{ "type": "bundle", "id": "bundle--5914d3ff-4afc-46e0-88cf-bd5202de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5914d3ff-4afc-46e0-88cf-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "name": "OSINT - Practice Makes Perfect: Nemucod Evolves Delivery and Obfuscation Techniques to Harvest Credentials", "published": "2017-05-11T21:28:30Z", "object_refs": [ "observed-data--5914d415-329c-4958-9962-4dc802de0b81", "url--5914d415-329c-4958-9962-4dc802de0b81", "x-misp-attribute--5914d424-5778-49b4-9330-bd4b02de0b81", "indicator--5914d455-8f08-4b21-b4e9-4dc802de0b81", "indicator--5914d4a9-bbd4-4517-8e68-72d202de0b81", "indicator--5914d4aa-dbfc-40cc-ac99-72d202de0b81", "indicator--5914d4aa-efec-40f0-b40a-72d202de0b81", "indicator--5914d526-864c-4513-99fd-bd5202de0b81", "indicator--5914d526-1994-452e-b427-bd5202de0b81", "indicator--5914d526-f61c-4243-8ce4-bd5202de0b81", "indicator--5914d527-7e6c-4f06-ab37-bd5202de0b81", "indicator--5914d527-a68c-4d95-9412-bd5202de0b81", "indicator--5914d57d-2774-4bbf-9a9f-42db02de0b81", "indicator--5914d57e-3c5c-4788-93fc-426102de0b81", "indicator--5914d57e-3b7c-40db-a0b0-4fd202de0b81", "indicator--5914d57e-6480-4725-86fc-499a02de0b81", "indicator--5914d57f-d788-4a76-b8e6-456e02de0b81", "indicator--5914d57f-c238-4d14-8d6a-42b802de0b81", "indicator--5914d580-c40c-4d8e-9760-40ad02de0b81", "indicator--5914d580-8204-4faf-ba34-4f1602de0b81", "indicator--5914d581-9200-432b-a820-4ce502de0b81", "indicator--5914d581-a2a0-4f54-8392-41ce02de0b81", "indicator--5914d581-4820-4169-a8f4-437b02de0b81", "indicator--5914d582-2594-4238-8bdb-448902de0b81", 
"indicator--5914d582-bfa0-4849-8bf7-497c02de0b81", "indicator--5914d583-d0b4-4626-9e72-414702de0b81", "indicator--5914d583-3254-4d2b-bf0e-4b9d02de0b81", "indicator--5914d584-11d4-40c1-aad9-406a02de0b81", "indicator--5914d584-c42c-47dd-8c95-4f3f02de0b81", "indicator--5914d584-261c-43dd-9abe-48c402de0b81", "indicator--5914d585-8390-4ca3-8191-41bd02de0b81", "indicator--5914d585-80b0-40ea-b72e-4de202de0b81", "indicator--5914d586-9c6c-404b-afe0-483102de0b81", "indicator--5914d586-a3f4-4928-9038-4f8702de0b81", "indicator--5914d587-1464-4c29-b93a-4e6602de0b81", "indicator--5914d587-f118-4be8-99cb-494102de0b81", "indicator--5914d587-9014-413b-931a-487702de0b81", "indicator--5914d588-89b0-4928-a78a-427c02de0b81", "indicator--5914d588-3b68-4a26-ae07-4ff502de0b81", "indicator--5914d589-60bc-41e5-af33-4fab02de0b81", "indicator--5914d589-0400-40c5-92d1-4f7f02de0b81", "indicator--5914d589-8384-45d7-a9eb-410202de0b81", "indicator--5914d58a-d060-434d-a301-4f8102de0b81", "indicator--5914d58a-b490-4cf6-8df6-4dff02de0b81", "indicator--5914d58b-dc10-45db-976b-407802de0b81", "indicator--5914d58b-574c-437b-8344-4cd502de0b81", "indicator--5914d58c-f090-4ecd-8593-4b1902de0b81", "indicator--5914d58c-fdf0-4381-b0b7-4eb302de0b81", "indicator--5914d58c-fd6c-4391-8552-419d02de0b81", "indicator--5914d58d-adec-4f78-82c7-479702de0b81", "indicator--5914d58d-4d08-4b71-b2bc-4d5c02de0b81", "indicator--5914d58e-db80-4f91-aeab-4b0602de0b81", "indicator--5914d58e-4210-4202-93fb-45fb02de0b81", "indicator--5914d58e-b32c-468a-99f4-410702de0b81", "indicator--5914d58f-779c-4344-ad97-418902de0b81", "indicator--5914d58f-6318-4747-a418-427e02de0b81", "indicator--5914d590-104c-4ab4-8da7-427302de0b81", "indicator--5914d590-de60-4d48-b3fd-445d02de0b81", "indicator--5914d591-8b94-4357-83ab-485e02de0b81", "indicator--5914d591-9058-4a45-93f7-46d502de0b81", "indicator--5914d591-c330-45b1-93a6-46d002de0b81", "indicator--5914d592-e8c8-4690-9d30-45d602de0b81", "indicator--5914d592-2230-4218-aa79-490202de0b81", 
"indicator--5914d593-686c-4c4a-92b9-4cc102de0b81", "indicator--5914d593-9c64-4909-a1d3-4ada02de0b81", "indicator--5914d593-4c1c-4454-839c-4ff902de0b81", "indicator--5914d594-52a8-46af-81b9-4d1c02de0b81", "indicator--5914d594-73d0-48a4-8f50-456d02de0b81", "indicator--5914d595-9984-4a66-b30e-4fe302de0b81", "indicator--5914d621-1370-41f7-967f-72cf02de0b81", "indicator--5914d63d-1eec-4494-9417-4dcd02de0b81", "indicator--5914d66b-ae6c-4a6f-9eca-bd4d02de0b81", "indicator--5914d67d-df8c-45d9-a5c0-036002de0b81", "indicator--5914d6f4-8b50-415c-b27f-bd5202de0b81", "indicator--5914d6f4-8920-47ad-bf86-bd5202de0b81", "observed-data--5914d6f5-a588-4e95-8b90-bd5202de0b81", "url--5914d6f5-a588-4e95-8b90-bd5202de0b81", "indicator--5914d6f5-d7d4-49b6-b8a9-bd5202de0b81", "indicator--5914d6f6-2a24-45f2-894d-bd5202de0b81", "observed-data--5914d6f6-c878-40f5-a8c3-bd5202de0b81", "url--5914d6f6-c878-40f5-a8c3-bd5202de0b81", "indicator--5914d6f7-7f44-4ed8-bff5-bd5202de0b81", "indicator--5914d6f7-b808-4379-b681-bd5202de0b81", "observed-data--5914d6f7-0e70-4c6d-98b7-bd5202de0b81", "url--5914d6f7-0e70-4c6d-98b7-bd5202de0b81", "indicator--5914d6f8-671c-4448-9d4a-bd5202de0b81", "indicator--5914d6f8-1608-45da-8ca6-bd5202de0b81", "observed-data--5914d6f9-eeb8-409d-8da3-bd5202de0b81", "url--5914d6f9-eeb8-409d-8da3-bd5202de0b81", "indicator--5914d6f9-e478-450e-a89d-bd5202de0b81", "indicator--5914d6fa-6ae0-4c82-be1d-bd5202de0b81", "observed-data--5914d6fa-7a2c-4dfd-bfdd-bd5202de0b81", "url--5914d6fa-7a2c-4dfd-bfdd-bd5202de0b81", "indicator--5914d6fa-9f80-485b-892a-bd5202de0b81", "indicator--5914d6fb-c920-44b7-ab23-bd5202de0b81", "observed-data--5914d6fb-cf74-4308-92ac-bd5202de0b81", "url--5914d6fb-cf74-4308-92ac-bd5202de0b81", "indicator--5914d6fc-3470-4ec7-abd1-bd5202de0b81", "indicator--5914d6fc-06d0-4eec-b1e4-bd5202de0b81", "observed-data--5914d6fd-55e0-44a0-a353-bd5202de0b81", "url--5914d6fd-55e0-44a0-a353-bd5202de0b81", "indicator--5914d6fd-6060-470a-970a-bd5202de0b81", 
"indicator--5914d6fd-c358-492e-92b5-bd5202de0b81", "observed-data--5914d6fe-c7c4-4a8a-8822-bd5202de0b81", "url--5914d6fe-c7c4-4a8a-8822-bd5202de0b81", "indicator--5914d6fe-50d4-409c-9869-bd5202de0b81", "indicator--5914d6ff-1d0c-4d6c-8c49-bd5202de0b81", "observed-data--5914d6ff-6624-488e-a754-bd5202de0b81", "url--5914d6ff-6624-488e-a754-bd5202de0b81", "indicator--5914d6ff-775c-459c-bd07-bd5202de0b81", "indicator--5914d700-39a0-488e-aac5-bd5202de0b81", "observed-data--5914d700-1bac-431e-8e13-bd5202de0b81", "url--5914d700-1bac-431e-8e13-bd5202de0b81", "indicator--5914d701-394c-43c1-bbdf-bd5202de0b81", "indicator--5914d701-17ec-43a8-879d-bd5202de0b81", "observed-data--5914d702-27c4-4197-8c8d-bd5202de0b81", "url--5914d702-27c4-4197-8c8d-bd5202de0b81", "indicator--5914d702-bde4-4e65-9530-bd5202de0b81", "indicator--5914d702-7694-4eeb-bea3-bd5202de0b81", "observed-data--5914d703-a440-4c80-b0bd-bd5202de0b81", "url--5914d703-a440-4c80-b0bd-bd5202de0b81", "indicator--5914d703-ea54-486e-a310-bd5202de0b81", "indicator--5914d704-0428-49b9-b1fa-bd5202de0b81", "observed-data--5914d704-e410-4a5f-9948-bd5202de0b81", "url--5914d704-e410-4a5f-9948-bd5202de0b81", "indicator--5914d705-6390-44c8-87d4-bd5202de0b81", "indicator--5914d705-2c98-47bd-825d-bd5202de0b81", "observed-data--5914d705-ee9c-4f5b-bb47-bd5202de0b81", "url--5914d705-ee9c-4f5b-bb47-bd5202de0b81", "indicator--5914d706-2288-4dcf-875c-bd5202de0b81", "indicator--5914d706-e360-43eb-bf77-bd5202de0b81", "observed-data--5914d707-8ec8-4457-b2e0-bd5202de0b81", "url--5914d707-8ec8-4457-b2e0-bd5202de0b81", "indicator--5914d707-897c-4c13-a91b-bd5202de0b81", "indicator--5914d708-8ce4-4d8e-ae61-bd5202de0b81", "observed-data--5914d708-3050-4d5c-b61a-bd5202de0b81", "url--5914d708-3050-4d5c-b61a-bd5202de0b81", "indicator--5914d709-04ac-455b-9231-bd5202de0b81", "indicator--5914d709-1ae4-45a8-88ad-bd5202de0b81", "observed-data--5914d70a-0350-4e7f-a9a2-bd5202de0b81", "url--5914d70a-0350-4e7f-a9a2-bd5202de0b81", 
"indicator--5914d70a-2510-4831-a5da-bd5202de0b81", "indicator--5914d70a-9d38-47f9-9d5e-bd5202de0b81", "observed-data--5914d70b-4118-4ab1-aba2-bd5202de0b81", "url--5914d70b-4118-4ab1-aba2-bd5202de0b81", "indicator--5914d70b-235c-4e24-8860-bd5202de0b81", "indicator--5914d70c-3648-412e-bd3f-bd5202de0b81", "observed-data--5914d70c-56d8-42ad-9f95-bd5202de0b81", "url--5914d70c-56d8-42ad-9f95-bd5202de0b81", "indicator--5914d70d-8608-47eb-a0b2-bd5202de0b81", "indicator--5914d70d-232c-4da9-b7f5-bd5202de0b81", "observed-data--5914d70d-a518-4a90-9567-bd5202de0b81", "url--5914d70d-a518-4a90-9567-bd5202de0b81", "indicator--5914d70e-8644-4247-b786-bd5202de0b81", "indicator--5914d70e-3600-447a-8be8-bd5202de0b81", "observed-data--5914d70f-a4cc-4b55-993f-bd5202de0b81", "url--5914d70f-a4cc-4b55-993f-bd5202de0b81", "indicator--5914d70f-60f8-4009-bb93-bd5202de0b81", "indicator--5914d710-6ccc-4856-b704-bd5202de0b81", "observed-data--5914d710-7d74-4339-9d71-bd5202de0b81", "url--5914d710-7d74-4339-9d71-bd5202de0b81", "indicator--5914d711-71c0-49f6-8684-bd5202de0b81", "indicator--5914d711-319c-4e11-9889-bd5202de0b81", "observed-data--5914d711-d858-40dc-b3e7-bd5202de0b81", "url--5914d711-d858-40dc-b3e7-bd5202de0b81", "indicator--5914d712-2bf4-4380-a86e-bd5202de0b81", "indicator--5914d712-259c-4529-b6b3-bd5202de0b81", "observed-data--5914d713-d434-4618-8a0a-bd5202de0b81", "url--5914d713-d434-4618-8a0a-bd5202de0b81", "indicator--5914d713-9aec-4fff-b7b7-bd5202de0b81", "indicator--5914d714-2308-467e-a4fb-bd5202de0b81", "observed-data--5914d714-7fb0-4326-b374-bd5202de0b81", "url--5914d714-7fb0-4326-b374-bd5202de0b81", "indicator--5914d714-c9e0-43df-b0da-bd5202de0b81", "indicator--5914d715-8238-40e6-ba71-bd5202de0b81", "observed-data--5914d715-5514-4718-9a46-bd5202de0b81", "url--5914d715-5514-4718-9a46-bd5202de0b81", "indicator--5914d716-be24-4b37-8ee6-bd5202de0b81", "indicator--5914d716-15a8-45e6-ba4b-bd5202de0b81", "observed-data--5914d717-1740-406b-bc67-bd5202de0b81", 
"url--5914d717-1740-406b-bc67-bd5202de0b81", "indicator--5914d717-e820-4486-a237-bd5202de0b81", "indicator--5914d717-1274-4805-ab55-bd5202de0b81", "observed-data--5914d718-bde8-4499-a25e-bd5202de0b81", "url--5914d718-bde8-4499-a25e-bd5202de0b81", "indicator--5914d718-4ac4-4f0d-8e43-bd5202de0b81", "indicator--5914d719-0790-4566-a7fb-bd5202de0b81", "observed-data--5914d719-1ce0-4496-bdae-bd5202de0b81", "url--5914d719-1ce0-4496-bdae-bd5202de0b81", "indicator--5914d719-597c-41aa-ad6c-bd5202de0b81", "indicator--5914d71a-31ac-4411-a773-bd5202de0b81", "observed-data--5914d71a-79dc-4e3e-9c28-bd5202de0b81", "url--5914d71a-79dc-4e3e-9c28-bd5202de0b81", "indicator--5914d71b-1af0-4d3f-8b7d-bd5202de0b81", "indicator--5914d71b-2afc-48ec-807d-bd5202de0b81", "observed-data--5914d71b-849c-4153-b251-bd5202de0b81", "url--5914d71b-849c-4153-b251-bd5202de0b81", "indicator--5914d71c-de4c-4b43-b884-bd5202de0b81", "indicator--5914d71c-8838-42f5-b070-bd5202de0b81", "observed-data--5914d71d-03f8-4260-a77e-bd5202de0b81", "url--5914d71d-03f8-4260-a77e-bd5202de0b81", "indicator--5914d71d-1eb4-488e-9132-bd5202de0b81", "indicator--5914d71d-3460-43e0-afba-bd5202de0b81", "observed-data--5914d71e-6524-458e-a25e-bd5202de0b81", "url--5914d71e-6524-458e-a25e-bd5202de0b81", "indicator--5914d71e-12fc-4141-af5a-bd5202de0b81", "indicator--5914d71f-be38-4b47-ba1b-bd5202de0b81", "observed-data--5914d71f-2478-41ee-8455-bd5202de0b81", "url--5914d71f-2478-41ee-8455-bd5202de0b81", "indicator--5914d720-3d1c-47fb-88e1-bd5202de0b81", "indicator--5914d720-a290-491c-a2e2-bd5202de0b81", "observed-data--5914d720-d2f4-41bc-81aa-bd5202de0b81", "url--5914d720-d2f4-41bc-81aa-bd5202de0b81", "indicator--5914d721-1930-4653-930c-bd5202de0b81", "indicator--5914d721-4f18-4c5d-88ae-bd5202de0b81", "observed-data--5914d722-cb90-4dca-b321-bd5202de0b81", "url--5914d722-cb90-4dca-b321-bd5202de0b81", "indicator--5914d722-2aa0-4c90-a7b8-bd5202de0b81", "indicator--5914d722-1100-45eb-b6e8-bd5202de0b81", 
"observed-data--5914d723-ea94-41bc-ab8e-bd5202de0b81", "url--5914d723-ea94-41bc-ab8e-bd5202de0b81", "indicator--5914d723-4c20-4a8f-9c95-bd5202de0b81", "indicator--5914d724-aebc-4e10-b56c-bd5202de0b81", "observed-data--5914d724-99dc-43a6-8907-bd5202de0b81", "url--5914d724-99dc-43a6-8907-bd5202de0b81", "indicator--5914d725-b974-4527-9fc8-bd5202de0b81", "indicator--5914d725-d760-4149-9268-bd5202de0b81", "observed-data--5914d725-f864-4b01-abb9-bd5202de0b81", "url--5914d725-f864-4b01-abb9-bd5202de0b81", "indicator--5914d726-cf9c-4cf0-a83a-bd5202de0b81", "indicator--5914d726-a808-4488-bca6-bd5202de0b81", "observed-data--5914d727-3b38-47e8-9804-bd5202de0b81", "url--5914d727-3b38-47e8-9804-bd5202de0b81", "indicator--5914d727-49ac-479d-8967-bd5202de0b81", "indicator--5914d728-82dc-49d7-8660-bd5202de0b81", "observed-data--5914d728-4d8c-49f8-bf7b-bd5202de0b81", "url--5914d728-4d8c-49f8-bf7b-bd5202de0b81", "indicator--5914d729-962c-4b58-aabd-bd5202de0b81", "indicator--5914d729-f348-4170-9f2b-bd5202de0b81", "observed-data--5914d729-ad44-49e0-a4cc-bd5202de0b81", "url--5914d729-ad44-49e0-a4cc-bd5202de0b81", "indicator--5914d72a-435c-4828-b040-bd5202de0b81", "indicator--5914d72a-f9c4-4932-b586-bd5202de0b81", "observed-data--5914d72b-beec-4e8d-9f3e-bd5202de0b81", "url--5914d72b-beec-4e8d-9f3e-bd5202de0b81", "indicator--5914d72b-4a68-437c-a08c-bd5202de0b81", "indicator--5914d72b-5cd8-44e1-86c3-bd5202de0b81", "observed-data--5914d72c-52c8-4338-974f-bd5202de0b81", "url--5914d72c-52c8-4338-974f-bd5202de0b81", "indicator--5914d72c-71ac-4eb0-8a16-bd5202de0b81", "indicator--5914d72d-2438-4214-9e39-bd5202de0b81", "observed-data--5914d72d-b098-49e8-a1a9-bd5202de0b81", "url--5914d72d-b098-49e8-a1a9-bd5202de0b81", "indicator--5914d72e-e314-4f3e-9e65-bd5202de0b81", "indicator--5914d72e-f51c-4a94-9fdc-bd5202de0b81", "observed-data--5914d72e-4e04-4b26-a25f-bd5202de0b81", "url--5914d72e-4e04-4b26-a25f-bd5202de0b81", "indicator--5914d72f-cd24-4f80-9ed8-bd5202de0b81", 
"indicator--5914d72f-7d44-46b3-87b6-bd5202de0b81", "observed-data--5914d730-376c-4c98-8ae4-bd5202de0b81", "url--5914d730-376c-4c98-8ae4-bd5202de0b81", "indicator--5914d730-d0c4-42bc-9823-bd5202de0b81", "indicator--5914d731-e188-4a2f-855d-bd5202de0b81", "observed-data--5914d731-adb0-4639-8ccf-bd5202de0b81", "url--5914d731-adb0-4639-8ccf-bd5202de0b81", "indicator--5914d731-4a6c-4194-b69f-bd5202de0b81", "indicator--5914d732-17d8-4e57-86a1-bd5202de0b81", "observed-data--5914d732-3fd0-4c49-8d0e-bd5202de0b81", "url--5914d732-3fd0-4c49-8d0e-bd5202de0b81", "indicator--5914d733-5310-4060-84ac-bd5202de0b81", "indicator--5914d733-2b6c-442a-8528-bd5202de0b81", "observed-data--5914d734-af84-411c-b7f4-bd5202de0b81", "url--5914d734-af84-411c-b7f4-bd5202de0b81", "indicator--5914d734-8188-4c62-860c-bd5202de0b81", "indicator--5914d734-77c4-4858-8c1e-bd5202de0b81", "observed-data--5914d735-82e8-44c9-a524-bd5202de0b81", "url--5914d735-82e8-44c9-a524-bd5202de0b81", "indicator--5914d735-79f4-4841-b88e-bd5202de0b81", "indicator--5914d736-57e4-4328-b0b1-bd5202de0b81", "observed-data--5914d736-fa10-40a3-b43b-bd5202de0b81", "url--5914d736-fa10-40a3-b43b-bd5202de0b81", "indicator--5914d737-5c50-4c1b-abba-bd5202de0b81", "indicator--5914d737-c2c4-48c4-95ba-bd5202de0b81", "observed-data--5914d737-2328-4c13-b6d2-bd5202de0b81", "url--5914d737-2328-4c13-b6d2-bd5202de0b81", "indicator--5914d738-e334-45ac-97e6-bd5202de0b81", "indicator--5914d738-443c-4f94-b270-bd5202de0b81", "observed-data--5914d739-04fc-4966-a81e-bd5202de0b81", "url--5914d739-04fc-4966-a81e-bd5202de0b81", "indicator--5914d739-5d9c-464f-8e6d-bd5202de0b81", "indicator--5914d739-ed2c-44dd-a08f-bd5202de0b81", "observed-data--5914d73a-bc30-4837-b899-bd5202de0b81", "url--5914d73a-bc30-4837-b899-bd5202de0b81", "indicator--5914d73a-1a1c-4611-b2ff-bd5202de0b81", "indicator--5914d73b-0d28-49f0-b70f-bd5202de0b81", "observed-data--5914d73b-f258-44a7-982e-bd5202de0b81", "url--5914d73b-f258-44a7-982e-bd5202de0b81", 
"indicator--5914d73b-3188-4472-a5f2-bd5202de0b81", "indicator--5914d73c-ac38-4749-952f-bd5202de0b81", "observed-data--5914d73c-6dc4-4b59-8b00-bd5202de0b81", "url--5914d73c-6dc4-4b59-8b00-bd5202de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:ransomware=\"Nemucod\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d415-329c-4958-9962-4dc802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "first_observed": "2017-05-11T21:25:41Z", "last_observed": "2017-05-11T21:25:41Z", "number_observed": 1, "object_refs": [ "url--5914d415-329c-4958-9962-4dc802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"", "admiralty-scale:source-reliability=\"b\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d415-329c-4958-9962-4dc802de0b81", "value": "http://researchcenter.paloaltonetworks.com/2017/05/unit42-practice-makes-perfect-nemucod-evolves-delivery-obfuscation-techniques-harvest-credentials/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5914d424-5778-49b4-9330-bd4b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"", "admiralty-scale:source-reliability=\"b\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Recently the Unit 42 research team have been investigating a wave of Nemucod downloader malware that uses weaponized documents to deploy encoded, and heavily obfuscated JavaScript, ultimately leading to further payloads being delivered to the victim. 
From a single instance of the encoded JavaScript discovered in one version of this malware, we pivoted on the Command and Control (C2) IPv4 address discovered during static analysis and deobfuscation and, using our Threat Intelligence Service AutoFocus, unearthed many more versions of the malware and found that the versions seen to date were delivering a credential-stealing Trojan as the final payload.\r\n\r\nIn our recently published Unit 42 white paper Credential-Based Attacks we describe the importance of credentials to attackers, how they are stolen using techniques including malspam phishing as per this Nemucod campaign that delivers a credential-stealing Trojan, as well as how the stolen credentials are used by the attackers to masquerade as legitimate users.\r\n\r\nOver the past five months we have tracked this campaign of Nemucod malware in various industry sectors across multiple countries with Europe amassing the highest number of attacks, followed by the United States of America and then Japan." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d455-8f08-4b21-b4e9-4dc802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "PE Password Stealer Hashes", "pattern": "[file:hashes.SHA256 = '53edea186162d84803f8ff72fb83c85f427b3813c32bd9d9d899e74ae283368e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d4a9-bbd4-4517-8e68-72d202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "PE Password Stealer 
Hashes", "pattern": "[file:hashes.SHA256 = '53edea186162d84803f8ff72fb83c85f427b3813c32bd9d9d899e74ae283368e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d4aa-dbfc-40cc-ac99-72d202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "PE Password Stealer Hashes", "pattern": "[file:hashes.SHA256 = '76b703c9430abf4e0ba09e6d4e4d6cf94a251bb0e7f3fadbd169fcef954a8b39']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d4aa-efec-40f0-b40a-72d202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "PE Password Stealer Hashes", "pattern": "[file:hashes.SHA256 = '99c50b658c632214f0b133f8742a5e6d2d34e47497d7a08ed2d80e4299be3502']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d526-864c-4513-99fd-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", 
"modified": "2017-05-11T21:25:41.000Z", "description": "PE Dropper Hashes", "pattern": "[file:hashes.SHA256 = '1b64d1c93e53fa74d89c3362c30899644e9fef7f11292f40740b216bcbe03285']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d526-1994-452e-b427-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "PE Dropper Hashes", "pattern": "[file:hashes.SHA256 = '1db89009b678ba4517fc7490b9a7f597b838939499365374eba32347393fdd4e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d526-f61c-4243-8ce4-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "PE Dropper Hashes", "pattern": "[file:hashes.SHA256 = '85d56628f7ec277a5f49a801ef4793072edd56d9c26b0bdb9b3dc348366c734a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d527-7e6c-4f06-ab37-bd5202de0b81", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "PE Dropper Hashes", "pattern": "[file:hashes.SHA256 = 'b75b3ff65632b65d1d641075bd2f5ed0ede93da3a35d7f50068b9371ee5c4552']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d527-a68c-4d95-9412-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "PE Dropper Hashes", "pattern": "[file:hashes.SHA256 = 'ffc5e46200f16549f17d2d6e4d6e5e61239b711cd07fbf7932c31e2ea18a7865']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d57d-2774-4bbf-9a9f-42db02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '0a59bc35fe7bd84c955402aba2ad3883a5cdb08deb353c8f6310a163109f0c60']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--5914d57e-3c5c-4788-93fc-426102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = 'fee6b19ff8a39e83756345af421d3d85d20e67df62ac58bc05f514c368efc329']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d57e-3b7c-40db-a0b0-4fd202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '8e9af7d90193bddc89d1c3782477bde76f90707eb1900537c020fc02970bbd74']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d57e-6480-4725-86fc-499a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = 'c173085b954ff1055fb859e6584a9e0bb3919740752351ad50706c0b7be37b51']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] 
}, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d57f-d788-4a76-b8e6-456e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '1faa27f82bcbad0acc444727e7be35147e5a2ee92757781e5f26db614d3cee7f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d57f-c238-4d14-8d6a-42b802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '6ebd2955fb137b5c983bbfb7601ea49ceb1f66119d13ce850c12d89e8c6a3742']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d580-c40c-4d8e-9760-40ad02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '777560483cb903ba803bfdbbd1f37353706da3a265e32da44fffb3ec7fcf07a2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", 
"misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d580-8204-4faf-ba34-4f1602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '7df6bd0af983f87dc34a71d009a3bd3bd272e094c6c55bf765148d836129e10c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d581-9200-432b-a820-4ce502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = 'd58cfd2d851b9c98f9de79d38944d72eddec1e2243f1065de7d8b1ed1bf1cddd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d581-a2a0-4f54-8392-41ce02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '4916bc8dc91941a444d3aa41616eaebe8c3d4b095a0c566945b85c143ae532c1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": 
"Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d581-4820-4169-a8f4-437b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = 'de5ac4aedaca5649758bf34c87fd59967c2adeaaa0be65a58b9c8e9f6a8660f1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d582-2594-4238-8bdb-448902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '368304125ffd86a234aeb8c05a90b7ee40b37dae1dea7178deeda522eac9dcbc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d582-bfa0-4849-8bf7-497c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '1384934c09f6551d19150bfcf8ae954f4969d0b9ff841c93f81ebb57eecc9a71']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", 
"kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d583-d0b4-4626-9e72-414702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = 'f89edff923d1d2daf6b2ab36595e873ed7d1cd52c2f6b66b590fa636c17dced2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d583-3254-4d2b-bf0e-4b9d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = 'b1d5bfb124a15ab9068cf413de430a1c2cbd7b2bf67a766cf971269c67c3eace']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d584-11d4-40c1-aad9-406a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '256078f83cf9535c72debffa3d34818789849131e9138589728b4085e2ae2169']", "pattern_type": "stix", 
"pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d584-c42c-47dd-8c95-4f3f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = 'd3683a4fe910d5815541beb2c42b98827a1f6362073b9901a74c36e15072c1a2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d584-261c-43dd-9abe-48c402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = 'cfe56d178ff873a5d984220c96570144a6674ce1b675036566a93ff6d680a981']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d585-8390-4ca3-8191-41bd02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = 
'069a4abb186efb6c3b6733cb2f35151d03eefe40cfb626d3c42aaa5f7ef342c6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d585-80b0-40ea-b72e-4de202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '97ea044a5820f9271c21bd8f1bb381099fb188a7d9f54ac72a88bf41411cf1b3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d586-9c6c-404b-afe0-483102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '5b331693bc7ad009db3905fd37edfa94c528b6c4eee024f7a35dcc9b6b8a9c26']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d586-a3f4-4928-9038-4f8702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": 
"Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '7e62823f8a775674b6333ff535e93a9fc0bdcfd943c903fe85e614b34d692549']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d587-1464-4c29-b93a-4e6602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = 'a85b040e923e45a3e139576c2086a8f1671b1c60053274d850218ffa422f80e6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d587-f118-4be8-99cb-494102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '1c95a2a32b639008245a205f51aa7fbafc0b61ecc6879f9978be174feee516f4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d587-9014-413b-931a-487702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", 
"modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '9e9e7ade1def82a56898415c079bd3f861c143f9db6770a28592bbbe04d5f234']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d588-89b0-4928-a78a-427c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '40fd876c5d7f859484a8d3a021ce3c5eeba23deb8574f4b598aeaa6a0ded7815']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d588-3b68-4a26-ae07-4ff502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '92c82d7ea7b89f02c5b8e7d93d2a4ad17fbc0688ff9ad881cc185c18ea466232']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d589-60bc-41e5-af33-4fab02de0b81", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = 'ae3bb85b87d40a12e82b2545fd4c9087b3e847a744a27c1ac215dd38821ced87']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d589-0400-40c5-92d1-4f7f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = 'c600c7638474fb31664ab32fb9aad5c216096b2c68d93c9eb37cf0476868cf05']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d589-8384-45d7-a9eb-410202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '8451cf3f5e5e2576f2ad36a4f19998e5824c2ab185f40ddec460a81ab1a8525a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--5914d58a-d060-434d-a301-4f8102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '34e5104bea2728cf9107b4ede124daee8ac68ad0979c66c356ddf3a0e6d0f4c6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d58a-b490-4cf6-8df6-4dff02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '7b48b21b10990cd53bb8969930b9f0b39cc495e95a33c38f80024a21a72b0176']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d58b-dc10-45db-976b-407802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = 'dcf3c00a20af527869771a7834565fb938739e3abf84038e2376b23a14926a38']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] 
}, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d58b-574c-437b-8344-4cd502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = 'd8e62ce3039921c11872319a09acc61038f2452a6a2fdb8c0d3a0848b56b26ff']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d58c-f090-4ecd-8593-4b1902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '50ab7834e98c2f40d7441006a0221c07bff5f9f694999b595daa29b37c9a5e12']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d58c-fdf0-4381-b0b7-4eb302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = 'b4d3c369449ead7ced48f84b9ea29cb4dbc6f485958e813b102c1d32ce62d3e8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", 
"misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d58c-fd6c-4391-8552-419d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = 'a02ed37812ac37d44979d5131aa10927fb9b9bd09aae2b470e65532bc694b27c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d58d-adec-4f78-82c7-479702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '61bcd9b0c11989d6049fd181786f1748116c128bd4768d1b6849805186190320']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d58d-4d08-4b71-b2bc-4d5c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '6edbbc7f02179211c5b8da74a770492e25b31be683468629a073f313f25ec8b6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": 
"Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d58e-db80-4f91-aeab-4b0602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '985d44dfeaf83c2c39c331e4b07b19e8726fb0ec168223455476132fe8c32fc8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d58e-4210-4202-93fb-45fb02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '1a60afa5c3dcff0fc41179e6a3b71ea0a92e4b50192eaa4c8e2b16ea0c50a229']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d58e-b32c-468a-99f4-410702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '76edebe74e015e709abb662c4fa8a2db2f24c12d5b6c51822eef403bf3c3a304']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", 
"kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d58f-779c-4344-ad97-418902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '3fdcaf24d5c45d7a8dcf1b2932c026915a982de19b52a8f346ca312c58d36f05']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d58f-6318-4747-a418-427e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '561343438f0c26fa7628a91584628a5bd62c3abe1c0cf890b9fdb0528adbde62']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d590-104c-4ab4-8da7-427302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '7f53abc951258d5663119f3ac383b8f84da5acbf0bb9063e5e113ca87b1843ae']", "pattern_type": "stix", 
"pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d590-de60-4d48-b3fd-445d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '7c552166089ebf45081a5d14bef331e3153a5de50c53b66211b044a08f46153c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d591-8b94-4357-83ab-485e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '432a220ca1e6c64546f21807e17521c243cce2a63d956d0c0cf21a1101835829']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d591-9058-4a45-93f7-46d502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = 
'297665276699830549c83ae79cd2c48e23733e9569be8040ee38d08a4d99192e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d591-c330-45b1-93a6-46d002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '5e54c865afbd42f5a7b4007840e3099d8e1882c58542d08263ffc23fe994ef9b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d592-e8c8-4690-9d30-45d602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '8aa5a12bb237f93fc0c3f150a41fcc60e86007b1000c2b133457b2be27dfad4e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d592-2230-4218-aa79-490202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": 
"Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '8e7f77a61a1e710e368257a37fe6785f9b608bb068e5c40824623d299997dbf0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d593-686c-4c4a-92b9-4cc102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '379615acf199bb0beaee736824067b83dcbb2ae60eb648576c81d4971330dd16']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d593-9c64-4909-a1d3-4ada02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = 'ad94f396f739d4df07f188b9babee829d07da01c986f4795a098d66137c7149c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d593-4c1c-4454-839c-4ff902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", 
"modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = 'ff7fa949a99d745143d41eeb6b450dca3d95a38031e304b1e829c5bda2ce5213']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d594-52a8-46af-81b9-4d1c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '034421d601d43883528d68741c87e765d76ff4123161d364f6eddfae1f3c7493']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d594-73d0-48a4-8f50-456d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = 'e86c5f4fbcd626e1ec4c211ae1ed0d541fc453e6753e84a724f534c0b9700029']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d595-9984-4a66-b30e-4fe302de0b81", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "Document Dropper Hashes", "pattern": "[file:hashes.SHA256 = '8b96d5316accd7d2ee0af01a4ae2766b7173d7705b3eef14d9dcb10cd34238ed']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d621-1370-41f7-967f-72cf02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "pattern": "[url:value = 'https://185.159.82.11:3333/P/tipster.php?']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d63d-1eec-4494-9417-4dcd02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "description": "The malware makes calls to the InternetOpenA, InternetConnectA and HttpOpenRequest functions from the Wininet.dll library to prepare the HTTP POST request to the following URL where the contents of goga.txt will be sent.", "pattern": "[url:value = 'http://185.159.82.11/re/b.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", 
"misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d66b-ae6c-4a6f-9eca-bd4d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.130.104.156']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d67d-df8c-45d9-a5c0-036002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:25:41.000Z", "modified": "2017-05-11T21:25:41.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.130.104.178']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:25:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d6f4-8b50-415c-b27f-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:12.000Z", "modified": "2017-05-11T21:26:12.000Z", "description": "Document Dropper Hashes - Xchecked via VT: e86c5f4fbcd626e1ec4c211ae1ed0d541fc453e6753e84a724f534c0b9700029", "pattern": "[file:hashes.SHA1 = '768c400bbae202897ab30a7b719221d2b050dfd0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ 
"misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d6f4-8920-47ad-bf86-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:12.000Z", "modified": "2017-05-11T21:26:12.000Z", "description": "Document Dropper Hashes - Xchecked via VT: e86c5f4fbcd626e1ec4c211ae1ed0d541fc453e6753e84a724f534c0b9700029", "pattern": "[file:hashes.MD5 = '9a248adafdc4bc2da6d54e5915c3bdba']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d6f5-a588-4e95-8b90-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:13.000Z", "modified": "2017-05-11T21:26:13.000Z", "first_observed": "2017-05-11T21:26:13Z", "last_observed": "2017-05-11T21:26:13Z", "number_observed": 1, "object_refs": [ "url--5914d6f5-a588-4e95-8b90-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d6f5-a588-4e95-8b90-bd5202de0b81", "value": "https://www.virustotal.com/file/e86c5f4fbcd626e1ec4c211ae1ed0d541fc453e6753e84a724f534c0b9700029/analysis/1491959994/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d6f5-d7d4-49b6-b8a9-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:13.000Z", "modified": "2017-05-11T21:26:13.000Z", "description": "Document Dropper Hashes - Xchecked via VT: ff7fa949a99d745143d41eeb6b450dca3d95a38031e304b1e829c5bda2ce5213", "pattern": "[file:hashes.SHA1 = '0d568578ccf18fbd5b142947f314b0e065519ff2']", 
"pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d6f6-2a24-45f2-894d-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:14.000Z", "modified": "2017-05-11T21:26:14.000Z", "description": "Document Dropper Hashes - Xchecked via VT: ff7fa949a99d745143d41eeb6b450dca3d95a38031e304b1e829c5bda2ce5213", "pattern": "[file:hashes.MD5 = '360a3148ca32947b416c3413ebd03bf1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d6f6-c878-40f5-a8c3-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:14.000Z", "modified": "2017-05-11T21:26:14.000Z", "first_observed": "2017-05-11T21:26:14Z", "last_observed": "2017-05-11T21:26:14Z", "number_observed": 1, "object_refs": [ "url--5914d6f6-c878-40f5-a8c3-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d6f6-c878-40f5-a8c3-bd5202de0b81", "value": "https://www.virustotal.com/file/ff7fa949a99d745143d41eeb6b450dca3d95a38031e304b1e829c5bda2ce5213/analysis/1494535669/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d6f7-7f44-4ed8-bff5-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:15.000Z", "modified": "2017-05-11T21:26:15.000Z", 
"description": "Document Dropper Hashes - Xchecked via VT: 379615acf199bb0beaee736824067b83dcbb2ae60eb648576c81d4971330dd16", "pattern": "[file:hashes.SHA1 = '57560d1633e190c4dfd88e54ab66a477c9029345']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d6f7-b808-4379-b681-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:15.000Z", "modified": "2017-05-11T21:26:15.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 379615acf199bb0beaee736824067b83dcbb2ae60eb648576c81d4971330dd16", "pattern": "[file:hashes.MD5 = '5062cbae0617f186c8bcc67117f9e02b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d6f7-0e70-4c6d-98b7-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:15.000Z", "modified": "2017-05-11T21:26:15.000Z", "first_observed": "2017-05-11T21:26:15Z", "last_observed": "2017-05-11T21:26:15Z", "number_observed": 1, "object_refs": [ "url--5914d6f7-0e70-4c6d-98b7-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d6f7-0e70-4c6d-98b7-bd5202de0b81", "value": "https://www.virustotal.com/file/379615acf199bb0beaee736824067b83dcbb2ae60eb648576c81d4971330dd16/analysis/1494535668/" }, { "type": "indicator", "spec_version": "2.1", 
"id": "indicator--5914d6f8-671c-4448-9d4a-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:16.000Z", "modified": "2017-05-11T21:26:16.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 8e7f77a61a1e710e368257a37fe6785f9b608bb068e5c40824623d299997dbf0", "pattern": "[file:hashes.SHA1 = '54df4ac1be3be2c18c17837469801abed9761640']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d6f8-1608-45da-8ca6-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:16.000Z", "modified": "2017-05-11T21:26:16.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 8e7f77a61a1e710e368257a37fe6785f9b608bb068e5c40824623d299997dbf0", "pattern": "[file:hashes.MD5 = '4477a2fb9eb73dd51a7cbfe5244246ed']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d6f9-eeb8-409d-8da3-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:17.000Z", "modified": "2017-05-11T21:26:17.000Z", "first_observed": "2017-05-11T21:26:17Z", "last_observed": "2017-05-11T21:26:17Z", "number_observed": 1, "object_refs": [ "url--5914d6f9-eeb8-409d-8da3-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": 
"url--5914d6f9-eeb8-409d-8da3-bd5202de0b81", "value": "https://www.virustotal.com/file/8e7f77a61a1e710e368257a37fe6785f9b608bb068e5c40824623d299997dbf0/analysis/1494535668/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d6f9-e478-450e-a89d-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:17.000Z", "modified": "2017-05-11T21:26:17.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 8aa5a12bb237f93fc0c3f150a41fcc60e86007b1000c2b133457b2be27dfad4e", "pattern": "[file:hashes.SHA1 = 'c1a36776a38c0f61cb4b79850edc9d4fb07c8d13']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d6fa-6ae0-4c82-be1d-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:18.000Z", "modified": "2017-05-11T21:26:18.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 8aa5a12bb237f93fc0c3f150a41fcc60e86007b1000c2b133457b2be27dfad4e", "pattern": "[file:hashes.MD5 = 'ae6da22f910967764c5f6a17061ee335']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d6fa-7a2c-4dfd-bfdd-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:18.000Z", "modified": "2017-05-11T21:26:18.000Z", "first_observed": "2017-05-11T21:26:18Z", "last_observed": "2017-05-11T21:26:18Z", 
"number_observed": 1, "object_refs": [ "url--5914d6fa-7a2c-4dfd-bfdd-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d6fa-7a2c-4dfd-bfdd-bd5202de0b81", "value": "https://www.virustotal.com/file/8aa5a12bb237f93fc0c3f150a41fcc60e86007b1000c2b133457b2be27dfad4e/analysis/1494535668/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d6fa-9f80-485b-892a-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:18.000Z", "modified": "2017-05-11T21:26:18.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 5e54c865afbd42f5a7b4007840e3099d8e1882c58542d08263ffc23fe994ef9b", "pattern": "[file:hashes.SHA1 = '825f52b35f1ecb200770bc6300ade88cbc1cd11c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d6fb-c920-44b7-ab23-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:19.000Z", "modified": "2017-05-11T21:26:19.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 5e54c865afbd42f5a7b4007840e3099d8e1882c58542d08263ffc23fe994ef9b", "pattern": "[file:hashes.MD5 = '9af507f9ff13cb0ce82f50d9d9723683']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d6fb-cf74-4308-92ac-bd5202de0b81", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:19.000Z", "modified": "2017-05-11T21:26:19.000Z", "first_observed": "2017-05-11T21:26:19Z", "last_observed": "2017-05-11T21:26:19Z", "number_observed": 1, "object_refs": [ "url--5914d6fb-cf74-4308-92ac-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d6fb-cf74-4308-92ac-bd5202de0b81", "value": "https://www.virustotal.com/file/5e54c865afbd42f5a7b4007840e3099d8e1882c58542d08263ffc23fe994ef9b/analysis/1494535668/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d6fc-3470-4ec7-abd1-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:20.000Z", "modified": "2017-05-11T21:26:20.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 297665276699830549c83ae79cd2c48e23733e9569be8040ee38d08a4d99192e", "pattern": "[file:hashes.SHA1 = '64e8a824b6e34b2146ecf0b95aebce8ef46a3aed']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d6fc-06d0-4eec-b1e4-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:20.000Z", "modified": "2017-05-11T21:26:20.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 297665276699830549c83ae79cd2c48e23733e9569be8040ee38d08a4d99192e", "pattern": "[file:hashes.MD5 = 'c6713c98e69c29460ad686bb81a805d9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ 
"misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d6fd-55e0-44a0-a353-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:21.000Z", "modified": "2017-05-11T21:26:21.000Z", "first_observed": "2017-05-11T21:26:21Z", "last_observed": "2017-05-11T21:26:21Z", "number_observed": 1, "object_refs": [ "url--5914d6fd-55e0-44a0-a353-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d6fd-55e0-44a0-a353-bd5202de0b81", "value": "https://www.virustotal.com/file/297665276699830549c83ae79cd2c48e23733e9569be8040ee38d08a4d99192e/analysis/1494535668/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d6fd-6060-470a-970a-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:21.000Z", "modified": "2017-05-11T21:26:21.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 7f53abc951258d5663119f3ac383b8f84da5acbf0bb9063e5e113ca87b1843ae", "pattern": "[file:hashes.SHA1 = '6947f3e5ab4d4d2a3d4d11b6b63923c4ece81a1d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d6fd-c358-492e-92b5-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:21.000Z", "modified": "2017-05-11T21:26:21.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 7f53abc951258d5663119f3ac383b8f84da5acbf0bb9063e5e113ca87b1843ae", "pattern": "[file:hashes.MD5 = 'e627a6c83b46e79f5c10dee15bfc4e9d']", 
"pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d6fe-c7c4-4a8a-8822-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:22.000Z", "modified": "2017-05-11T21:26:22.000Z", "first_observed": "2017-05-11T21:26:22Z", "last_observed": "2017-05-11T21:26:22Z", "number_observed": 1, "object_refs": [ "url--5914d6fe-c7c4-4a8a-8822-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d6fe-c7c4-4a8a-8822-bd5202de0b81", "value": "https://www.virustotal.com/file/7f53abc951258d5663119f3ac383b8f84da5acbf0bb9063e5e113ca87b1843ae/analysis/1494535667/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d6fe-50d4-409c-9869-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:22.000Z", "modified": "2017-05-11T21:26:22.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 561343438f0c26fa7628a91584628a5bd62c3abe1c0cf890b9fdb0528adbde62", "pattern": "[file:hashes.SHA1 = 'a2b438dbe642ae8cf489098224b981ec1f12ea3c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d6ff-1d0c-4d6c-8c49-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:23.000Z", "modified": 
"2017-05-11T21:26:23.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 561343438f0c26fa7628a91584628a5bd62c3abe1c0cf890b9fdb0528adbde62", "pattern": "[file:hashes.MD5 = 'e4242a0b9ae10943dc0ce9638dbaa5ef']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d6ff-6624-488e-a754-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:23.000Z", "modified": "2017-05-11T21:26:23.000Z", "first_observed": "2017-05-11T21:26:23Z", "last_observed": "2017-05-11T21:26:23Z", "number_observed": 1, "object_refs": [ "url--5914d6ff-6624-488e-a754-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d6ff-6624-488e-a754-bd5202de0b81", "value": "https://www.virustotal.com/file/561343438f0c26fa7628a91584628a5bd62c3abe1c0cf890b9fdb0528adbde62/analysis/1494535667/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d6ff-775c-459c-bd07-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:23.000Z", "modified": "2017-05-11T21:26:23.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 3fdcaf24d5c45d7a8dcf1b2932c026915a982de19b52a8f346ca312c58d36f05", "pattern": "[file:hashes.SHA1 = '0573274f4a719171e1925f6d5bc106949fbc1673']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", 
"spec_version": "2.1", "id": "indicator--5914d700-39a0-488e-aac5-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:24.000Z", "modified": "2017-05-11T21:26:24.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 3fdcaf24d5c45d7a8dcf1b2932c026915a982de19b52a8f346ca312c58d36f05", "pattern": "[file:hashes.MD5 = '4cdd4ed57f51d63c4a248fd0cb5fbfb7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d700-1bac-431e-8e13-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:24.000Z", "modified": "2017-05-11T21:26:24.000Z", "first_observed": "2017-05-11T21:26:24Z", "last_observed": "2017-05-11T21:26:24Z", "number_observed": 1, "object_refs": [ "url--5914d700-1bac-431e-8e13-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d700-1bac-431e-8e13-bd5202de0b81", "value": "https://www.virustotal.com/file/3fdcaf24d5c45d7a8dcf1b2932c026915a982de19b52a8f346ca312c58d36f05/analysis/1494535667/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d701-394c-43c1-bbdf-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:25.000Z", "modified": "2017-05-11T21:26:25.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 76edebe74e015e709abb662c4fa8a2db2f24c12d5b6c51822eef403bf3c3a304", "pattern": "[file:hashes.SHA1 = 'e425b4cd6622c0e04468ad51341dd773ca412009']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:25Z", "kill_chain_phases": [ 
{ "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d701-17ec-43a8-879d-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:25.000Z", "modified": "2017-05-11T21:26:25.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 76edebe74e015e709abb662c4fa8a2db2f24c12d5b6c51822eef403bf3c3a304", "pattern": "[file:hashes.MD5 = '0745a4ee754b291ffdaaa1696e3e3420']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d702-27c4-4197-8c8d-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:26.000Z", "modified": "2017-05-11T21:26:26.000Z", "first_observed": "2017-05-11T21:26:26Z", "last_observed": "2017-05-11T21:26:26Z", "number_observed": 1, "object_refs": [ "url--5914d702-27c4-4197-8c8d-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d702-27c4-4197-8c8d-bd5202de0b81", "value": "https://www.virustotal.com/file/76edebe74e015e709abb662c4fa8a2db2f24c12d5b6c51822eef403bf3c3a304/analysis/1494507201/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d702-bde4-4e65-9530-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:26.000Z", "modified": "2017-05-11T21:26:26.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 
1a60afa5c3dcff0fc41179e6a3b71ea0a92e4b50192eaa4c8e2b16ea0c50a229", "pattern": "[file:hashes.SHA1 = 'a53d66339e5604e9510f79020af55591f1fb8931']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d702-7694-4eeb-bea3-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:26.000Z", "modified": "2017-05-11T21:26:26.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 1a60afa5c3dcff0fc41179e6a3b71ea0a92e4b50192eaa4c8e2b16ea0c50a229", "pattern": "[file:hashes.MD5 = 'c27b104e863fb80e7faa647fd85068f2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d703-a440-4c80-b0bd-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:27.000Z", "modified": "2017-05-11T21:26:27.000Z", "first_observed": "2017-05-11T21:26:27Z", "last_observed": "2017-05-11T21:26:27Z", "number_observed": 1, "object_refs": [ "url--5914d703-a440-4c80-b0bd-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d703-a440-4c80-b0bd-bd5202de0b81", "value": "https://www.virustotal.com/file/1a60afa5c3dcff0fc41179e6a3b71ea0a92e4b50192eaa4c8e2b16ea0c50a229/analysis/1494506994/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d703-ea54-486e-a310-bd5202de0b81", 
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:27.000Z", "modified": "2017-05-11T21:26:27.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 985d44dfeaf83c2c39c331e4b07b19e8726fb0ec168223455476132fe8c32fc8", "pattern": "[file:hashes.SHA1 = '6d062165da76ed4800695f02e0413620f80bb5d4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d704-0428-49b9-b1fa-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:28.000Z", "modified": "2017-05-11T21:26:28.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 985d44dfeaf83c2c39c331e4b07b19e8726fb0ec168223455476132fe8c32fc8", "pattern": "[file:hashes.MD5 = '1828963ed3b571bc6fa5f74900a88a88']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d704-e410-4a5f-9948-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:28.000Z", "modified": "2017-05-11T21:26:28.000Z", "first_observed": "2017-05-11T21:26:28Z", "last_observed": "2017-05-11T21:26:28Z", "number_observed": 1, "object_refs": [ "url--5914d704-e410-4a5f-9948-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d704-e410-4a5f-9948-bd5202de0b81", "value": 
"https://www.virustotal.com/file/985d44dfeaf83c2c39c331e4b07b19e8726fb0ec168223455476132fe8c32fc8/analysis/1494535666/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d705-6390-44c8-87d4-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:29.000Z", "modified": "2017-05-11T21:26:29.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 6edbbc7f02179211c5b8da74a770492e25b31be683468629a073f313f25ec8b6", "pattern": "[file:hashes.SHA1 = '81043253dcfb659e7692eff2ca283a7cc55d3d40']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d705-2c98-47bd-825d-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:29.000Z", "modified": "2017-05-11T21:26:29.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 6edbbc7f02179211c5b8da74a770492e25b31be683468629a073f313f25ec8b6", "pattern": "[file:hashes.MD5 = '7eb373f60779ffe72edb35249736de41']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d705-ee9c-4f5b-bb47-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:29.000Z", "modified": "2017-05-11T21:26:29.000Z", "first_observed": "2017-05-11T21:26:29Z", "last_observed": "2017-05-11T21:26:29Z", "number_observed": 1, "object_refs": [ 
"url--5914d705-ee9c-4f5b-bb47-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d705-ee9c-4f5b-bb47-bd5202de0b81", "value": "https://www.virustotal.com/file/6edbbc7f02179211c5b8da74a770492e25b31be683468629a073f313f25ec8b6/analysis/1494535666/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d706-2288-4dcf-875c-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:30.000Z", "modified": "2017-05-11T21:26:30.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 61bcd9b0c11989d6049fd181786f1748116c128bd4768d1b6849805186190320", "pattern": "[file:hashes.SHA1 = '8988ad47ed53f439747d5022f96f80ca8d7b4299']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d706-e360-43eb-bf77-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:30.000Z", "modified": "2017-05-11T21:26:30.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 61bcd9b0c11989d6049fd181786f1748116c128bd4768d1b6849805186190320", "pattern": "[file:hashes.MD5 = '4584e56bdc8e096a05a986c454d46333']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d707-8ec8-4457-b2e0-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", 
"created": "2017-05-11T21:26:31.000Z", "modified": "2017-05-11T21:26:31.000Z", "first_observed": "2017-05-11T21:26:31Z", "last_observed": "2017-05-11T21:26:31Z", "number_observed": 1, "object_refs": [ "url--5914d707-8ec8-4457-b2e0-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d707-8ec8-4457-b2e0-bd5202de0b81", "value": "https://www.virustotal.com/file/61bcd9b0c11989d6049fd181786f1748116c128bd4768d1b6849805186190320/analysis/1494535666/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d707-897c-4c13-a91b-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:31.000Z", "modified": "2017-05-11T21:26:31.000Z", "description": "Document Dropper Hashes - Xchecked via VT: a02ed37812ac37d44979d5131aa10927fb9b9bd09aae2b470e65532bc694b27c", "pattern": "[file:hashes.SHA1 = '02e51ee358407bb7e3b6bc0b818ad0e0a2c20c0b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d708-8ce4-4d8e-ae61-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:32.000Z", "modified": "2017-05-11T21:26:32.000Z", "description": "Document Dropper Hashes - Xchecked via VT: a02ed37812ac37d44979d5131aa10927fb9b9bd09aae2b470e65532bc694b27c", "pattern": "[file:hashes.MD5 = '1a3741669abaa116abc66c1db0236890']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", 
"misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d708-3050-4d5c-b61a-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:32.000Z", "modified": "2017-05-11T21:26:32.000Z", "first_observed": "2017-05-11T21:26:32Z", "last_observed": "2017-05-11T21:26:32Z", "number_observed": 1, "object_refs": [ "url--5914d708-3050-4d5c-b61a-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d708-3050-4d5c-b61a-bd5202de0b81", "value": "https://www.virustotal.com/file/a02ed37812ac37d44979d5131aa10927fb9b9bd09aae2b470e65532bc694b27c/analysis/1494535665/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d709-04ac-455b-9231-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:33.000Z", "modified": "2017-05-11T21:26:33.000Z", "description": "Document Dropper Hashes - Xchecked via VT: b4d3c369449ead7ced48f84b9ea29cb4dbc6f485958e813b102c1d32ce62d3e8", "pattern": "[file:hashes.SHA1 = 'ccc0fb9afbb964d8feaa731b8c12b2d5d709beb0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d709-1ae4-45a8-88ad-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:33.000Z", "modified": "2017-05-11T21:26:33.000Z", "description": "Document Dropper Hashes - Xchecked via VT: b4d3c369449ead7ced48f84b9ea29cb4dbc6f485958e813b102c1d32ce62d3e8", "pattern": "[file:hashes.MD5 = 'f92dfc8a2f7d865cfc365211dec38abe']", "pattern_type": "stix", "pattern_version": "2.1", 
"valid_from": "2017-05-11T21:26:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d70a-0350-4e7f-a9a2-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:34.000Z", "modified": "2017-05-11T21:26:34.000Z", "first_observed": "2017-05-11T21:26:34Z", "last_observed": "2017-05-11T21:26:34Z", "number_observed": 1, "object_refs": [ "url--5914d70a-0350-4e7f-a9a2-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d70a-0350-4e7f-a9a2-bd5202de0b81", "value": "https://www.virustotal.com/file/b4d3c369449ead7ced48f84b9ea29cb4dbc6f485958e813b102c1d32ce62d3e8/analysis/1494535665/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d70a-2510-4831-a5da-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:34.000Z", "modified": "2017-05-11T21:26:34.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 50ab7834e98c2f40d7441006a0221c07bff5f9f694999b595daa29b37c9a5e12", "pattern": "[file:hashes.SHA1 = '3458013c174277fdca1282dfea5aab7fc8e2c74f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d70a-9d38-47f9-9d5e-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:34.000Z", "modified": "2017-05-11T21:26:34.000Z", "description": "Document Dropper Hashes - 
Xchecked via VT: 50ab7834e98c2f40d7441006a0221c07bff5f9f694999b595daa29b37c9a5e12", "pattern": "[file:hashes.MD5 = '874450f20106f9511beb916721f1fe1b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d70b-4118-4ab1-aba2-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:35.000Z", "modified": "2017-05-11T21:26:35.000Z", "first_observed": "2017-05-11T21:26:35Z", "last_observed": "2017-05-11T21:26:35Z", "number_observed": 1, "object_refs": [ "url--5914d70b-4118-4ab1-aba2-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d70b-4118-4ab1-aba2-bd5202de0b81", "value": "https://www.virustotal.com/file/50ab7834e98c2f40d7441006a0221c07bff5f9f694999b595daa29b37c9a5e12/analysis/1494535665/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d70b-235c-4e24-8860-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:35.000Z", "modified": "2017-05-11T21:26:35.000Z", "description": "Document Dropper Hashes - Xchecked via VT: d8e62ce3039921c11872319a09acc61038f2452a6a2fdb8c0d3a0848b56b26ff", "pattern": "[file:hashes.SHA1 = '04661681860828b34906f6ef2283e63525b7ac31']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--5914d70c-3648-412e-bd3f-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:36.000Z", "modified": "2017-05-11T21:26:36.000Z", "description": "Document Dropper Hashes - Xchecked via VT: d8e62ce3039921c11872319a09acc61038f2452a6a2fdb8c0d3a0848b56b26ff", "pattern": "[file:hashes.MD5 = '9989d733ea79ba392919c386a3db51b8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d70c-56d8-42ad-9f95-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:36.000Z", "modified": "2017-05-11T21:26:36.000Z", "first_observed": "2017-05-11T21:26:36Z", "last_observed": "2017-05-11T21:26:36Z", "number_observed": 1, "object_refs": [ "url--5914d70c-56d8-42ad-9f95-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d70c-56d8-42ad-9f95-bd5202de0b81", "value": "https://www.virustotal.com/file/d8e62ce3039921c11872319a09acc61038f2452a6a2fdb8c0d3a0848b56b26ff/analysis/1494535665/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d70d-8608-47eb-a0b2-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:37.000Z", "modified": "2017-05-11T21:26:37.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 7b48b21b10990cd53bb8969930b9f0b39cc495e95a33c38f80024a21a72b0176", "pattern": "[file:hashes.SHA1 = '67b7a4b74ae752999bee525d3dc2b91c8c5a37a8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:37Z", "kill_chain_phases": [ { "kill_chain_name": 
"misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d70d-232c-4da9-b7f5-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:37.000Z", "modified": "2017-05-11T21:26:37.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 7b48b21b10990cd53bb8969930b9f0b39cc495e95a33c38f80024a21a72b0176", "pattern": "[file:hashes.MD5 = '73b29fafd07dbc0341b9cb190c6f615e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d70d-a518-4a90-9567-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:37.000Z", "modified": "2017-05-11T21:26:37.000Z", "first_observed": "2017-05-11T21:26:37Z", "last_observed": "2017-05-11T21:26:37Z", "number_observed": 1, "object_refs": [ "url--5914d70d-a518-4a90-9567-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d70d-a518-4a90-9567-bd5202de0b81", "value": "https://www.virustotal.com/file/7b48b21b10990cd53bb8969930b9f0b39cc495e95a33c38f80024a21a72b0176/analysis/1489460924/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d70e-8644-4247-b786-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:38.000Z", "modified": "2017-05-11T21:26:38.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 8451cf3f5e5e2576f2ad36a4f19998e5824c2ab185f40ddec460a81ab1a8525a", "pattern": 
"[file:hashes.SHA1 = 'd47d1c2cf4ec98e8b7bb7d0b555ef97a5b573c11']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d70e-3600-447a-8be8-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:38.000Z", "modified": "2017-05-11T21:26:38.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 8451cf3f5e5e2576f2ad36a4f19998e5824c2ab185f40ddec460a81ab1a8525a", "pattern": "[file:hashes.MD5 = '586337cbc23f51fe97ae2d1420f43071']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d70f-a4cc-4b55-993f-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:39.000Z", "modified": "2017-05-11T21:26:39.000Z", "first_observed": "2017-05-11T21:26:39Z", "last_observed": "2017-05-11T21:26:39Z", "number_observed": 1, "object_refs": [ "url--5914d70f-a4cc-4b55-993f-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d70f-a4cc-4b55-993f-bd5202de0b81", "value": "https://www.virustotal.com/file/8451cf3f5e5e2576f2ad36a4f19998e5824c2ab185f40ddec460a81ab1a8525a/analysis/1494535664/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d70f-60f8-4009-bb93-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2017-05-11T21:26:39.000Z", "modified": "2017-05-11T21:26:39.000Z", "description": "Document Dropper Hashes - Xchecked via VT: c600c7638474fb31664ab32fb9aad5c216096b2c68d93c9eb37cf0476868cf05", "pattern": "[file:hashes.SHA1 = 'b659ef884f6d7210c1e8cc5c96a4e923099e6bff']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d710-6ccc-4856-b704-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:40.000Z", "modified": "2017-05-11T21:26:40.000Z", "description": "Document Dropper Hashes - Xchecked via VT: c600c7638474fb31664ab32fb9aad5c216096b2c68d93c9eb37cf0476868cf05", "pattern": "[file:hashes.MD5 = '0bc5449f24f70a97eb5a63b60c5eafee']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d710-7d74-4339-9d71-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:40.000Z", "modified": "2017-05-11T21:26:40.000Z", "first_observed": "2017-05-11T21:26:40Z", "last_observed": "2017-05-11T21:26:40Z", "number_observed": 1, "object_refs": [ "url--5914d710-7d74-4339-9d71-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d710-7d74-4339-9d71-bd5202de0b81", "value": 
"https://www.virustotal.com/file/c600c7638474fb31664ab32fb9aad5c216096b2c68d93c9eb37cf0476868cf05/analysis/1494535664/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d711-71c0-49f6-8684-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:41.000Z", "modified": "2017-05-11T21:26:41.000Z", "description": "Document Dropper Hashes - Xchecked via VT: ae3bb85b87d40a12e82b2545fd4c9087b3e847a744a27c1ac215dd38821ced87", "pattern": "[file:hashes.SHA1 = '823289568653beb7d18dda3a059514c2a6029925']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d711-319c-4e11-9889-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:41.000Z", "modified": "2017-05-11T21:26:41.000Z", "description": "Document Dropper Hashes - Xchecked via VT: ae3bb85b87d40a12e82b2545fd4c9087b3e847a744a27c1ac215dd38821ced87", "pattern": "[file:hashes.MD5 = 'f209fe46636ec146643618d79881ad63']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d711-d858-40dc-b3e7-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:41.000Z", "modified": "2017-05-11T21:26:41.000Z", "first_observed": "2017-05-11T21:26:41Z", "last_observed": "2017-05-11T21:26:41Z", "number_observed": 1, "object_refs": [ 
"url--5914d711-d858-40dc-b3e7-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d711-d858-40dc-b3e7-bd5202de0b81", "value": "https://www.virustotal.com/file/ae3bb85b87d40a12e82b2545fd4c9087b3e847a744a27c1ac215dd38821ced87/analysis/1494380308/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d712-2bf4-4380-a86e-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:42.000Z", "modified": "2017-05-11T21:26:42.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 92c82d7ea7b89f02c5b8e7d93d2a4ad17fbc0688ff9ad881cc185c18ea466232", "pattern": "[file:hashes.SHA1 = 'dcd678e99ffd594f00704dc3867b19efe85c9884']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d712-259c-4529-b6b3-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:42.000Z", "modified": "2017-05-11T21:26:42.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 92c82d7ea7b89f02c5b8e7d93d2a4ad17fbc0688ff9ad881cc185c18ea466232", "pattern": "[file:hashes.MD5 = '281c88a584c6ff0fb449624bf97298a4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:42Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d713-d434-4618-8a0a-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", 
"created": "2017-05-11T21:26:43.000Z", "modified": "2017-05-11T21:26:43.000Z", "first_observed": "2017-05-11T21:26:43Z", "last_observed": "2017-05-11T21:26:43Z", "number_observed": 1, "object_refs": [ "url--5914d713-d434-4618-8a0a-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d713-d434-4618-8a0a-bd5202de0b81", "value": "https://www.virustotal.com/file/92c82d7ea7b89f02c5b8e7d93d2a4ad17fbc0688ff9ad881cc185c18ea466232/analysis/1494535663/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d713-9aec-4fff-b7b7-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:43.000Z", "modified": "2017-05-11T21:26:43.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 40fd876c5d7f859484a8d3a021ce3c5eeba23deb8574f4b598aeaa6a0ded7815", "pattern": "[file:hashes.SHA1 = '8b5b6f5ece8c596c60ad4d6a2b90022d7635999a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d714-2308-467e-a4fb-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:44.000Z", "modified": "2017-05-11T21:26:44.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 40fd876c5d7f859484a8d3a021ce3c5eeba23deb8574f4b598aeaa6a0ded7815", "pattern": "[file:hashes.MD5 = 'fabdab3aa4d863f446149cbc41ba3463']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", 
"misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d714-7fb0-4326-b374-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:44.000Z", "modified": "2017-05-11T21:26:44.000Z", "first_observed": "2017-05-11T21:26:44Z", "last_observed": "2017-05-11T21:26:44Z", "number_observed": 1, "object_refs": [ "url--5914d714-7fb0-4326-b374-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d714-7fb0-4326-b374-bd5202de0b81", "value": "https://www.virustotal.com/file/40fd876c5d7f859484a8d3a021ce3c5eeba23deb8574f4b598aeaa6a0ded7815/analysis/1489038928/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d714-c9e0-43df-b0da-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:44.000Z", "modified": "2017-05-11T21:26:44.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 9e9e7ade1def82a56898415c079bd3f861c143f9db6770a28592bbbe04d5f234", "pattern": "[file:hashes.SHA1 = 'ab6bd4c0d5ec83f34e882eba915253056d6b49cb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d715-8238-40e6-ba71-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:45.000Z", "modified": "2017-05-11T21:26:45.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 9e9e7ade1def82a56898415c079bd3f861c143f9db6770a28592bbbe04d5f234", "pattern": "[file:hashes.MD5 = '6418268fae0ebc429fd446cf6b1c0316']", "pattern_type": "stix", "pattern_version": "2.1", 
"valid_from": "2017-05-11T21:26:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d715-5514-4718-9a46-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:45.000Z", "modified": "2017-05-11T21:26:45.000Z", "first_observed": "2017-05-11T21:26:45Z", "last_observed": "2017-05-11T21:26:45Z", "number_observed": 1, "object_refs": [ "url--5914d715-5514-4718-9a46-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d715-5514-4718-9a46-bd5202de0b81", "value": "https://www.virustotal.com/file/9e9e7ade1def82a56898415c079bd3f861c143f9db6770a28592bbbe04d5f234/analysis/1494535663/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d716-be24-4b37-8ee6-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:46.000Z", "modified": "2017-05-11T21:26:46.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 1c95a2a32b639008245a205f51aa7fbafc0b61ecc6879f9978be174feee516f4", "pattern": "[file:hashes.SHA1 = 'e179f266d87e85538f9d890fa0f031c5581986dd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d716-15a8-45e6-ba4b-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:46.000Z", "modified": "2017-05-11T21:26:46.000Z", "description": "Document Dropper Hashes - 
Xchecked via VT: 1c95a2a32b639008245a205f51aa7fbafc0b61ecc6879f9978be174feee516f4", "pattern": "[file:hashes.MD5 = '60ea5ec5ccc9c2f34a8f7874000097a9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d717-1740-406b-bc67-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:47.000Z", "modified": "2017-05-11T21:26:47.000Z", "first_observed": "2017-05-11T21:26:47Z", "last_observed": "2017-05-11T21:26:47Z", "number_observed": 1, "object_refs": [ "url--5914d717-1740-406b-bc67-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d717-1740-406b-bc67-bd5202de0b81", "value": "https://www.virustotal.com/file/1c95a2a32b639008245a205f51aa7fbafc0b61ecc6879f9978be174feee516f4/analysis/1494508546/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d717-e820-4486-a237-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:47.000Z", "modified": "2017-05-11T21:26:47.000Z", "description": "Document Dropper Hashes - Xchecked via VT: a85b040e923e45a3e139576c2086a8f1671b1c60053274d850218ffa422f80e6", "pattern": "[file:hashes.SHA1 = 'cf8c7cc742bf68410bb82208becaa4688d09c937']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--5914d717-1274-4805-ab55-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:47.000Z", "modified": "2017-05-11T21:26:47.000Z", "description": "Document Dropper Hashes - Xchecked via VT: a85b040e923e45a3e139576c2086a8f1671b1c60053274d850218ffa422f80e6", "pattern": "[file:hashes.MD5 = '6b67ed3878f109e4e9a867880a269705']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d718-bde8-4499-a25e-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:48.000Z", "modified": "2017-05-11T21:26:48.000Z", "first_observed": "2017-05-11T21:26:48Z", "last_observed": "2017-05-11T21:26:48Z", "number_observed": 1, "object_refs": [ "url--5914d718-bde8-4499-a25e-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d718-bde8-4499-a25e-bd5202de0b81", "value": "https://www.virustotal.com/file/a85b040e923e45a3e139576c2086a8f1671b1c60053274d850218ffa422f80e6/analysis/1489038330/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d718-4ac4-4f0d-8e43-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:48.000Z", "modified": "2017-05-11T21:26:48.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 7e62823f8a775674b6333ff535e93a9fc0bdcfd943c903fe85e614b34d692549", "pattern": "[file:hashes.SHA1 = '969430da71847aadfdb699576bd1fa5b05cc0578']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:48Z", "kill_chain_phases": [ { "kill_chain_name": 
"misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d719-0790-4566-a7fb-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:49.000Z", "modified": "2017-05-11T21:26:49.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 7e62823f8a775674b6333ff535e93a9fc0bdcfd943c903fe85e614b34d692549", "pattern": "[file:hashes.MD5 = '6b627f64d75543875ae17405c6c663e5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d719-1ce0-4496-bdae-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:49.000Z", "modified": "2017-05-11T21:26:49.000Z", "first_observed": "2017-05-11T21:26:49Z", "last_observed": "2017-05-11T21:26:49Z", "number_observed": 1, "object_refs": [ "url--5914d719-1ce0-4496-bdae-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d719-1ce0-4496-bdae-bd5202de0b81", "value": "https://www.virustotal.com/file/7e62823f8a775674b6333ff535e93a9fc0bdcfd943c903fe85e614b34d692549/analysis/1489040584/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d719-597c-41aa-ad6c-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:49.000Z", "modified": "2017-05-11T21:26:49.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 5b331693bc7ad009db3905fd37edfa94c528b6c4eee024f7a35dcc9b6b8a9c26", "pattern": 
"[file:hashes.SHA1 = 'aecad2194587c25a090770fdf6bb79b963ac0f99']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d71a-31ac-4411-a773-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:50.000Z", "modified": "2017-05-11T21:26:50.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 5b331693bc7ad009db3905fd37edfa94c528b6c4eee024f7a35dcc9b6b8a9c26", "pattern": "[file:hashes.MD5 = '3e60efd63cc510148c783d4d5b16ea05']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d71a-79dc-4e3e-9c28-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:50.000Z", "modified": "2017-05-11T21:26:50.000Z", "first_observed": "2017-05-11T21:26:50Z", "last_observed": "2017-05-11T21:26:50Z", "number_observed": 1, "object_refs": [ "url--5914d71a-79dc-4e3e-9c28-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d71a-79dc-4e3e-9c28-bd5202de0b81", "value": "https://www.virustotal.com/file/5b331693bc7ad009db3905fd37edfa94c528b6c4eee024f7a35dcc9b6b8a9c26/analysis/1489867223/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d71b-1af0-4d3f-8b7d-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2017-05-11T21:26:51.000Z", "modified": "2017-05-11T21:26:51.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 97ea044a5820f9271c21bd8f1bb381099fb188a7d9f54ac72a88bf41411cf1b3", "pattern": "[file:hashes.SHA1 = '2e23271b02d0e82fba529d04def9127d4ad2b574']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d71b-2afc-48ec-807d-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:51.000Z", "modified": "2017-05-11T21:26:51.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 97ea044a5820f9271c21bd8f1bb381099fb188a7d9f54ac72a88bf41411cf1b3", "pattern": "[file:hashes.MD5 = 'b22efe94ed4ac8eee1618adfff92403a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d71b-849c-4153-b251-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:51.000Z", "modified": "2017-05-11T21:26:51.000Z", "first_observed": "2017-05-11T21:26:51Z", "last_observed": "2017-05-11T21:26:51Z", "number_observed": 1, "object_refs": [ "url--5914d71b-849c-4153-b251-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d71b-849c-4153-b251-bd5202de0b81", "value": 
"https://www.virustotal.com/file/97ea044a5820f9271c21bd8f1bb381099fb188a7d9f54ac72a88bf41411cf1b3/analysis/1494535663/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d71c-de4c-4b43-b884-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:52.000Z", "modified": "2017-05-11T21:26:52.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 069a4abb186efb6c3b6733cb2f35151d03eefe40cfb626d3c42aaa5f7ef342c6", "pattern": "[file:hashes.SHA1 = '1fccdf389f4adb8ff67097b140dddc89a85b7073']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d71c-8838-42f5-b070-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:52.000Z", "modified": "2017-05-11T21:26:52.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 069a4abb186efb6c3b6733cb2f35151d03eefe40cfb626d3c42aaa5f7ef342c6", "pattern": "[file:hashes.MD5 = '5b020b9e7a8033ca4444f7cc210eb1d7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d71d-03f8-4260-a77e-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:53.000Z", "modified": "2017-05-11T21:26:53.000Z", "first_observed": "2017-05-11T21:26:53Z", "last_observed": "2017-05-11T21:26:53Z", "number_observed": 1, "object_refs": [ 
"url--5914d71d-03f8-4260-a77e-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d71d-03f8-4260-a77e-bd5202de0b81", "value": "https://www.virustotal.com/file/069a4abb186efb6c3b6733cb2f35151d03eefe40cfb626d3c42aaa5f7ef342c6/analysis/1493947778/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d71d-1eb4-488e-9132-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:53.000Z", "modified": "2017-05-11T21:26:53.000Z", "description": "Document Dropper Hashes - Xchecked via VT: cfe56d178ff873a5d984220c96570144a6674ce1b675036566a93ff6d680a981", "pattern": "[file:hashes.SHA1 = '486a5ece9c217c9e651045236f6158d339ea0a33']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d71d-3460-43e0-afba-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:53.000Z", "modified": "2017-05-11T21:26:53.000Z", "description": "Document Dropper Hashes - Xchecked via VT: cfe56d178ff873a5d984220c96570144a6674ce1b675036566a93ff6d680a981", "pattern": "[file:hashes.MD5 = '17661f80532cef37f114a923d076cc79']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d71e-6524-458e-a25e-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", 
"created": "2017-05-11T21:26:54.000Z", "modified": "2017-05-11T21:26:54.000Z", "first_observed": "2017-05-11T21:26:54Z", "last_observed": "2017-05-11T21:26:54Z", "number_observed": 1, "object_refs": [ "url--5914d71e-6524-458e-a25e-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d71e-6524-458e-a25e-bd5202de0b81", "value": "https://www.virustotal.com/file/cfe56d178ff873a5d984220c96570144a6674ce1b675036566a93ff6d680a981/analysis/1490601720/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d71e-12fc-4141-af5a-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:54.000Z", "modified": "2017-05-11T21:26:54.000Z", "description": "Document Dropper Hashes - Xchecked via VT: d3683a4fe910d5815541beb2c42b98827a1f6362073b9901a74c36e15072c1a2", "pattern": "[file:hashes.SHA1 = 'f1e9696e5b925cf3291cf66a769e4b32a4193c1d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d71f-be38-4b47-ba1b-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:55.000Z", "modified": "2017-05-11T21:26:55.000Z", "description": "Document Dropper Hashes - Xchecked via VT: d3683a4fe910d5815541beb2c42b98827a1f6362073b9901a74c36e15072c1a2", "pattern": "[file:hashes.MD5 = 'f07cb060cde4a2010a827372b6780a85']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", 
"misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d71f-2478-41ee-8455-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:55.000Z", "modified": "2017-05-11T21:26:55.000Z", "first_observed": "2017-05-11T21:26:55Z", "last_observed": "2017-05-11T21:26:55Z", "number_observed": 1, "object_refs": [ "url--5914d71f-2478-41ee-8455-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d71f-2478-41ee-8455-bd5202de0b81", "value": "https://www.virustotal.com/file/d3683a4fe910d5815541beb2c42b98827a1f6362073b9901a74c36e15072c1a2/analysis/1481021920/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d720-3d1c-47fb-88e1-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:56.000Z", "modified": "2017-05-11T21:26:56.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 256078f83cf9535c72debffa3d34818789849131e9138589728b4085e2ae2169", "pattern": "[file:hashes.SHA1 = '0b0bd3105b3d9538b8211e4b9b6f95ac16a28950']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d720-a290-491c-a2e2-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:56.000Z", "modified": "2017-05-11T21:26:56.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 256078f83cf9535c72debffa3d34818789849131e9138589728b4085e2ae2169", "pattern": "[file:hashes.MD5 = '8f4c507a6094225d70c066ae52974381']", "pattern_type": "stix", "pattern_version": "2.1", 
"valid_from": "2017-05-11T21:26:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d720-d2f4-41bc-81aa-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:56.000Z", "modified": "2017-05-11T21:26:56.000Z", "first_observed": "2017-05-11T21:26:56Z", "last_observed": "2017-05-11T21:26:56Z", "number_observed": 1, "object_refs": [ "url--5914d720-d2f4-41bc-81aa-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d720-d2f4-41bc-81aa-bd5202de0b81", "value": "https://www.virustotal.com/file/256078f83cf9535c72debffa3d34818789849131e9138589728b4085e2ae2169/analysis/1494508496/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d721-1930-4653-930c-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:57.000Z", "modified": "2017-05-11T21:26:57.000Z", "description": "Document Dropper Hashes - Xchecked via VT: b1d5bfb124a15ab9068cf413de430a1c2cbd7b2bf67a766cf971269c67c3eace", "pattern": "[file:hashes.SHA1 = '24c1a3b12f62df58a0931523c0a6c56d7079bdce']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d721-4f18-4c5d-88ae-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:57.000Z", "modified": "2017-05-11T21:26:57.000Z", "description": "Document Dropper Hashes - 
Xchecked via VT: b1d5bfb124a15ab9068cf413de430a1c2cbd7b2bf67a766cf971269c67c3eace", "pattern": "[file:hashes.MD5 = '4a2cc8973ec2692ca00f620cbf536e9b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d722-cb90-4dca-b321-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:58.000Z", "modified": "2017-05-11T21:26:58.000Z", "first_observed": "2017-05-11T21:26:58Z", "last_observed": "2017-05-11T21:26:58Z", "number_observed": 1, "object_refs": [ "url--5914d722-cb90-4dca-b321-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d722-cb90-4dca-b321-bd5202de0b81", "value": "https://www.virustotal.com/file/b1d5bfb124a15ab9068cf413de430a1c2cbd7b2bf67a766cf971269c67c3eace/analysis/1481046323/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d722-2aa0-4c90-a7b8-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:58.000Z", "modified": "2017-05-11T21:26:58.000Z", "description": "Document Dropper Hashes - Xchecked via VT: f89edff923d1d2daf6b2ab36595e873ed7d1cd52c2f6b66b590fa636c17dced2", "pattern": "[file:hashes.SHA1 = '4be209d6c9d9b2de5175127f9ff5cb4f7c1d8d77']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--5914d722-1100-45eb-b6e8-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:58.000Z", "modified": "2017-05-11T21:26:58.000Z", "description": "Document Dropper Hashes - Xchecked via VT: f89edff923d1d2daf6b2ab36595e873ed7d1cd52c2f6b66b590fa636c17dced2", "pattern": "[file:hashes.MD5 = '60d6bf2b1471ba0b2e63ddad240a16e8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d723-ea94-41bc-ab8e-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:59.000Z", "modified": "2017-05-11T21:26:59.000Z", "first_observed": "2017-05-11T21:26:59Z", "last_observed": "2017-05-11T21:26:59Z", "number_observed": 1, "object_refs": [ "url--5914d723-ea94-41bc-ab8e-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d723-ea94-41bc-ab8e-bd5202de0b81", "value": "https://www.virustotal.com/file/f89edff923d1d2daf6b2ab36595e873ed7d1cd52c2f6b66b590fa636c17dced2/analysis/1482148364/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d723-4c20-4a8f-9c95-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:26:59.000Z", "modified": "2017-05-11T21:26:59.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 1384934c09f6551d19150bfcf8ae954f4969d0b9ff841c93f81ebb57eecc9a71", "pattern": "[file:hashes.SHA1 = '489a55e02bb63ec11832869828049c62fc7c52fe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:26:59Z", "kill_chain_phases": [ { "kill_chain_name": 
"misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d724-aebc-4e10-b56c-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:00.000Z", "modified": "2017-05-11T21:27:00.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 1384934c09f6551d19150bfcf8ae954f4969d0b9ff841c93f81ebb57eecc9a71", "pattern": "[file:hashes.MD5 = '6049aa7df91af05a3475699c8d5f0166']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d724-99dc-43a6-8907-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:00.000Z", "modified": "2017-05-11T21:27:00.000Z", "first_observed": "2017-05-11T21:27:00Z", "last_observed": "2017-05-11T21:27:00Z", "number_observed": 1, "object_refs": [ "url--5914d724-99dc-43a6-8907-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d724-99dc-43a6-8907-bd5202de0b81", "value": "https://www.virustotal.com/file/1384934c09f6551d19150bfcf8ae954f4969d0b9ff841c93f81ebb57eecc9a71/analysis/1489054613/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d725-b974-4527-9fc8-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:01.000Z", "modified": "2017-05-11T21:27:01.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 368304125ffd86a234aeb8c05a90b7ee40b37dae1dea7178deeda522eac9dcbc", "pattern": 
"[file:hashes.SHA1 = '6399935fdae58066b21165ac606eaec43cf78408']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d725-d760-4149-9268-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:01.000Z", "modified": "2017-05-11T21:27:01.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 368304125ffd86a234aeb8c05a90b7ee40b37dae1dea7178deeda522eac9dcbc", "pattern": "[file:hashes.MD5 = 'da4eabfa45676ce4aa96f9b3f5265dfe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d725-f864-4b01-abb9-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:01.000Z", "modified": "2017-05-11T21:27:01.000Z", "first_observed": "2017-05-11T21:27:01Z", "last_observed": "2017-05-11T21:27:01Z", "number_observed": 1, "object_refs": [ "url--5914d725-f864-4b01-abb9-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d725-f864-4b01-abb9-bd5202de0b81", "value": "https://www.virustotal.com/file/368304125ffd86a234aeb8c05a90b7ee40b37dae1dea7178deeda522eac9dcbc/analysis/1481278162/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d726-cf9c-4cf0-a83a-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2017-05-11T21:27:02.000Z", "modified": "2017-05-11T21:27:02.000Z", "description": "Document Dropper Hashes - Xchecked via VT: de5ac4aedaca5649758bf34c87fd59967c2adeaaa0be65a58b9c8e9f6a8660f1", "pattern": "[file:hashes.SHA1 = 'f68e6301f5674f6ee44724b30207f4308abe18b6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d726-a808-4488-bca6-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:02.000Z", "modified": "2017-05-11T21:27:02.000Z", "description": "Document Dropper Hashes - Xchecked via VT: de5ac4aedaca5649758bf34c87fd59967c2adeaaa0be65a58b9c8e9f6a8660f1", "pattern": "[file:hashes.MD5 = '02225b290fdbbea5b061164b55eb60dc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d727-3b38-47e8-9804-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:03.000Z", "modified": "2017-05-11T21:27:03.000Z", "first_observed": "2017-05-11T21:27:03Z", "last_observed": "2017-05-11T21:27:03Z", "number_observed": 1, "object_refs": [ "url--5914d727-3b38-47e8-9804-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d727-3b38-47e8-9804-bd5202de0b81", "value": 
"https://www.virustotal.com/file/de5ac4aedaca5649758bf34c87fd59967c2adeaaa0be65a58b9c8e9f6a8660f1/analysis/1482219248/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d727-49ac-479d-8967-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:03.000Z", "modified": "2017-05-11T21:27:03.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 4916bc8dc91941a444d3aa41616eaebe8c3d4b095a0c566945b85c143ae532c1", "pattern": "[file:hashes.SHA1 = '263be7a0bbbfaf36845216a592f61b3273259535']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d728-82dc-49d7-8660-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:04.000Z", "modified": "2017-05-11T21:27:04.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 4916bc8dc91941a444d3aa41616eaebe8c3d4b095a0c566945b85c143ae532c1", "pattern": "[file:hashes.MD5 = 'd0a1e490e206adf0e7dbf174aa96f229']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d728-4d8c-49f8-bf7b-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:04.000Z", "modified": "2017-05-11T21:27:04.000Z", "first_observed": "2017-05-11T21:27:04Z", "last_observed": "2017-05-11T21:27:04Z", "number_observed": 1, "object_refs": [ 
"url--5914d728-4d8c-49f8-bf7b-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d728-4d8c-49f8-bf7b-bd5202de0b81", "value": "https://www.virustotal.com/file/4916bc8dc91941a444d3aa41616eaebe8c3d4b095a0c566945b85c143ae532c1/analysis/1483580953/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d729-962c-4b58-aabd-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:05.000Z", "modified": "2017-05-11T21:27:05.000Z", "description": "Document Dropper Hashes - Xchecked via VT: d58cfd2d851b9c98f9de79d38944d72eddec1e2243f1065de7d8b1ed1bf1cddd", "pattern": "[file:hashes.SHA1 = 'ad94cbdf25403efd0b8b4fc2dae776b34840b08c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d729-f348-4170-9f2b-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:05.000Z", "modified": "2017-05-11T21:27:05.000Z", "description": "Document Dropper Hashes - Xchecked via VT: d58cfd2d851b9c98f9de79d38944d72eddec1e2243f1065de7d8b1ed1bf1cddd", "pattern": "[file:hashes.MD5 = '9c5b642972f6cb5bd68d869b139f0bd6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d729-ad44-49e0-a4cc-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", 
"created": "2017-05-11T21:27:05.000Z", "modified": "2017-05-11T21:27:05.000Z", "first_observed": "2017-05-11T21:27:05Z", "last_observed": "2017-05-11T21:27:05Z", "number_observed": 1, "object_refs": [ "url--5914d729-ad44-49e0-a4cc-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d729-ad44-49e0-a4cc-bd5202de0b81", "value": "https://www.virustotal.com/file/d58cfd2d851b9c98f9de79d38944d72eddec1e2243f1065de7d8b1ed1bf1cddd/analysis/1489107062/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d72a-435c-4828-b040-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:06.000Z", "modified": "2017-05-11T21:27:06.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 7df6bd0af983f87dc34a71d009a3bd3bd272e094c6c55bf765148d836129e10c", "pattern": "[file:hashes.SHA1 = '89e74722017038bf7f8fa3b28851d44a2d0534c9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d72a-f9c4-4932-b586-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:06.000Z", "modified": "2017-05-11T21:27:06.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 7df6bd0af983f87dc34a71d009a3bd3bd272e094c6c55bf765148d836129e10c", "pattern": "[file:hashes.MD5 = '4cd702e3c6a5992bdd12e119c37b91bc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", 
"misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d72b-beec-4e8d-9f3e-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:07.000Z", "modified": "2017-05-11T21:27:07.000Z", "first_observed": "2017-05-11T21:27:07Z", "last_observed": "2017-05-11T21:27:07Z", "number_observed": 1, "object_refs": [ "url--5914d72b-beec-4e8d-9f3e-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d72b-beec-4e8d-9f3e-bd5202de0b81", "value": "https://www.virustotal.com/file/7df6bd0af983f87dc34a71d009a3bd3bd272e094c6c55bf765148d836129e10c/analysis/1489109886/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d72b-4a68-437c-a08c-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:07.000Z", "modified": "2017-05-11T21:27:07.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 777560483cb903ba803bfdbbd1f37353706da3a265e32da44fffb3ec7fcf07a2", "pattern": "[file:hashes.SHA1 = '8fd0494e425d0b8b37dea0ad3e2752a23a5dec75']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d72b-5cd8-44e1-86c3-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:07.000Z", "modified": "2017-05-11T21:27:07.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 777560483cb903ba803bfdbbd1f37353706da3a265e32da44fffb3ec7fcf07a2", "pattern": "[file:hashes.MD5 = 'd1b913b5644ee3e9636f0ec7875ca3f6']", "pattern_type": "stix", "pattern_version": "2.1", 
"valid_from": "2017-05-11T21:27:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d72c-52c8-4338-974f-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:08.000Z", "modified": "2017-05-11T21:27:08.000Z", "first_observed": "2017-05-11T21:27:08Z", "last_observed": "2017-05-11T21:27:08Z", "number_observed": 1, "object_refs": [ "url--5914d72c-52c8-4338-974f-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d72c-52c8-4338-974f-bd5202de0b81", "value": "https://www.virustotal.com/file/777560483cb903ba803bfdbbd1f37353706da3a265e32da44fffb3ec7fcf07a2/analysis/1494508355/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d72c-71ac-4eb0-8a16-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:08.000Z", "modified": "2017-05-11T21:27:08.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 6ebd2955fb137b5c983bbfb7601ea49ceb1f66119d13ce850c12d89e8c6a3742", "pattern": "[file:hashes.SHA1 = 'de1612116378c4e25fb79cf7279517a746aaf259']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d72d-2438-4214-9e39-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:09.000Z", "modified": "2017-05-11T21:27:09.000Z", "description": "Document Dropper Hashes - 
Xchecked via VT: 6ebd2955fb137b5c983bbfb7601ea49ceb1f66119d13ce850c12d89e8c6a3742", "pattern": "[file:hashes.MD5 = '0da4f5785a682a1a66fc1fd5eca3d14e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d72d-b098-49e8-a1a9-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:09.000Z", "modified": "2017-05-11T21:27:09.000Z", "first_observed": "2017-05-11T21:27:09Z", "last_observed": "2017-05-11T21:27:09Z", "number_observed": 1, "object_refs": [ "url--5914d72d-b098-49e8-a1a9-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d72d-b098-49e8-a1a9-bd5202de0b81", "value": "https://www.virustotal.com/file/6ebd2955fb137b5c983bbfb7601ea49ceb1f66119d13ce850c12d89e8c6a3742/analysis/1482993999/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d72e-e314-4f3e-9e65-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:10.000Z", "modified": "2017-05-11T21:27:10.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 1faa27f82bcbad0acc444727e7be35147e5a2ee92757781e5f26db614d3cee7f", "pattern": "[file:hashes.SHA1 = '72b18f5e5163559bd7d1b00bbf5185c7c577052b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--5914d72e-f51c-4a94-9fdc-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:10.000Z", "modified": "2017-05-11T21:27:10.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 1faa27f82bcbad0acc444727e7be35147e5a2ee92757781e5f26db614d3cee7f", "pattern": "[file:hashes.MD5 = '56860734beb580fc431d6c8d8e7cae2c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d72e-4e04-4b26-a25f-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:10.000Z", "modified": "2017-05-11T21:27:10.000Z", "first_observed": "2017-05-11T21:27:10Z", "last_observed": "2017-05-11T21:27:10Z", "number_observed": 1, "object_refs": [ "url--5914d72e-4e04-4b26-a25f-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d72e-4e04-4b26-a25f-bd5202de0b81", "value": "https://www.virustotal.com/file/1faa27f82bcbad0acc444727e7be35147e5a2ee92757781e5f26db614d3cee7f/analysis/1480580090/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d72f-cd24-4f80-9ed8-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:11.000Z", "modified": "2017-05-11T21:27:11.000Z", "description": "Document Dropper Hashes - Xchecked via VT: c173085b954ff1055fb859e6584a9e0bb3919740752351ad50706c0b7be37b51", "pattern": "[file:hashes.SHA1 = 'a857e704259229f535abda7de2b3c00eeb197650']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:11Z", "kill_chain_phases": [ { "kill_chain_name": 
"misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d72f-7d44-46b3-87b6-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:11.000Z", "modified": "2017-05-11T21:27:11.000Z", "description": "Document Dropper Hashes - Xchecked via VT: c173085b954ff1055fb859e6584a9e0bb3919740752351ad50706c0b7be37b51", "pattern": "[file:hashes.MD5 = '569748d6942ea9bbcfb72defc7ac37a0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d730-376c-4c98-8ae4-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:12.000Z", "modified": "2017-05-11T21:27:12.000Z", "first_observed": "2017-05-11T21:27:12Z", "last_observed": "2017-05-11T21:27:12Z", "number_observed": 1, "object_refs": [ "url--5914d730-376c-4c98-8ae4-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d730-376c-4c98-8ae4-bd5202de0b81", "value": "https://www.virustotal.com/file/c173085b954ff1055fb859e6584a9e0bb3919740752351ad50706c0b7be37b51/analysis/1489585497/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d730-d0c4-42bc-9823-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:12.000Z", "modified": "2017-05-11T21:27:12.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 8e9af7d90193bddc89d1c3782477bde76f90707eb1900537c020fc02970bbd74", "pattern": 
"[file:hashes.SHA1 = 'fc5250922a17f2c2a06cec360ebf12004436d245']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d731-e188-4a2f-855d-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:13.000Z", "modified": "2017-05-11T21:27:13.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 8e9af7d90193bddc89d1c3782477bde76f90707eb1900537c020fc02970bbd74", "pattern": "[file:hashes.MD5 = '30bd3e14b4aedf1ebd424d4070a352e4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d731-adb0-4639-8ccf-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:13.000Z", "modified": "2017-05-11T21:27:13.000Z", "first_observed": "2017-05-11T21:27:13Z", "last_observed": "2017-05-11T21:27:13Z", "number_observed": 1, "object_refs": [ "url--5914d731-adb0-4639-8ccf-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d731-adb0-4639-8ccf-bd5202de0b81", "value": "https://www.virustotal.com/file/8e9af7d90193bddc89d1c3782477bde76f90707eb1900537c020fc02970bbd74/analysis/1489278967/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d731-4a6c-4194-b69f-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2017-05-11T21:27:13.000Z", "modified": "2017-05-11T21:27:13.000Z", "description": "Document Dropper Hashes - Xchecked via VT: fee6b19ff8a39e83756345af421d3d85d20e67df62ac58bc05f514c368efc329", "pattern": "[file:hashes.SHA1 = '71d4374cb95fa688f318131905394ff6e0b4c709']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d732-17d8-4e57-86a1-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:14.000Z", "modified": "2017-05-11T21:27:14.000Z", "description": "Document Dropper Hashes - Xchecked via VT: fee6b19ff8a39e83756345af421d3d85d20e67df62ac58bc05f514c368efc329", "pattern": "[file:hashes.MD5 = 'bb04f8381fb159fcf541070773f7de4d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d732-3fd0-4c49-8d0e-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:14.000Z", "modified": "2017-05-11T21:27:14.000Z", "first_observed": "2017-05-11T21:27:14Z", "last_observed": "2017-05-11T21:27:14Z", "number_observed": 1, "object_refs": [ "url--5914d732-3fd0-4c49-8d0e-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d732-3fd0-4c49-8d0e-bd5202de0b81", "value": 
"https://www.virustotal.com/file/fee6b19ff8a39e83756345af421d3d85d20e67df62ac58bc05f514c368efc329/analysis/1494535661/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d733-5310-4060-84ac-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:15.000Z", "modified": "2017-05-11T21:27:15.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 0a59bc35fe7bd84c955402aba2ad3883a5cdb08deb353c8f6310a163109f0c60", "pattern": "[file:hashes.SHA1 = '1b25fbc28a176f98e1ba53d6591ef3488aa763b4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d733-2b6c-442a-8528-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:15.000Z", "modified": "2017-05-11T21:27:15.000Z", "description": "Document Dropper Hashes - Xchecked via VT: 0a59bc35fe7bd84c955402aba2ad3883a5cdb08deb353c8f6310a163109f0c60", "pattern": "[file:hashes.MD5 = 'a99e5c66ae548aa86328b00b8ccaf561']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d734-af84-411c-b7f4-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:16.000Z", "modified": "2017-05-11T21:27:16.000Z", "first_observed": "2017-05-11T21:27:16Z", "last_observed": "2017-05-11T21:27:16Z", "number_observed": 1, "object_refs": [ 
"url--5914d734-af84-411c-b7f4-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d734-af84-411c-b7f4-bd5202de0b81", "value": "https://www.virustotal.com/file/0a59bc35fe7bd84c955402aba2ad3883a5cdb08deb353c8f6310a163109f0c60/analysis/1487653017/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d734-8188-4c62-860c-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:16.000Z", "modified": "2017-05-11T21:27:16.000Z", "description": "PE Dropper Hashes - Xchecked via VT: ffc5e46200f16549f17d2d6e4d6e5e61239b711cd07fbf7932c31e2ea18a7865", "pattern": "[file:hashes.SHA1 = 'fe61098c0e444ac0e20bc70de3d1014ff3b49029']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d734-77c4-4858-8c1e-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:16.000Z", "modified": "2017-05-11T21:27:16.000Z", "description": "PE Dropper Hashes - Xchecked via VT: ffc5e46200f16549f17d2d6e4d6e5e61239b711cd07fbf7932c31e2ea18a7865", "pattern": "[file:hashes.MD5 = 'b3a17f4ec0e5ea0f406884c69afdd676']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d735-82e8-44c9-a524-bd5202de0b81", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:17.000Z", "modified": "2017-05-11T21:27:17.000Z", "first_observed": "2017-05-11T21:27:17Z", "last_observed": "2017-05-11T21:27:17Z", "number_observed": 1, "object_refs": [ "url--5914d735-82e8-44c9-a524-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d735-82e8-44c9-a524-bd5202de0b81", "value": "https://www.virustotal.com/file/ffc5e46200f16549f17d2d6e4d6e5e61239b711cd07fbf7932c31e2ea18a7865/analysis/1485752780/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d735-79f4-4841-b88e-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:17.000Z", "modified": "2017-05-11T21:27:17.000Z", "description": "PE Dropper Hashes - Xchecked via VT: b75b3ff65632b65d1d641075bd2f5ed0ede93da3a35d7f50068b9371ee5c4552", "pattern": "[file:hashes.SHA1 = '5b24af2e9802b503c7f41c17b561b0b6b38914d7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d736-57e4-4328-b0b1-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:18.000Z", "modified": "2017-05-11T21:27:18.000Z", "description": "PE Dropper Hashes - Xchecked via VT: b75b3ff65632b65d1d641075bd2f5ed0ede93da3a35d7f50068b9371ee5c4552", "pattern": "[file:hashes.MD5 = 'c2ed5b0eea4e4bf833e1a5549bde2024']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ 
"misp:type=\"md5\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d736-fa10-40a3-b43b-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:18.000Z", "modified": "2017-05-11T21:27:18.000Z", "first_observed": "2017-05-11T21:27:18Z", "last_observed": "2017-05-11T21:27:18Z", "number_observed": 1, "object_refs": [ "url--5914d736-fa10-40a3-b43b-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d736-fa10-40a3-b43b-bd5202de0b81", "value": "https://www.virustotal.com/file/b75b3ff65632b65d1d641075bd2f5ed0ede93da3a35d7f50068b9371ee5c4552/analysis/1494508308/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d737-5c50-4c1b-abba-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:19.000Z", "modified": "2017-05-11T21:27:19.000Z", "description": "PE Dropper Hashes - Xchecked via VT: 85d56628f7ec277a5f49a801ef4793072edd56d9c26b0bdb9b3dc348366c734a", "pattern": "[file:hashes.SHA1 = '961cd65ba039b3e6ff640d7afb2b328bf4e0b528']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d737-c2c4-48c4-95ba-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:19.000Z", "modified": "2017-05-11T21:27:19.000Z", "description": "PE Dropper Hashes - Xchecked via VT: 85d56628f7ec277a5f49a801ef4793072edd56d9c26b0bdb9b3dc348366c734a", "pattern": "[file:hashes.MD5 = '0dda5e2ba7e57c05842c2f16d3b8d53f']", 
"pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d737-2328-4c13-b6d2-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:19.000Z", "modified": "2017-05-11T21:27:19.000Z", "first_observed": "2017-05-11T21:27:19Z", "last_observed": "2017-05-11T21:27:19Z", "number_observed": 1, "object_refs": [ "url--5914d737-2328-4c13-b6d2-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d737-2328-4c13-b6d2-bd5202de0b81", "value": "https://www.virustotal.com/file/85d56628f7ec277a5f49a801ef4793072edd56d9c26b0bdb9b3dc348366c734a/analysis/1494508225/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d738-e334-45ac-97e6-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:20.000Z", "modified": "2017-05-11T21:27:20.000Z", "description": "PE Dropper Hashes - Xchecked via VT: 1db89009b678ba4517fc7490b9a7f597b838939499365374eba32347393fdd4e", "pattern": "[file:hashes.SHA1 = '0825e2a307f2471071a86bc43fdd3b4d5d502db8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d738-443c-4f94-b270-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:20.000Z", "modified": 
"2017-05-11T21:27:20.000Z", "description": "PE Dropper Hashes - Xchecked via VT: 1db89009b678ba4517fc7490b9a7f597b838939499365374eba32347393fdd4e", "pattern": "[file:hashes.MD5 = '7420b8e04e655ce932a27f26bcd8f7eb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d739-04fc-4966-a81e-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:21.000Z", "modified": "2017-05-11T21:27:21.000Z", "first_observed": "2017-05-11T21:27:21Z", "last_observed": "2017-05-11T21:27:21Z", "number_observed": 1, "object_refs": [ "url--5914d739-04fc-4966-a81e-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d739-04fc-4966-a81e-bd5202de0b81", "value": "https://www.virustotal.com/file/1db89009b678ba4517fc7490b9a7f597b838939499365374eba32347393fdd4e/analysis/1494506735/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d739-5d9c-464f-8e6d-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:21.000Z", "modified": "2017-05-11T21:27:21.000Z", "description": "PE Dropper Hashes - Xchecked via VT: 1b64d1c93e53fa74d89c3362c30899644e9fef7f11292f40740b216bcbe03285", "pattern": "[file:hashes.SHA1 = 'bec06edfeb83066b3d1a661380d4e381ed79a3c2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": 
"indicator", "spec_version": "2.1", "id": "indicator--5914d739-ed2c-44dd-a08f-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:21.000Z", "modified": "2017-05-11T21:27:21.000Z", "description": "PE Dropper Hashes - Xchecked via VT: 1b64d1c93e53fa74d89c3362c30899644e9fef7f11292f40740b216bcbe03285", "pattern": "[file:hashes.MD5 = 'f4c9f50d1ca9708641ff81272d821743']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d73a-bc30-4837-b899-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:22.000Z", "modified": "2017-05-11T21:27:22.000Z", "first_observed": "2017-05-11T21:27:22Z", "last_observed": "2017-05-11T21:27:22Z", "number_observed": 1, "object_refs": [ "url--5914d73a-bc30-4837-b899-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d73a-bc30-4837-b899-bd5202de0b81", "value": "https://www.virustotal.com/file/1b64d1c93e53fa74d89c3362c30899644e9fef7f11292f40740b216bcbe03285/analysis/1494535660/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d73a-1a1c-4611-b2ff-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:22.000Z", "modified": "2017-05-11T21:27:22.000Z", "description": "PE Password Stealer Hashes - Xchecked via VT: 99c50b658c632214f0b133f8742a5e6d2d34e47497d7a08ed2d80e4299be3502", "pattern": "[file:hashes.SHA1 = 'e77d057a3093a9c1c04f2d12531bc4f3318e4374']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:22Z", 
"kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d73b-0d28-49f0-b70f-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:23.000Z", "modified": "2017-05-11T21:27:23.000Z", "description": "PE Password Stealer Hashes - Xchecked via VT: 99c50b658c632214f0b133f8742a5e6d2d34e47497d7a08ed2d80e4299be3502", "pattern": "[file:hashes.MD5 = '0d6f3df24aec13d0e0d5d0eabeb379b0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d73b-f258-44a7-982e-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:23.000Z", "modified": "2017-05-11T21:27:23.000Z", "first_observed": "2017-05-11T21:27:23Z", "last_observed": "2017-05-11T21:27:23Z", "number_observed": 1, "object_refs": [ "url--5914d73b-f258-44a7-982e-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d73b-f258-44a7-982e-bd5202de0b81", "value": "https://www.virustotal.com/file/99c50b658c632214f0b133f8742a5e6d2d34e47497d7a08ed2d80e4299be3502/analysis/1494535660/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d73b-3188-4472-a5f2-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:23.000Z", "modified": "2017-05-11T21:27:23.000Z", "description": "PE Password Stealer Hashes - Xchecked via VT: 
76b703c9430abf4e0ba09e6d4e4d6cf94a251bb0e7f3fadbd169fcef954a8b39", "pattern": "[file:hashes.SHA1 = 'f684597911f043dbd239fcb6539366ca77454c6d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5914d73c-ac38-4749-952f-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:24.000Z", "modified": "2017-05-11T21:27:24.000Z", "description": "PE Password Stealer Hashes - Xchecked via VT: 76b703c9430abf4e0ba09e6d4e4d6cf94a251bb0e7f3fadbd169fcef954a8b39", "pattern": "[file:hashes.MD5 = '92a7a7b298e6b89ec44138c5be3573c4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-05-11T21:27:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5914d73c-6dc4-4b59-8b00-bd5202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-11T21:27:24.000Z", "modified": "2017-05-11T21:27:24.000Z", "first_observed": "2017-05-11T21:27:24Z", "last_observed": "2017-05-11T21:27:24Z", "number_observed": 1, "object_refs": [ "url--5914d73c-6dc4-4b59-8b00-bd5202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5914d73c-6dc4-4b59-8b00-bd5202de0b81", "value": "https://www.virustotal.com/file/76b703c9430abf4e0ba09e6d4e4d6cf94a251bb0e7f3fadbd169fcef954a8b39/analysis/1488380532/" }, { "type": "marking-definition", "spec_version": "2.1", "id": 
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }