indicator--575d7a24-8e8c-49a1-9086-465002de0b81", "indicator--575d7a24-1e4c-4175-bb70-41ba02de0b81", "observed-data--575d7a25-df88-44c4-97f6-46d102de0b81", "url--575d7a25-df88-44c4-97f6-46d102de0b81", "indicator--575d7a25-fc3c-41bb-8e3c-481302de0b81", "indicator--575d7a25-b8b0-403c-b4ce-474102de0b81", "observed-data--575d7a26-0ed4-43f9-9dd5-4d6902de0b81", "url--575d7a26-0ed4-43f9-9dd5-4d6902de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--575d79b2-9cfc-4052-9f92-4642950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:03:14.000Z", "modified": "2016-06-12T15:03:14.000Z", "first_observed": "2016-06-12T15:03:14Z", "last_observed": "2016-06-12T15:03:14Z", "number_observed": 1, "object_refs": [ "url--575d79b2-9cfc-4052-9f92-4642950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--575d79b2-9cfc-4052-9f92-4642950d210f", "value": "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--575d79cb-8d18-4b89-9bcf-4cd5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:03:39.000Z", "modified": "2016-06-12T15:03:39.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "DUBNIUM (which shares indicators with what Kaspersky researchers have called DarkHotel) is one of the activity groups that has been very active in recent years, and has many distinctive features.\r\n\r\nWe located multiple variants of multiple-stage droppers and payloads in the last few months, and although they are not really packed or obfuscated in a conventional way, they use their own methods and tactics of obfuscation and distraction.\r\n\r\nIn this blog, we will focus on analysis of the first-stage payload of the malware.\r\n\r\nAs the code is very complicated and twisted in many ways, it is a complex task to reverse-engineer the malware. The complexity of the malware includes linking with unrelated code statically (so that their logic can hide in a big, benign code dump) and excessive use of an in-house encoding scheme. Their bootstrap logic is also hidden in plain sight, such that it might be easy to miss.\r\n\r\nEvery sub-routine from the malicious code has a \u00e2\u20ac\u0153memory cleaner routine\u00e2\u20ac\u009d when the logic ends. The memory snapshot of the process will not disclose many more details than the static binary itself.\r\n\r\nThe malware is also very sneaky and sensitive to dynamic analysis. When it detects the existence of analysis toolsets, the executable file bails out from further execution. Even binary instrumentation tools like PIN or DynamoRio prevent the malware from running. This effectively defeats many automation systems that rely on at least one of the toolsets they check to avoid. Avoiding these toolsets during analysis makes the overall investigation even more complex.\r\n\r\nWith this blog series, we want to discuss some of the simple techniques and tactics we\u00e2\u20ac\u2122ve used to break down the features of DUBNIUM.\r\n\r\nWe acquired multiple versions of DUBNIUM droppers through our daily operations. They are evolving slowly, but basically their features have not changed over the last few months.\r\n\r\nIn this blog, we\u00e2\u20ac\u2122ll be using sample SHA1: dc3ab3f6af87405d889b6af2557c835d7b7ed588 in our examples and analysis." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d79f6-8d1c-4b1c-ba28-4680950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:22.000Z", "modified": "2016-06-12T15:04:22.000Z", "description": "We discovered the following in relation to DUBNIUM", "pattern": "[file:hashes.SHA1 = '35847c56e3068a98cff85088005ba1a611b6261f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:04:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d79f6-9e14-4b98-b1c1-40d8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:22.000Z", "modified": "2016-06-12T15:04:22.000Z", "description": "We discovered the following in relation to DUBNIUM", "pattern": "[file:hashes.SHA1 = '09b022ef88b825041b67da9c9a2588e962817f6d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:04:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d79f6-3d2c-430e-98c0-41b2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:22.000Z", "modified": "2016-06-12T15:04:22.000Z", "description": "We discovered the following in relation to DUBNIUM", "pattern": "[file:hashes.SHA1 = '7f9ecfc95462b5e01e233b64dcedbcf944e97fca']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:04:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d79f7-e928-423f-81de-4394950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:23.000Z", "modified": "2016-06-12T15:04:23.000Z", "description": "We discovered the following in relation to DUBNIUM", "pattern": "[file:hashes.SHA1 = 'cad21e4ae48f2f1ba91faa9f875816f83737bcaf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:04:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d79f7-04c0-4ab5-aa9b-4a44950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:23.000Z", "modified": "2016-06-12T15:04:23.000Z", "description": "We discovered the following in relation to DUBNIUM", "pattern": "[file:hashes.SHA1 = 'ebccb1e12c88d838db15957366cee93c079b5a8e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:04:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d79f8-4270-478c-bdcd-470c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:24.000Z", "modified": "2016-06-12T15:04:24.000Z", "description": "We discovered the following in relation to DUBNIUM", "pattern": "[file:hashes.SHA1 = 'aee8d6f39e4286506cee0c849ede01d6f42110cc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:04:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d79f8-c724-40ff-a801-4ab9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:24.000Z", "modified": "2016-06-12T15:04:24.000Z", "description": "We discovered the following in relation to DUBNIUM", "pattern": "[file:hashes.SHA1 = 'b42ca359fe942456de14283fd2e199113c8789e6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:04:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d79f9-cdac-4e3f-ad8d-4397950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:25.000Z", "modified": "2016-06-12T15:04:25.000Z", "description": "We discovered the following in relation to DUBNIUM", "pattern": "[file:hashes.SHA1 = '0ac65c60ad6f23b2b2f208e5ab8be0372371e4b3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:04:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d79f9-2618-4e51-8747-4bf5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:25.000Z", "modified": "2016-06-12T15:04:25.000Z", "description": "We discovered the following in relation to DUBNIUM", "pattern": "[file:hashes.SHA1 = '1949a9753df57eec586aeb6b4763f92c0ca6a895']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:04:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d79f9-2228-463d-8b06-4660950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:25.000Z", "modified": "2016-06-12T15:04:25.000Z", "description": "We discovered the following in relation to DUBNIUM", "pattern": "[file:hashes.SHA1 = '259f0d98e96602223d7694852137d6312af78967']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:04:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d79fa-766c-4877-8ff9-42e0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:26.000Z", "modified": "2016-06-12T15:04:26.000Z", "description": "We discovered the following in relation to DUBNIUM", "pattern": "[file:hashes.SHA1 = '4627cff4cd90dc47df5c4d53480101bdc1d46720']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:04:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d79fa-9c24-4a80-bebd-43bd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:26.000Z", "modified": "2016-06-12T15:04:26.000Z", "description": "We discovered the following in relation to DUBNIUM", "pattern": "[file:hashes.SHA1 = '561db51eba971ab4afe0a811361e7a678b8f8129']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:04:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d79fb-2ea8-47de-8a9e-4cac950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:27.000Z", "modified": "2016-06-12T15:04:27.000Z", "description": "We discovered the following in relation to DUBNIUM", "pattern": "[file:hashes.SHA1 = '6e74da35695e7838456f3f719d6eb283d4198735']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:04:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d79fb-2f6c-4127-98fd-4b2c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:27.000Z", "modified": "2016-06-12T15:04:27.000Z", "description": "We discovered the following in relation to DUBNIUM", "pattern": "[file:hashes.SHA1 = '8ff7f64356f7577623bf424f601c7fa0f720e5fb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:04:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d79fc-a090-4016-b9eb-4658950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:28.000Z", "modified": "2016-06-12T15:04:28.000Z", "description": "We discovered the following in relation to DUBNIUM", "pattern": "[file:hashes.SHA1 = 'a3bcaecf62d9bc92e48b703750b78816bc38dbe8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:04:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d79fc-cab8-4628-9277-45d3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:28.000Z", "modified": "2016-06-12T15:04:28.000Z", "description": "We discovered the following in relation to DUBNIUM", "pattern": "[file:hashes.SHA1 = 'c9cd559ed73a0b066b48090243436103eb52cc45']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:04:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d79fd-00cc-47c0-9a69-4636950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:29.000Z", "modified": "2016-06-12T15:04:29.000Z", "description": "We discovered the following in relation to DUBNIUM", "pattern": "[file:hashes.SHA1 = 'dc3ab3f6af87405d889b6af2557c835d7b7ed588']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:04:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d79fd-76c4-402d-b542-47b4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:29.000Z", "modified": "2016-06-12T15:04:29.000Z", "description": "We discovered the following in relation to DUBNIUM", "pattern": "[file:hashes.SHA1 = 'df793d097017b90bc9d7da9a85f929422004f6b6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:04:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d79fe-77d4-439c-932e-4da8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:30.000Z", "modified": "2016-06-12T15:04:30.000Z", "description": "We discovered the following in relation to DUBNIUM", "pattern": "[file:hashes.SHA1 = '6ccba071425ba9ed69d5a79bb53ad27541577cb9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:04:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d7a13-edd0-43fc-b1de-494f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:51.000Z", "modified": "2016-06-12T15:04:51.000Z", "description": "We discovered the following in relation to DUBNIUM - Xchecked via VT: df793d097017b90bc9d7da9a85f929422004f6b6", "pattern": "[file:hashes.SHA256 = '839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:04:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d7a13-d600-4464-9431-4cdd02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:51.000Z", "modified": "2016-06-12T15:04:51.000Z", "description": "We discovered the following in relation to DUBNIUM - Xchecked via VT: df793d097017b90bc9d7da9a85f929422004f6b6", "pattern": "[file:hashes.MD5 = '5e01b8bc78afc6ecb3376c06cbceb680']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:04:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--575d7a14-36d8-478e-acc1-4ed402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:52.000Z", "modified": "2016-06-12T15:04:52.000Z", "first_observed": "2016-06-12T15:04:52Z", "last_observed": "2016-06-12T15:04:52Z", "number_observed": 1, "object_refs": [ "url--575d7a14-36d8-478e-acc1-4ed402de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--575d7a14-36d8-478e-acc1-4ed402de0b81", "value": "https://www.virustotal.com/file/839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba/analysis/1465591410/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d7a14-6d7c-4d5c-9062-468d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:52.000Z", "modified": "2016-06-12T15:04:52.000Z", "description": "We discovered the following in relation to DUBNIUM - Xchecked via VT: c9cd559ed73a0b066b48090243436103eb52cc45", "pattern": "[file:hashes.SHA256 = '5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:04:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d7a15-6bdc-490f-baa1-491b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:53.000Z", "modified": "2016-06-12T15:04:53.000Z", "description": "We discovered the following in relation to DUBNIUM - Xchecked via VT: c9cd559ed73a0b066b48090243436103eb52cc45", "pattern": "[file:hashes.MD5 = '4d84720998eb6e358a1671f6eb1ef74e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:04:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--575d7a15-3118-4cfe-b293-457002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:53.000Z", "modified": "2016-06-12T15:04:53.000Z", "first_observed": "2016-06-12T15:04:53Z", "last_observed": "2016-06-12T15:04:53Z", "number_observed": 1, "object_refs": [ "url--575d7a15-3118-4cfe-b293-457002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--575d7a15-3118-4cfe-b293-457002de0b81", "value": "https://www.virustotal.com/file/5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b/analysis/1447106132/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d7a16-bd1c-4290-ac2e-4df602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:54.000Z", "modified": "2016-06-12T15:04:54.000Z", "description": "We discovered the following in relation to DUBNIUM - Xchecked via VT: a3bcaecf62d9bc92e48b703750b78816bc38dbe8", "pattern": "[file:hashes.SHA256 = '5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:04:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d7a16-f520-4623-8cbf-40c702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:54.000Z", "modified": "2016-06-12T15:04:54.000Z", "description": "We discovered the following in relation to DUBNIUM - Xchecked via VT: a3bcaecf62d9bc92e48b703750b78816bc38dbe8", "pattern": "[file:hashes.MD5 = 'eac466fb9be8f98c29bfe513949f2ab5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:04:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--575d7a17-a350-4b6d-9854-4acc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:55.000Z", "modified": "2016-06-12T15:04:55.000Z", "first_observed": "2016-06-12T15:04:55Z", "last_observed": "2016-06-12T15:04:55Z", "number_observed": 1, "object_refs": [ "url--575d7a17-a350-4b6d-9854-4acc02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--575d7a17-a350-4b6d-9854-4acc02de0b81", "value": "https://www.virustotal.com/file/5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0/analysis/1457628585/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d7a17-22c0-4abf-a958-4a3e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:55.000Z", "modified": "2016-06-12T15:04:55.000Z", "description": "We discovered the following in relation to DUBNIUM - Xchecked via VT: 8ff7f64356f7577623bf424f601c7fa0f720e5fb", "pattern": "[file:hashes.SHA256 = '16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:04:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d7a17-d9dc-4a74-80b3-4a9a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:55.000Z", "modified": "2016-06-12T15:04:55.000Z", "description": "We discovered the following in relation to DUBNIUM - Xchecked via VT: 8ff7f64356f7577623bf424f601c7fa0f720e5fb", "pattern": "[file:hashes.MD5 = '3acdef50a42d038de579f5ced74eb97f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:04:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--575d7a18-038c-43f7-ab4e-49a702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:56.000Z", "modified": "2016-06-12T15:04:56.000Z", "first_observed": "2016-06-12T15:04:56Z", "last_observed": "2016-06-12T15:04:56Z", "number_observed": 1, "object_refs": [ "url--575d7a18-038c-43f7-ab4e-49a702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--575d7a18-038c-43f7-ab4e-49a702de0b81", "value": "https://www.virustotal.com/file/16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b/analysis/1465591409/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d7a18-ef30-4925-b719-458b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:56.000Z", "modified": "2016-06-12T15:04:56.000Z", "description": "We discovered the following in relation to DUBNIUM - Xchecked via VT: 6e74da35695e7838456f3f719d6eb283d4198735", "pattern": "[file:hashes.SHA256 = '1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:04:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d7a19-9e10-42eb-9c54-4e1302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:57.000Z", "modified": "2016-06-12T15:04:57.000Z", "description": "We discovered the following in relation to DUBNIUM - Xchecked via VT: 6e74da35695e7838456f3f719d6eb283d4198735", "pattern": "[file:hashes.MD5 = '46cd2305c3802f86c6471ac89e2a3512']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:04:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--575d7a19-8a60-4818-a854-4f9102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:57.000Z", "modified": "2016-06-12T15:04:57.000Z", "first_observed": "2016-06-12T15:04:57Z", "last_observed": "2016-06-12T15:04:57Z", "number_observed": 1, "object_refs": [ "url--575d7a19-8a60-4818-a854-4f9102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--575d7a19-8a60-4818-a854-4f9102de0b81", "value": "https://www.virustotal.com/file/1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8/analysis/1465591409/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d7a1a-0754-449e-9624-4ce002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:58.000Z", "modified": "2016-06-12T15:04:58.000Z", "description": "We discovered the following in relation to DUBNIUM - Xchecked via VT: 561db51eba971ab4afe0a811361e7a678b8f8129", "pattern": "[file:hashes.SHA256 = 'bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:04:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d7a1a-d480-4e8c-ad01-493c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:58.000Z", "modified": "2016-06-12T15:04:58.000Z", "description": "We discovered the following in relation to DUBNIUM - Xchecked via VT: 561db51eba971ab4afe0a811361e7a678b8f8129", "pattern": "[file:hashes.MD5 = 'd8a06811385e0fd463f215a43b366169']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:04:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--575d7a1b-9fb4-47e3-9e5b-4fde02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:59.000Z", "modified": "2016-06-12T15:04:59.000Z", "first_observed": "2016-06-12T15:04:59Z", "last_observed": "2016-06-12T15:04:59Z", "number_observed": 1, "object_refs": [ "url--575d7a1b-9fb4-47e3-9e5b-4fde02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--575d7a1b-9fb4-47e3-9e5b-4fde02de0b81", "value": "https://www.virustotal.com/file/bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f/analysis/1452178803/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d7a1b-05f8-4a7c-9243-4e1102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:04:59.000Z", "modified": "2016-06-12T15:04:59.000Z", "description": "We discovered the following in relation to DUBNIUM - Xchecked via VT: 4627cff4cd90dc47df5c4d53480101bdc1d46720", "pattern": "[file:hashes.SHA256 = 'a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:04:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d7a1c-75f4-48d9-bc38-4af702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:05:00.000Z", "modified": "2016-06-12T15:05:00.000Z", "description": "We discovered the following in relation to DUBNIUM - Xchecked via VT: 4627cff4cd90dc47df5c4d53480101bdc1d46720", "pattern": "[file:hashes.MD5 = 'd0399ca4c86909bc03ccf470534264c5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:05:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--575d7a1c-b878-4f97-9337-45db02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:05:00.000Z", "modified": "2016-06-12T15:05:00.000Z", "first_observed": "2016-06-12T15:05:00Z", "last_observed": "2016-06-12T15:05:00Z", "number_observed": 1, "object_refs": [ "url--575d7a1c-b878-4f97-9337-45db02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--575d7a1c-b878-4f97-9337-45db02de0b81", "value": "https://www.virustotal.com/file/a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9/analysis/1455833470/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d7a1c-6ce8-4dbb-82c5-433a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:05:00.000Z", "modified": "2016-06-12T15:05:00.000Z", "description": "We discovered the following in relation to DUBNIUM - Xchecked via VT: 1949a9753df57eec586aeb6b4763f92c0ca6a895", "pattern": "[file:hashes.SHA256 = '41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:05:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d7a1d-6aac-4c22-bac6-4a9d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:05:01.000Z", "modified": "2016-06-12T15:05:01.000Z", "description": "We discovered the following in relation to DUBNIUM - Xchecked via VT: 1949a9753df57eec586aeb6b4763f92c0ca6a895", "pattern": "[file:hashes.MD5 = '5f4c355c95927c5712e9deacd31a2fa8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:05:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--575d7a1d-b108-422c-83b5-4ef502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:05:01.000Z", "modified": "2016-06-12T15:05:01.000Z", "first_observed": "2016-06-12T15:05:01Z", "last_observed": "2016-06-12T15:05:01Z", "number_observed": 1, "object_refs": [ "url--575d7a1d-b108-422c-83b5-4ef502de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--575d7a1d-b108-422c-83b5-4ef502de0b81", "value": "https://www.virustotal.com/file/41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf/analysis/1454552583/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d7a1e-0458-4311-b5f8-4e0202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:05:02.000Z", "modified": "2016-06-12T15:05:02.000Z", "description": "We discovered the following in relation to DUBNIUM - Xchecked via VT: 0ac65c60ad6f23b2b2f208e5ab8be0372371e4b3", "pattern": "[file:hashes.SHA256 = 'e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:05:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d7a1e-d364-44e0-97e8-45c502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:05:02.000Z", "modified": "2016-06-12T15:05:02.000Z", "description": "We discovered the following in relation to DUBNIUM - Xchecked via VT: 0ac65c60ad6f23b2b2f208e5ab8be0372371e4b3", "pattern": "[file:hashes.MD5 = 'a5ec201b518ce52c50cd8175ad79d5ea']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:05:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--575d7a1f-8f38-4c98-9f4a-427402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:05:03.000Z", "modified": "2016-06-12T15:05:03.000Z", "first_observed": "2016-06-12T15:05:03Z", "last_observed": "2016-06-12T15:05:03Z", "number_observed": 1, "object_refs": [ "url--575d7a1f-8f38-4c98-9f4a-427402de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--575d7a1f-8f38-4c98-9f4a-427402de0b81", "value": "https://www.virustotal.com/file/e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b/analysis/1453000012/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d7a1f-5e30-4d9f-946c-438402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:05:03.000Z", "modified": "2016-06-12T15:05:03.000Z", "description": "We discovered the following in relation to DUBNIUM - Xchecked via VT: b42ca359fe942456de14283fd2e199113c8789e6", "pattern": "[file:hashes.SHA256 = 'f529a10126b83157e403742c8c7c90742a490a24270cb137b372ba84e5977d78']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:05:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d7a20-ef38-4d96-90c2-435702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:05:04.000Z", "modified": "2016-06-12T15:05:04.000Z", "description": "We discovered the following in relation to DUBNIUM - Xchecked via VT: b42ca359fe942456de14283fd2e199113c8789e6", "pattern": "[file:hashes.MD5 = '9e1574342f042501f8fa00adbd6707c8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:05:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--575d7a20-9358-428d-8a0d-4eae02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:05:04.000Z", "modified": "2016-06-12T15:05:04.000Z", "first_observed": "2016-06-12T15:05:04Z", "last_observed": "2016-06-12T15:05:04Z", "number_observed": 1, "object_refs": [ "url--575d7a20-9358-428d-8a0d-4eae02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--575d7a20-9358-428d-8a0d-4eae02de0b81", "value": "https://www.virustotal.com/file/f529a10126b83157e403742c8c7c90742a490a24270cb137b372ba84e5977d78/analysis/1458803118/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d7a20-e438-4e89-9e82-4adb02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:05:04.000Z", "modified": "2016-06-12T15:05:04.000Z", "description": "We discovered the following in relation to DUBNIUM - Xchecked via VT: aee8d6f39e4286506cee0c849ede01d6f42110cc", "pattern": "[file:hashes.SHA256 = 'e0362d319a8d0e13eda782a0d8da960dd96043e6cc3500faeae521d1747576e5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:05:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d7a21-cd28-4db7-808d-4a2a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:05:05.000Z", "modified": "2016-06-12T15:05:05.000Z", "description": "We discovered the following in relation to DUBNIUM - Xchecked via VT: aee8d6f39e4286506cee0c849ede01d6f42110cc", "pattern": "[file:hashes.MD5 = 'fe8b411eab82a5169a262a601025f186']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:05:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--575d7a21-016c-417b-94b6-42b602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:05:05.000Z", "modified": "2016-06-12T15:05:05.000Z", "first_observed": "2016-06-12T15:05:05Z", "last_observed": "2016-06-12T15:05:05Z", "number_observed": 1, "object_refs": [ "url--575d7a21-016c-417b-94b6-42b602de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--575d7a21-016c-417b-94b6-42b602de0b81", "value": "https://www.virustotal.com/file/e0362d319a8d0e13eda782a0d8da960dd96043e6cc3500faeae521d1747576e5/analysis/1465591407/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d7a22-7ec8-418d-a666-4c4d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:05:06.000Z", "modified": "2016-06-12T15:05:06.000Z", "description": "We discovered the following in relation to DUBNIUM - Xchecked via VT: ebccb1e12c88d838db15957366cee93c079b5a8e", "pattern": "[file:hashes.SHA256 = 'caefcdf2b4e5a928cdf9360b70960337f751ec4a5ab8c0b75851fc9a1ab507a8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:05:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d7a22-f560-4791-8271-470102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:05:06.000Z", "modified": "2016-06-12T15:05:06.000Z", "description": "We discovered the following in relation to DUBNIUM - Xchecked via VT: ebccb1e12c88d838db15957366cee93c079b5a8e", "pattern": "[file:hashes.MD5 = '891b5bbc60fab52620e446dcc0d85bda']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:05:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--575d7a22-2534-467b-9a0e-4ebe02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:05:06.000Z", "modified": "2016-06-12T15:05:06.000Z", "first_observed": "2016-06-12T15:05:06Z", "last_observed": "2016-06-12T15:05:06Z", "number_observed": 1, "object_refs": [ "url--575d7a22-2534-467b-9a0e-4ebe02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--575d7a22-2534-467b-9a0e-4ebe02de0b81", "value": "https://www.virustotal.com/file/caefcdf2b4e5a928cdf9360b70960337f751ec4a5ab8c0b75851fc9a1ab507a8/analysis/1465591410/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d7a23-43d0-478f-a64b-490d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:05:07.000Z", "modified": "2016-06-12T15:05:07.000Z", "description": "We discovered the following in relation to DUBNIUM - Xchecked via VT: cad21e4ae48f2f1ba91faa9f875816f83737bcaf", "pattern": "[file:hashes.SHA256 = '77ca1148503def0d8e9674a37e1388e5c910da4eda9685eabe68fd0ee227b727']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:05:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d7a23-4b88-48e7-a482-448402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:05:07.000Z", "modified": "2016-06-12T15:05:07.000Z", "description": "We discovered the following in relation to DUBNIUM - Xchecked via VT: cad21e4ae48f2f1ba91faa9f875816f83737bcaf", "pattern": "[file:hashes.MD5 = '5825372c87662c5b91f2b5080add9485']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:05:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--575d7a23-3bcc-4c0d-a644-488702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:05:07.000Z", "modified": "2016-06-12T15:05:07.000Z", "first_observed": "2016-06-12T15:05:07Z", "last_observed": "2016-06-12T15:05:07Z", "number_observed": 1, "object_refs": [ "url--575d7a23-3bcc-4c0d-a644-488702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--575d7a23-3bcc-4c0d-a644-488702de0b81", "value": "https://www.virustotal.com/file/77ca1148503def0d8e9674a37e1388e5c910da4eda9685eabe68fd0ee227b727/analysis/1465591408/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d7a24-8e8c-49a1-9086-465002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:05:08.000Z", "modified": "2016-06-12T15:05:08.000Z", "description": "We discovered the following in relation to DUBNIUM - Xchecked via VT: 7f9ecfc95462b5e01e233b64dcedbcf944e97fca", "pattern": "[file:hashes.SHA256 = 'a77d1c452291a6f2f6ed89a4bac88dd03d38acde709b0061efd9f50e6d9f3827']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:05:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d7a24-1e4c-4175-bb70-41ba02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:05:08.000Z", "modified": "2016-06-12T15:05:08.000Z", "description": "We discovered the following in relation to DUBNIUM - Xchecked via VT: 7f9ecfc95462b5e01e233b64dcedbcf944e97fca", "pattern": "[file:hashes.MD5 = '33c8a13ea2400806032b516ecfca743c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:05:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--575d7a25-df88-44c4-97f6-46d102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:05:09.000Z", "modified": "2016-06-12T15:05:09.000Z", "first_observed": "2016-06-12T15:05:09Z", "last_observed": "2016-06-12T15:05:09Z", "number_observed": 1, "object_refs": [ "url--575d7a25-df88-44c4-97f6-46d102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--575d7a25-df88-44c4-97f6-46d102de0b81", "value": "https://www.virustotal.com/file/a77d1c452291a6f2f6ed89a4bac88dd03d38acde709b0061efd9f50e6d9f3827/analysis/1465591406/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d7a25-fc3c-41bb-8e3c-481302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:05:09.000Z", "modified": "2016-06-12T15:05:09.000Z", "description": "We discovered the following in relation to DUBNIUM - Xchecked via VT: 09b022ef88b825041b67da9c9a2588e962817f6d", "pattern": "[file:hashes.SHA256 = '8ca8067dfef13f10e657d299b517008ad7523aacf7900a1afeb0a8508a6e11d3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:05:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--575d7a25-b8b0-403c-b4ce-474102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:05:09.000Z", "modified": "2016-06-12T15:05:09.000Z", "description": "We discovered the following in relation to DUBNIUM - Xchecked via VT: 09b022ef88b825041b67da9c9a2588e962817f6d", "pattern": "[file:hashes.MD5 = '7a32b39ac104071ddeb65acd27633c16']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-12T15:05:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--575d7a26-0ed4-43f9-9dd5-4d6902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-12T15:05:10.000Z", "modified": "2016-06-12T15:05:10.000Z", "first_observed": "2016-06-12T15:05:10Z", "last_observed": "2016-06-12T15:05:10Z", "number_observed": 1, "object_refs": [ "url--575d7a26-0ed4-43f9-9dd5-4d6902de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--575d7a26-0ed4-43f9-9dd5-4d6902de0b81", "value": "https://www.virustotal.com/file/8ca8067dfef13f10e657d299b517008ad7523aacf7900a1afeb0a8508a6e11d3/analysis/1454911986/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }