{ "type": "bundle", "id": "bundle--5948c00e-8440-4137-9952-a922950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-20T06:44:06.000Z", "modified": "2017-06-20T06:44:06.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5948c00e-8440-4137-9952-a922950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-20T06:44:06.000Z", "modified": "2017-06-20T06:44:06.000Z", "name": "OSINT - McAfee Discovers Pinkslipbot Exploiting Infected Machines as Control Servers; Releases Free Tool to Detect, Disable Trojan", "published": "2017-06-20T08:03:23Z", "object_refs": [ "x-misp-attribute--5948c01e-5cd4-40b5-ac70-41e5950d210f", "observed-data--5948c02a-1448-47b2-a635-a8a6950d210f", "url--5948c02a-1448-47b2-a635-a8a6950d210f", "indicator--5948c03c-c7b0-4892-a21a-4510950d210f", "indicator--5948c03c-9cb4-4ad8-8426-4e9b950d210f", "indicator--5948c048-b978-4ded-8d45-a8a6950d210f", "indicator--5948c048-4fbc-4cfc-9656-a8a6950d210f", "indicator--5948c048-d744-4618-aefa-a8a6950d210f", "indicator--5948c080-02e0-41ff-8840-43e6950d210f", "indicator--5948c080-f950-44f1-bd9e-460b950d210f", "indicator--5948c080-3e10-492e-a85b-4b99950d210f", "indicator--5948c080-7620-4a6f-a9c1-4916950d210f", "indicator--5948c1df-8824-4967-96d5-40d902de0b81", "indicator--5948c1df-c12c-42db-b424-46f002de0b81", "observed-data--5948c1df-9fa4-4268-a4f1-45f802de0b81", "url--5948c1df-9fa4-4268-a4f1-45f802de0b81", "indicator--5948c1df-2078-4d5e-9b04-436302de0b81", "indicator--5948c1df-2cd0-4953-9158-4f4202de0b81", "observed-data--5948c1df-80d0-4d6c-95b3-486e02de0b81", "url--5948c1df-80d0-4d6c-95b3-486e02de0b81", "indicator--5948c1df-fb74-4e22-8fa4-447902de0b81", "indicator--5948c1df-5098-4512-9ecc-4cb802de0b81", "observed-data--5948c1df-bb38-4800-8ceb-464002de0b81", "url--5948c1df-bb38-4800-8ceb-464002de0b81", "indicator--5948c1df-bad0-4298-9deb-47bd02de0b81", "indicator--5948c1df-c0a8-417d-9604-44eb02de0b81", "observed-data--5948c1df-b440-4f96-a30d-498c02de0b81", "url--5948c1df-b440-4f96-a30d-498c02de0b81", "indicator--5948c1df-1810-4198-81c6-4b3102de0b81", "indicator--5948c1df-261c-4bd6-857c-400d02de0b81", "observed-data--5948c1df-85cc-494c-9319-435e02de0b81", "url--5948c1df-85cc-494c-9319-435e02de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:tool=\"Akbot\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5948c01e-5cd4-40b5-ac70-41e5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-20T06:34:07.000Z", "modified": "2017-06-20T06:34:07.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "McAfee Labs has discovered that banking malware Pinkslipbot (also known as QakBot/QBot) has used infected machines as control servers since April 2016, even after its capability to steal personal and financial data from the infected machine has been removed by a security product. These include home users whose computers are usually behind a network address translation router. To do so, Pinkslipbot uses universal plug and play (UPnP) to open ports, allowing incoming connections from anyone on the Internet to communicate with the infected machine. As far as we know, Pinkslipbot is the first malware to use infected machines as HTTPS-based control servers and the second executable-based malware to use UPnP for port forwarding after the infamous W32/Conficker worm in 2008.\r\nPinkslipbot is a notorious banking-credential harvester that has been active since 2007. It primarily targets users and enterprises located within the United States and includes components for password stealers, keyloggers, and man-in-the-browser attacks that are used as vectors to steal various kinds of information\u00e2\u20ac\u201dincluding credit cards, social security numbers, online account credentials, email passwords, digital certificates, etc. Pinkslipbot controls a large botnet of more than 500,000 infected machines and steals over a half-million records every day. As a result, this malware has been documented extensively by the antimalware industry. The malware authors are clearly benefiting from Pinkslipbot; they have maintained the code base since 2007 and regularly add new features to it." }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5948c02a-1448-47b2-a635-a8a6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-20T06:34:07.000Z", "modified": "2017-06-20T06:34:07.000Z", "first_observed": "2017-06-20T06:34:07Z", "last_observed": "2017-06-20T06:34:07Z", "number_observed": 1, "object_refs": [ "url--5948c02a-1448-47b2-a635-a8a6950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5948c02a-1448-47b2-a635-a8a6950d210f", "value": "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-discovers-pinkslipbot-exploiting-infected-machines-as-control-servers-releases-free-tool-to-detect-disable-trojan/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5948c03c-c7b0-4892-a21a-4510950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-20T06:34:07.000Z", "modified": "2017-06-20T06:34:07.000Z", "description": "Proxy component droppers", "pattern": "[file:hashes.SHA256 = '22cf76f92aad53db1304dec026b834ad77d2272c7f2eaaabf299e953b98d570e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-20T06:34:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5948c03c-9cb4-4ad8-8426-4e9b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-20T06:34:07.000Z", "modified": "2017-06-20T06:34:07.000Z", "description": "Proxy component droppers", "pattern": "[file:hashes.SHA256 = 'c23fe9f3a3035edb6fa306c7545cfd05bb310d85983dda5914cd9650c13b41d3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-20T06:34:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5948c048-b978-4ded-8d45-a8a6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-20T06:34:07.000Z", "modified": "2017-06-20T06:34:07.000Z", "description": "Proxy component DLL (internal name: supernode_con.dll)", "pattern": "[file:hashes.SHA256 = '730e9864795ed8d6538064551ab95505dff3e92dd67888bee323cb341b2420c6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-20T06:34:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5948c048-4fbc-4cfc-9656-a8a6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-20T06:34:07.000Z", "modified": "2017-06-20T06:34:07.000Z", "description": "Proxy component DLL (internal name: supernode_con.dll)", "pattern": "[file:hashes.SHA256 = 'af25c5bed96e046ba1e25749ff51f0d8437a1ef66e469b4fd0348e372abc2f7f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-20T06:34:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5948c048-d744-4618-aefa-a8a6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-20T06:34:07.000Z", "modified": "2017-06-20T06:34:07.000Z", "description": "Proxy component DLL (internal name: supernode_con.dll)", "pattern": "[file:hashes.SHA256 = '6d174dd4f29da814170e8f7c40ecd80794e1c27d8d94741a79bd1bd6eb75ea62']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-20T06:34:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5948c080-02e0-41ff-8840-43e6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-20T06:34:07.000Z", "modified": "2017-06-20T06:34:07.000Z", "pattern": "[file:name = '\\\\%APPDATA\\\\%\\\\HardwareMonitor\\\\hardwaremonitor.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-20T06:34:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5948c080-f950-44f1-bd9e-460b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-20T06:34:07.000Z", "modified": "2017-06-20T06:34:07.000Z", "pattern": "[file:name = '\\\\%ALLUSERSPROFILE\\\\%\\\\HardwareMonitor\\\\hardwaremonitor.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-20T06:34:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5948c080-3e10-492e-a85b-4b99950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-20T06:34:07.000Z", "modified": "2017-06-20T06:34:07.000Z", "pattern": "[file:name = '\\\\%APPDATA\\\\%\\\\HardwareMonitor\\\\hardwaremonitor.ini']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-20T06:34:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5948c080-7620-4a6f-a9c1-4916950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-20T06:34:07.000Z", "modified": "2017-06-20T06:34:07.000Z", "pattern": "[file:name = '\\\\%ALLUSERSPROFILE\\\\%\\\\HardwareMonitor\\\\hardwaremonitor.ini']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-20T06:34:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5948c1df-8824-4967-96d5-40d902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-20T06:34:07.000Z", "modified": "2017-06-20T06:34:07.000Z", "description": "Proxy component DLL (internal name: supernode_con.dll) - Xchecked via VT: 6d174dd4f29da814170e8f7c40ecd80794e1c27d8d94741a79bd1bd6eb75ea62", "pattern": "[file:hashes.SHA1 = '61979d13bb058424ce585a867148a4cda91c0998']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-20T06:34:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5948c1df-c12c-42db-b424-46f002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-20T06:34:07.000Z", "modified": "2017-06-20T06:34:07.000Z", "description": "Proxy component DLL (internal name: supernode_con.dll) - Xchecked via VT: 6d174dd4f29da814170e8f7c40ecd80794e1c27d8d94741a79bd1bd6eb75ea62", "pattern": "[file:hashes.MD5 = 'cebfd6d9b0290f933d95be059ea9342c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-20T06:34:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5948c1df-9fa4-4268-a4f1-45f802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-20T06:34:07.000Z", "modified": "2017-06-20T06:34:07.000Z", "first_observed": "2017-06-20T06:34:07Z", "last_observed": "2017-06-20T06:34:07Z", "number_observed": 1, "object_refs": [ "url--5948c1df-9fa4-4268-a4f1-45f802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5948c1df-9fa4-4268-a4f1-45f802de0b81", "value": "https://www.virustotal.com/file/6d174dd4f29da814170e8f7c40ecd80794e1c27d8d94741a79bd1bd6eb75ea62/analysis/1497765996/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5948c1df-2078-4d5e-9b04-436302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-20T06:34:07.000Z", "modified": "2017-06-20T06:34:07.000Z", "description": "Proxy component DLL (internal name: supernode_con.dll) - Xchecked via VT: af25c5bed96e046ba1e25749ff51f0d8437a1ef66e469b4fd0348e372abc2f7f", "pattern": "[file:hashes.SHA1 = '8fb933995998728aa86da88f7a3b9189412abcdf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-20T06:34:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5948c1df-2cd0-4953-9158-4f4202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-20T06:34:07.000Z", "modified": "2017-06-20T06:34:07.000Z", "description": "Proxy component DLL (internal name: supernode_con.dll) - Xchecked via VT: af25c5bed96e046ba1e25749ff51f0d8437a1ef66e469b4fd0348e372abc2f7f", "pattern": "[file:hashes.MD5 = '91e7262e72ba0cb3e71e00f540ab9f73']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-20T06:34:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5948c1df-80d0-4d6c-95b3-486e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-20T06:34:07.000Z", "modified": "2017-06-20T06:34:07.000Z", "first_observed": "2017-06-20T06:34:07Z", "last_observed": "2017-06-20T06:34:07Z", "number_observed": 1, "object_refs": [ "url--5948c1df-80d0-4d6c-95b3-486e02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5948c1df-80d0-4d6c-95b3-486e02de0b81", "value": "https://www.virustotal.com/file/af25c5bed96e046ba1e25749ff51f0d8437a1ef66e469b4fd0348e372abc2f7f/analysis/1497666460/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5948c1df-fb74-4e22-8fa4-447902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-20T06:34:07.000Z", "modified": "2017-06-20T06:34:07.000Z", "description": "Proxy component DLL (internal name: supernode_con.dll) - Xchecked via VT: 730e9864795ed8d6538064551ab95505dff3e92dd67888bee323cb341b2420c6", "pattern": "[file:hashes.SHA1 = '48e7f341d2a887fcbb2974c57f7269ec00c29c85']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-20T06:34:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5948c1df-5098-4512-9ecc-4cb802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-20T06:34:07.000Z", "modified": "2017-06-20T06:34:07.000Z", "description": "Proxy component DLL (internal name: supernode_con.dll) - Xchecked via VT: 730e9864795ed8d6538064551ab95505dff3e92dd67888bee323cb341b2420c6", "pattern": "[file:hashes.MD5 = '72e300fd8a27d1d8afc42dd4b47f7a42']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-20T06:34:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5948c1df-bb38-4800-8ceb-464002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-20T06:34:07.000Z", "modified": "2017-06-20T06:34:07.000Z", "first_observed": "2017-06-20T06:34:07Z", "last_observed": "2017-06-20T06:34:07Z", "number_observed": 1, "object_refs": [ "url--5948c1df-bb38-4800-8ceb-464002de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5948c1df-bb38-4800-8ceb-464002de0b81", "value": "https://www.virustotal.com/file/730e9864795ed8d6538064551ab95505dff3e92dd67888bee323cb341b2420c6/analysis/1497666456/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5948c1df-bad0-4298-9deb-47bd02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-20T06:34:07.000Z", "modified": "2017-06-20T06:34:07.000Z", "description": "Proxy component droppers - Xchecked via VT: c23fe9f3a3035edb6fa306c7545cfd05bb310d85983dda5914cd9650c13b41d3", "pattern": "[file:hashes.SHA1 = '56d9dfe06b3847d99c30ce0a8b527e2572eb8d06']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-20T06:34:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5948c1df-c0a8-417d-9604-44eb02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-20T06:34:07.000Z", "modified": "2017-06-20T06:34:07.000Z", "description": "Proxy component droppers - Xchecked via VT: c23fe9f3a3035edb6fa306c7545cfd05bb310d85983dda5914cd9650c13b41d3", "pattern": "[file:hashes.MD5 = 'e8e32892204adc612fdcfbc73abd60a0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-20T06:34:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5948c1df-b440-4f96-a30d-498c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-20T06:34:07.000Z", "modified": "2017-06-20T06:34:07.000Z", "first_observed": "2017-06-20T06:34:07Z", "last_observed": "2017-06-20T06:34:07Z", "number_observed": 1, "object_refs": [ "url--5948c1df-b440-4f96-a30d-498c02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5948c1df-b440-4f96-a30d-498c02de0b81", "value": "https://www.virustotal.com/file/c23fe9f3a3035edb6fa306c7545cfd05bb310d85983dda5914cd9650c13b41d3/analysis/1497316605/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5948c1df-1810-4198-81c6-4b3102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-20T06:34:07.000Z", "modified": "2017-06-20T06:34:07.000Z", "description": "Proxy component droppers - Xchecked via VT: 22cf76f92aad53db1304dec026b834ad77d2272c7f2eaaabf299e953b98d570e", "pattern": "[file:hashes.SHA1 = 'c60a05988932f64e60e8482523043f9aded610c7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-20T06:34:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5948c1df-261c-4bd6-857c-400d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-20T06:34:07.000Z", "modified": "2017-06-20T06:34:07.000Z", "description": "Proxy component droppers - Xchecked via VT: 22cf76f92aad53db1304dec026b834ad77d2272c7f2eaaabf299e953b98d570e", "pattern": "[file:hashes.MD5 = '80b6422d6edd2efb3bdc8751ae94efe9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-06-20T06:34:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5948c1df-85cc-494c-9319-435e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-20T06:34:07.000Z", "modified": "2017-06-20T06:34:07.000Z", "first_observed": "2017-06-20T06:34:07Z", "last_observed": "2017-06-20T06:34:07Z", "number_observed": 1, "object_refs": [ "url--5948c1df-85cc-494c-9319-435e02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5948c1df-85cc-494c-9319-435e02de0b81", "value": "https://www.virustotal.com/file/22cf76f92aad53db1304dec026b834ad77d2272c7f2eaaabf299e953b98d570e/analysis/1497898598/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }