{ "type": "bundle", "id": "bundle--57b47152-b938-42f7-aa36-4bf1950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-17T14:16:10.000Z", "modified": "2016-08-17T14:16:10.000Z", "name": "CthulhuSPRL.be", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--57b47152-b938-42f7-aa36-4bf1950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-17T14:16:10.000Z", "modified": "2016-08-17T14:16:10.000Z", "name": "OSINT Generic Yara rule to detect PlugX by Jay DiMartino", "published": "2016-09-25T20:36:29Z", "object_refs": [ "observed-data--57b4716e-624c-431e-af53-40c2950d210f", "url--57b4716e-624c-431e-af53-40c2950d210f", "indicator--57b4717f-cc50-4b81-9fd1-4f64950d210f", "indicator--57b471a5-25b0-4f2d-9181-489a950d210f", "indicator--57b471a5-9708-4b32-885d-4249950d210f", "indicator--57b471a6-5574-48ae-84e9-4d11950d210f", "indicator--57b471a6-137c-4dd7-9756-46db950d210f", "indicator--57b471a6-4dc4-4f35-a8f4-4d2d950d210f", "indicator--57b471a6-c6e0-49f9-8e12-440b950d210f", "indicator--57b471a6-7f80-4c6d-8825-4e11950d210f", "indicator--57b471a7-58e0-40fe-9ce5-400c950d210f", "indicator--57b471a7-43b0-44ef-80f9-4b20950d210f", "indicator--57b471a7-a564-48fd-8a5e-4c05950d210f", "indicator--57b471a7-9994-4528-be80-45fe950d210f", "indicator--57b471a8-357c-4f03-aff5-4230950d210f", "indicator--57b471a8-c8a8-4844-8897-46b1950d210f", "indicator--57b471a8-fb7c-4dd7-b366-495f950d210f", "indicator--57b471a8-fb24-4246-8f8e-4093950d210f", "indicator--57b471a8-c074-49c5-a84a-4c2b950d210f", "indicator--57b471a9-29f0-4524-9743-4ffb950d210f", "indicator--57b471a9-4a44-46d5-94ad-400c950d210f", "indicator--57b471a9-0f70-4473-9189-41f6950d210f", "indicator--57b471a9-2588-4b70-8997-4f2f950d210f", "indicator--57b471a9-83b8-4570-81c2-45f8950d210f", "indicator--57b471aa-ef54-405c-a475-4d95950d210f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "OSINT" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57b4716e-624c-431e-af53-40c2950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-17T14:15:10.000Z", "modified": "2016-08-17T14:15:10.000Z", "first_observed": "2016-08-17T14:15:10Z", "last_observed": "2016-08-17T14:15:10Z", "number_observed": 1, "object_refs": [ "url--57b4716e-624c-431e-af53-40c2950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57b4716e-624c-431e-af53-40c2950d210f", "value": "https://github.com/Neo23x0/signature-base/blob/master/yara/apt_plugx.yar" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57b4717f-cc50-4b81-9fd1-4f64950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-17T14:15:27.000Z", "modified": "2016-08-17T14:15:27.000Z", "pattern": "[rule APTGroupX_PlugXTrojanLoader_StringDecode {\r\n meta:\r\n author = \"Jay DiMartino\"\r\n \tdescription = \"Rule to detect PlugX Malware\"\r\n\t\tscore = 80\r\n \treference = \"https://t.co/4xQ8G2mNap\"\r\n hash1 = \"0535e8c300204e257f0fa57630f386e9fcc8e779\"\r\n hash2 = \"088ebf9ccde958f32d11f4e7eb14f5332332f97d\"\r\n hash3 = \"0c999d0bffa007e9e6b6fe593933b52f40c75b3d\"\r\n hash4 = \"2f644e7131ec0a4f12ce04ba1e54d23856dbbfbf\"\r\n hash5 = \"3be9148ad132ca342d5fbabea1119a175ef1df7c\"\r\n hash6 = \"4c1ee94ec0e15491fc4f6b4095f67eee6309e62a\"\r\n hash7 = \"587af7ce05e61d4c312d6bae12ea380116b08d7e\"\r\n hash8 = \"5990efd83b5646a7ba419541d3a2c19260224ca3\"\r\n hash9 = \"67970367c250c44a5feb263843cf45fd91336df5\"\r\n hash10 = \"68f53f7188910a4cf67843aedd38c1523f1f2e7c\"\r\n hash11 = \"962dc7e0ad37286df012f623423ac4182fe791ca\"\r\n hash12 = \"aa0976906807af2e1b127608040aa3ef6e118a13\"\r\n hash13 = \"b170d015e32b39fa4ac15f94d58e45e65cd16d6c\"\r\n hash14 = \"c9b3d2cef3b34c7ee18fc2f60ff022965959613d\"\r\n hash15 = \"cd425ce7f3e4a823d9027780e1b439759c4dc665\"\r\n hash16 = \"d5e82513c6472d3826a22d9a15c05af8c0d33b58\"\r\n hash17 = \"d9b32084f27ef13001060e1dcee8a1a9e95d89a6\"\r\n hash18 = \"daa2d1cb9148b7ba5a86fa9ab593678e77c92672\"\r\n hash19 = \"e2c098a95d1c1f0e29f207af9c5ffc5bd69a92ee\"\r\n hash20 = \"ef8cf68dc3c80e9cb5a3fa0f92b544eab583812e\"\r\n hash21 = \"f0fc0a4e4e0748464caa6a202d0083cd33458677\"\r\n hash22 = \"fe1abe55529c1d6aa6b2a2f02d7e41ea58040feb\"\r\n strings:\r\n $byte1 = { 8A [2-4] 8A [2-4] FF 05 00 30 00 10 [0-5] 2A [1-6] 80 [2-7] 02 [1-6] 88 0? }\r\n $byte2 = { 8B [2-4] 8A [2-4] FF 05 00 30 00 10 [0-5] 2A [1-6] 80 [2-7] 02 [1-6] 88 0? }\r\n condition:\r\n any of them\r\n}]", "pattern_type": "yara", "valid_from": "2016-08-17T14:15:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57b471a5-25b0-4f2d-9181-489a950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-17T14:16:05.000Z", "modified": "2016-08-17T14:16:05.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[file:hashes.SHA1 = '0535e8c300204e257f0fa57630f386e9fcc8e779']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-17T14:16:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57b471a5-9708-4b32-885d-4249950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-17T14:16:05.000Z", "modified": "2016-08-17T14:16:05.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[file:hashes.SHA1 = '088ebf9ccde958f32d11f4e7eb14f5332332f97d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-17T14:16:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57b471a6-5574-48ae-84e9-4d11950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-17T14:16:06.000Z", "modified": "2016-08-17T14:16:06.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[file:hashes.SHA1 = '0c999d0bffa007e9e6b6fe593933b52f40c75b3d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-17T14:16:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57b471a6-137c-4dd7-9756-46db950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-17T14:16:06.000Z", "modified": "2016-08-17T14:16:06.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[file:hashes.SHA1 = '2f644e7131ec0a4f12ce04ba1e54d23856dbbfbf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-17T14:16:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57b471a6-4dc4-4f35-a8f4-4d2d950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-17T14:16:06.000Z", "modified": "2016-08-17T14:16:06.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[file:hashes.SHA1 = '3be9148ad132ca342d5fbabea1119a175ef1df7c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-17T14:16:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57b471a6-c6e0-49f9-8e12-440b950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-17T14:16:06.000Z", "modified": "2016-08-17T14:16:06.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[file:hashes.SHA1 = '4c1ee94ec0e15491fc4f6b4095f67eee6309e62a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-17T14:16:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57b471a6-7f80-4c6d-8825-4e11950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-17T14:16:06.000Z", "modified": "2016-08-17T14:16:06.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[file:hashes.SHA1 = '587af7ce05e61d4c312d6bae12ea380116b08d7e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-17T14:16:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57b471a7-58e0-40fe-9ce5-400c950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-17T14:16:07.000Z", "modified": "2016-08-17T14:16:07.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[file:hashes.SHA1 = '5990efd83b5646a7ba419541d3a2c19260224ca3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-17T14:16:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57b471a7-43b0-44ef-80f9-4b20950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-17T14:16:07.000Z", "modified": "2016-08-17T14:16:07.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[file:hashes.SHA1 = '67970367c250c44a5feb263843cf45fd91336df5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-17T14:16:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57b471a7-a564-48fd-8a5e-4c05950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-17T14:16:07.000Z", "modified": "2016-08-17T14:16:07.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[file:hashes.SHA1 = '68f53f7188910a4cf67843aedd38c1523f1f2e7c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-17T14:16:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57b471a7-9994-4528-be80-45fe950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-17T14:16:07.000Z", "modified": "2016-08-17T14:16:07.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[file:hashes.SHA1 = '962dc7e0ad37286df012f623423ac4182fe791ca']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-17T14:16:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57b471a8-357c-4f03-aff5-4230950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-17T14:16:07.000Z", "modified": "2016-08-17T14:16:07.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[file:hashes.SHA1 = 'aa0976906807af2e1b127608040aa3ef6e118a13']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-17T14:16:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57b471a8-c8a8-4844-8897-46b1950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-17T14:16:08.000Z", "modified": "2016-08-17T14:16:08.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[file:hashes.SHA1 = 'b170d015e32b39fa4ac15f94d58e45e65cd16d6c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-17T14:16:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57b471a8-fb7c-4dd7-b366-495f950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-17T14:16:08.000Z", "modified": "2016-08-17T14:16:08.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[file:hashes.SHA1 = 'c9b3d2cef3b34c7ee18fc2f60ff022965959613d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-17T14:16:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57b471a8-fb24-4246-8f8e-4093950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-17T14:16:08.000Z", "modified": "2016-08-17T14:16:08.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[file:hashes.SHA1 = 'cd425ce7f3e4a823d9027780e1b439759c4dc665']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-17T14:16:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57b471a8-c074-49c5-a84a-4c2b950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-17T14:16:08.000Z", "modified": "2016-08-17T14:16:08.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[file:hashes.SHA1 = 'd5e82513c6472d3826a22d9a15c05af8c0d33b58']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-17T14:16:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57b471a9-29f0-4524-9743-4ffb950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-17T14:16:09.000Z", "modified": "2016-08-17T14:16:09.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[file:hashes.SHA1 = 'd9b32084f27ef13001060e1dcee8a1a9e95d89a6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-17T14:16:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57b471a9-4a44-46d5-94ad-400c950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-17T14:16:09.000Z", "modified": "2016-08-17T14:16:09.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[file:hashes.SHA1 = 'daa2d1cb9148b7ba5a86fa9ab593678e77c92672']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-17T14:16:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57b471a9-0f70-4473-9189-41f6950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-17T14:16:09.000Z", "modified": "2016-08-17T14:16:09.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[file:hashes.SHA1 = 'e2c098a95d1c1f0e29f207af9c5ffc5bd69a92ee']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-17T14:16:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57b471a9-2588-4b70-8997-4f2f950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-17T14:16:09.000Z", "modified": "2016-08-17T14:16:09.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[file:hashes.SHA1 = 'ef8cf68dc3c80e9cb5a3fa0f92b544eab583812e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-17T14:16:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57b471a9-83b8-4570-81c2-45f8950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-17T14:16:09.000Z", "modified": "2016-08-17T14:16:09.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[file:hashes.SHA1 = 'f0fc0a4e4e0748464caa6a202d0083cd33458677']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-17T14:16:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57b471aa-ef54-405c-a475-4d95950d210f", "created_by_ref": "identity--55f6ea5f-fd34-43b8-ac1d-40cb950d210f", "created": "2016-08-17T14:16:10.000Z", "modified": "2016-08-17T14:16:10.000Z", "description": "Imported via the Freetext Import Tool", "pattern": "[file:hashes.SHA1 = 'fe1abe55529c1d6aa6b2a2f02d7e41ea58040feb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-17T14:16:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }