{ "type": "bundle", "id": "bundle--58a0ae18-4554-4af8-a66b-459802de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-12T18:56:30.000Z", "modified": "2017-02-12T18:56:30.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--58a0ae18-4554-4af8-a66b-459802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-12T18:56:30.000Z", "modified": "2017-02-12T18:56:30.000Z", "name": "OSINT - Attackers target dozens of global banks with new malware", "published": "2017-02-12T18:57:18Z", "object_refs": [ "observed-data--58a0ae24-bedc-4399-8c2d-4fa002de0b81", "url--58a0ae24-bedc-4399-8c2d-4fa002de0b81", "x-misp-attribute--58a0ae39-1e30-42d6-b78a-20e102de0b81", "indicator--58a0ae50-a948-465d-8e9f-20e102de0b81", "indicator--58a0ae6f-1010-4e03-ac4b-419802de0b81", "indicator--58a0ae8a-1364-42e1-82af-4ce102de0b81", "indicator--58a0ae8a-f9ac-4c37-8975-41c102de0b81", "indicator--58a0ae8b-c33c-4d49-b603-4ae702de0b81", "indicator--58a0ae8c-95e0-4ce6-b163-44c302de0b81", "indicator--58a0ae8d-56dc-4075-91bc-473902de0b81", "indicator--58a0aea4-1d00-407f-9c35-20e102de0b81", "indicator--58a0aea5-e9ac-4674-984b-20e102de0b81", "indicator--58a0af48-a1d4-4fa4-8a25-4c9602de0b81", "indicator--58a0af49-97c0-483e-9932-47b602de0b81", "observed-data--58a0af4a-9fc0-4b59-a45f-4c4102de0b81", "url--58a0af4a-9fc0-4b59-a45f-4c4102de0b81", "indicator--58a0af4b-69ac-4337-8996-400402de0b81", "indicator--58a0af4b-4d18-4453-9182-4de602de0b81", "observed-data--58a0af4c-9a04-4f4a-af0e-445802de0b81", "url--58a0af4c-9a04-4f4a-af0e-445802de0b81", "indicator--58a0af4d-b688-4c75-812b-403802de0b81", "indicator--58a0af4e-4d6c-4b97-8c12-476a02de0b81", "observed-data--58a0af4e-a2a8-422f-9ab8-40d902de0b81", "url--58a0af4e-a2a8-422f-9ab8-40d902de0b81", "indicator--58a0af4f-6ad4-4e25-a3f1-4c8302de0b81", "indicator--58a0af50-a848-4477-8bb7-464202de0b81", "observed-data--58a0af51-cfe0-4a6c-a672-4f1202de0b81", "url--58a0af51-cfe0-4a6c-a672-4f1202de0b81", "indicator--58a0af51-c974-4bb5-abeb-40cf02de0b81", "indicator--58a0af52-e68c-47d2-8f47-497a02de0b81", "observed-data--58a0af53-5434-4242-a959-44b602de0b81", "url--58a0af53-5434-4242-a959-44b602de0b81", "indicator--58a0af54-453c-46fb-989c-4af002de0b81", "indicator--58a0af55-442c-4726-bad9-4dd702de0b81", "observed-data--58a0af55-8fb4-4e48-bec2-464b02de0b81", "url--58a0af55-8fb4-4e48-bec2-464b02de0b81", "observed-data--58a0afdd-1758-47f9-a269-447902de0b81", "network-traffic--58a0afdd-1758-47f9-a269-447902de0b81", "ipv4-addr--58a0afdd-1758-47f9-a269-447902de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:threat-actor=\"Lazarus Group\"", "circl:topic=\"finance\"", "veris:action:social:target=\"Finance\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58a0ae24-bedc-4399-8c2d-4fa002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-12T18:53:51.000Z", "modified": "2017-02-12T18:53:51.000Z", "first_observed": "2017-02-12T18:53:51Z", "last_observed": "2017-02-12T18:53:51Z", "number_observed": 1, "object_refs": [ "url--58a0ae24-bedc-4399-8c2d-4fa002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"", "admiralty-scale:source-reliability=\"b\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58a0ae24-bedc-4399-8c2d-4fa002de0b81", "value": "https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware-0" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--58a0ae39-1e30-42d6-b78a-20e102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-12T18:53:51.000Z", "modified": "2017-02-12T18:53:51.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Organizations in 31 countries have been targeted in a new wave of attacks which has been underway since at least October 2016. The attackers used compromised websites or \u00e2\u20ac\u0153watering holes\u00e2\u20ac\u009d to infect pre-selected targets with previously unknown malware. There has been no evidence found yet that funds have been stolen from any infected banks.\r\n\r\nThe attacks came to light when a bank in Poland discovered previously unknown malware running on a number of its computers. The bank then shared indicators of compromise (IOCs) with other institutions and a number of other institutions confirmed that they too had been compromised.\r\n\r\nAs reported, the source of the attack appears to have been the website of the Polish financial regulator. The attackers compromised the website to redirect visitors to an exploit kit which attempted to install malware on selected targets.\r\n\r\nSymantec has blocked attempts to infect customers in Poland, Mexico and Uruguay by the same exploit kit that infected the Polish banks. Since October, 14 attacks against computers in Mexico were blocked, 11 against computers in Uruguay, and two against computers in Poland." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58a0ae50-a948-465d-8e9f-20e102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-12T18:53:51.000Z", "modified": "2017-02-12T18:53:51.000Z", "description": "Backdoor.Destover", "pattern": "[file:hashes.SHA256 = '4fe3c853ab237005f7d62324535dd641e1e095d1615a416a9b39e042f136cf6b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-12T18:53:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58a0ae6f-1010-4e03-ac4b-419802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-12T18:53:51.000Z", "modified": "2017-02-12T18:53:51.000Z", "description": "Hacktool", "pattern": "[file:hashes.SHA256 = 'efa57ca7aa5f42578ab83c9d510393fcf4e981a3eb422197973c65b7415863e7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-12T18:53:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58a0ae8a-1364-42e1-82af-4ce102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-12T18:53:51.000Z", "modified": "2017-02-12T18:53:51.000Z", "description": "Downloader.Ratankba", "pattern": "[file:hashes.SHA256 = '99017270f0af0e499cfeb19409020bfa0c2de741e5b32b9f6a01c34fe13fda7d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-12T18:53:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58a0ae8a-f9ac-4c37-8975-41c102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-12T18:53:51.000Z", "modified": "2017-02-12T18:53:51.000Z", "description": "Downloader.Ratankba", "pattern": "[file:hashes.SHA256 = '825624d8a93c88a811262bd32cc51e19538c5d65f6f9137e30e72c5de4f044cc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-12T18:53:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58a0ae8b-c33c-4d49-b603-4ae702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-12T18:53:51.000Z", "modified": "2017-02-12T18:53:51.000Z", "description": "Downloader.Ratankba", "pattern": "[file:hashes.SHA256 = '200c0f4600e54007cb4707c9727b1171f56c17c80c16c53966535c57ab684e22']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-12T18:53:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58a0ae8c-95e0-4ce6-b163-44c302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-12T18:53:51.000Z", "modified": "2017-02-12T18:53:51.000Z", "description": "Downloader.Ratankba", "pattern": "[file:hashes.SHA256 = '95c8ffe03547bcb0afd4d025fb14908f5230c6dc6fdd16686609681c7f40aca2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-12T18:53:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58a0ae8d-56dc-4075-91bc-473902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-12T18:53:51.000Z", "modified": "2017-02-12T18:53:51.000Z", "description": "Downloader.Ratankba", "pattern": "[file:hashes.SHA256 = '7c77ec259162872bf9ab18f6754e0e844157b31b32b4a746484f444b9f9a3836']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-12T18:53:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58a0aea4-1d00-407f-9c35-20e102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-12T18:53:51.000Z", "modified": "2017-02-12T18:53:51.000Z", "description": "Command and control infrastructure", "pattern": "[domain-name:value = 'eye-watch.in']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-12T18:53:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58a0aea5-e9ac-4674-984b-20e102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-12T18:53:51.000Z", "modified": "2017-02-12T18:53:51.000Z", "description": "Command and control infrastructure", "pattern": "[domain-name:value = 'sap.misapor.ch']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-12T18:53:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58a0af48-a1d4-4fa4-8a25-4c9602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-12T18:54:00.000Z", "modified": "2017-02-12T18:54:00.000Z", "description": "Backdoor.Destover - Xchecked via VT: 4fe3c853ab237005f7d62324535dd641e1e095d1615a416a9b39e042f136cf6b", "pattern": "[file:hashes.SHA1 = '9876f8650d75938f8a2e4fb4df4321cc819d0f58']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-12T18:54:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58a0af49-97c0-483e-9932-47b602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-12T18:54:01.000Z", "modified": "2017-02-12T18:54:01.000Z", "description": "Backdoor.Destover - Xchecked via VT: 4fe3c853ab237005f7d62324535dd641e1e095d1615a416a9b39e042f136cf6b", "pattern": "[file:hashes.MD5 = '7fe80cee04003fed91c02e3a372f4b01']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-12T18:54:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58a0af4a-9fc0-4b59-a45f-4c4102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-12T18:54:02.000Z", "modified": "2017-02-12T18:54:02.000Z", "first_observed": "2017-02-12T18:54:02Z", "last_observed": "2017-02-12T18:54:02Z", "number_observed": 1, "object_refs": [ "url--58a0af4a-9fc0-4b59-a45f-4c4102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58a0af4a-9fc0-4b59-a45f-4c4102de0b81", "value": "https://www.virustotal.com/file/4fe3c853ab237005f7d62324535dd641e1e095d1615a416a9b39e042f136cf6b/analysis/1486115878/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58a0af4b-69ac-4337-8996-400402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-12T18:54:03.000Z", "modified": "2017-02-12T18:54:03.000Z", "description": "Downloader.Ratankba - Xchecked via VT: 99017270f0af0e499cfeb19409020bfa0c2de741e5b32b9f6a01c34fe13fda7d", "pattern": "[file:hashes.SHA1 = '178994ab2d4fc0a32a328e97d7d220c8bbb9150c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-12T18:54:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58a0af4b-4d18-4453-9182-4de602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-12T18:54:03.000Z", "modified": "2017-02-12T18:54:03.000Z", "description": "Downloader.Ratankba - Xchecked via VT: 99017270f0af0e499cfeb19409020bfa0c2de741e5b32b9f6a01c34fe13fda7d", "pattern": "[file:hashes.MD5 = '1f7897b041a812f96f1925138ea38c46']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-12T18:54:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58a0af4c-9a04-4f4a-af0e-445802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-12T18:54:04.000Z", "modified": "2017-02-12T18:54:04.000Z", "first_observed": "2017-02-12T18:54:04Z", "last_observed": "2017-02-12T18:54:04Z", "number_observed": 1, "object_refs": [ "url--58a0af4c-9a04-4f4a-af0e-445802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58a0af4c-9a04-4f4a-af0e-445802de0b81", "value": "https://www.virustotal.com/file/99017270f0af0e499cfeb19409020bfa0c2de741e5b32b9f6a01c34fe13fda7d/analysis/1486354947/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58a0af4d-b688-4c75-812b-403802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-12T18:54:05.000Z", "modified": "2017-02-12T18:54:05.000Z", "description": "Downloader.Ratankba - Xchecked via VT: 825624d8a93c88a811262bd32cc51e19538c5d65f6f9137e30e72c5de4f044cc", "pattern": "[file:hashes.SHA1 = '09c1756064f15fcdd29ff8f239b3d5dcc22ac492']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-12T18:54:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58a0af4e-4d6c-4b97-8c12-476a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-12T18:54:06.000Z", "modified": "2017-02-12T18:54:06.000Z", "description": "Downloader.Ratankba - Xchecked via VT: 825624d8a93c88a811262bd32cc51e19538c5d65f6f9137e30e72c5de4f044cc", "pattern": "[file:hashes.MD5 = '911de8d67af652a87415f8c0a30688b2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-12T18:54:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58a0af4e-a2a8-422f-9ab8-40d902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-12T18:54:06.000Z", "modified": "2017-02-12T18:54:06.000Z", "first_observed": "2017-02-12T18:54:06Z", "last_observed": "2017-02-12T18:54:06Z", "number_observed": 1, "object_refs": [ "url--58a0af4e-a2a8-422f-9ab8-40d902de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58a0af4e-a2a8-422f-9ab8-40d902de0b81", "value": "https://www.virustotal.com/file/825624d8a93c88a811262bd32cc51e19538c5d65f6f9137e30e72c5de4f044cc/analysis/1486355454/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58a0af4f-6ad4-4e25-a3f1-4c8302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-12T18:54:07.000Z", "modified": "2017-02-12T18:54:07.000Z", "description": "Downloader.Ratankba - Xchecked via VT: 200c0f4600e54007cb4707c9727b1171f56c17c80c16c53966535c57ab684e22", "pattern": "[file:hashes.SHA1 = '97a3698ffffdb63df79faeaf58169f9755db1f90']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-12T18:54:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58a0af50-a848-4477-8bb7-464202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-12T18:54:08.000Z", "modified": "2017-02-12T18:54:08.000Z", "description": "Downloader.Ratankba - Xchecked via VT: 200c0f4600e54007cb4707c9727b1171f56c17c80c16c53966535c57ab684e22", "pattern": "[file:hashes.MD5 = '1507e7a741367745425e0530e23768e6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-12T18:54:08Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58a0af51-cfe0-4a6c-a672-4f1202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-12T18:54:09.000Z", "modified": "2017-02-12T18:54:09.000Z", "first_observed": "2017-02-12T18:54:09Z", "last_observed": "2017-02-12T18:54:09Z", "number_observed": 1, "object_refs": [ "url--58a0af51-cfe0-4a6c-a672-4f1202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58a0af51-cfe0-4a6c-a672-4f1202de0b81", "value": "https://www.virustotal.com/file/200c0f4600e54007cb4707c9727b1171f56c17c80c16c53966535c57ab684e22/analysis/1486354903/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58a0af51-c974-4bb5-abeb-40cf02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-12T18:54:09.000Z", "modified": "2017-02-12T18:54:09.000Z", "description": "Downloader.Ratankba - Xchecked via VT: 95c8ffe03547bcb0afd4d025fb14908f5230c6dc6fdd16686609681c7f40aca2", "pattern": "[file:hashes.SHA1 = '2c6c244b3858ce06a0b646ae386f65e69ae5c046']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-12T18:54:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58a0af52-e68c-47d2-8f47-497a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-12T18:54:10.000Z", "modified": "2017-02-12T18:54:10.000Z", "description": "Downloader.Ratankba - Xchecked via VT: 95c8ffe03547bcb0afd4d025fb14908f5230c6dc6fdd16686609681c7f40aca2", "pattern": "[file:hashes.MD5 = 'cb52c013f7af0219d45953bae663c9a2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-12T18:54:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58a0af53-5434-4242-a959-44b602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-12T18:54:11.000Z", "modified": "2017-02-12T18:54:11.000Z", "first_observed": "2017-02-12T18:54:11Z", "last_observed": "2017-02-12T18:54:11Z", "number_observed": 1, "object_refs": [ "url--58a0af53-5434-4242-a959-44b602de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58a0af53-5434-4242-a959-44b602de0b81", "value": "https://www.virustotal.com/file/95c8ffe03547bcb0afd4d025fb14908f5230c6dc6fdd16686609681c7f40aca2/analysis/1486356061/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58a0af54-453c-46fb-989c-4af002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-12T18:54:12.000Z", "modified": "2017-02-12T18:54:12.000Z", "description": "Downloader.Ratankba - Xchecked via VT: 7c77ec259162872bf9ab18f6754e0e844157b31b32b4a746484f444b9f9a3836", "pattern": "[file:hashes.SHA1 = 'da967dc59a7b61aeaeaee380b2c147c5bb1b3bc5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-12T18:54:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58a0af55-442c-4726-bad9-4dd702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-12T18:54:13.000Z", "modified": "2017-02-12T18:54:13.000Z", "description": "Downloader.Ratankba - Xchecked via VT: 7c77ec259162872bf9ab18f6754e0e844157b31b32b4a746484f444b9f9a3836", "pattern": "[file:hashes.MD5 = '18a451d70f96a1335623b385f0993bcc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-02-12T18:54:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58a0af55-8fb4-4e48-bec2-464b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-12T18:54:13.000Z", "modified": "2017-02-12T18:54:13.000Z", "first_observed": "2017-02-12T18:54:13Z", "last_observed": "2017-02-12T18:54:13Z", "number_observed": 1, "object_refs": [ "url--58a0af55-8fb4-4e48-bec2-464b02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58a0af55-8fb4-4e48-bec2-464b02de0b81", "value": "https://www.virustotal.com/file/7c77ec259162872bf9ab18f6754e0e844157b31b32b4a746484f444b9f9a3836/analysis/1486760308/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58a0afdd-1758-47f9-a269-447902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-02-12T18:56:29.000Z", "modified": "2017-02-12T18:56:29.000Z", "first_observed": "2017-02-12T18:56:29Z", "last_observed": "2017-02-12T18:56:29Z", "number_observed": 1, "object_refs": [ "network-traffic--58a0afdd-1758-47f9-a269-447902de0b81", "ipv4-addr--58a0afdd-1758-47f9-a269-447902de0b81" ], "labels": [ "misp:type=\"ip-src\"", "misp:category=\"Network activity\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--58a0afdd-1758-47f9-a269-447902de0b81", "src_ref": "ipv4-addr--58a0afdd-1758-47f9-a269-447902de0b81", "protocols": [ "tcp" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--58a0afdd-1758-47f9-a269-447902de0b81", "value": "54.235.197.176" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }