{ "type": "bundle", "id": "bundle--59a0220c-51e8-48f3-8812-8192950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:12.000Z", "modified": "2017-08-25T13:27:12.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "grouping", "spec_version": "2.1", "id": "grouping--59a0220c-51e8-48f3-8812-8192950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:12.000Z", "modified": "2017-08-25T13:27:12.000Z", "name": "OSINT - \u201cTick\u201d Group Continues Attacks", "context": "suspicious-activity", "object_refs": [ "observed-data--59a0221a-ef98-492f-a41f-7fe0950d210f", "url--59a0221a-ef98-492f-a41f-7fe0950d210f", "x-misp-attribute--59a02236-ddb0-47c8-95b4-db90950d210f", "indicator--59a02292-f024-4763-a91a-d9c4950d210f", "indicator--59a02292-44e8-4d6f-8ffb-d9c4950d210f", "indicator--59a02292-db5c-46a6-8d0d-d9c4950d210f", "indicator--59a02292-3e08-487c-bf2e-d9c4950d210f", "indicator--59a02292-c580-4a84-83a2-d9c4950d210f", "indicator--59a02292-9a34-4d31-a50a-d9c4950d210f", "indicator--59a02342-c370-4577-a8ec-d9c2950d210f", "indicator--59a02342-35b0-4722-8936-d9c2950d210f", "indicator--59a02342-7000-46ab-b384-d9c2950d210f", "indicator--59a02342-55a4-4df9-b078-d9c2950d210f", "indicator--59a02342-0520-402f-8750-d9c2950d210f", "indicator--59a02342-6698-4bcb-8e08-d9c2950d210f", "indicator--59a02342-fab4-489a-95ad-d9c2950d210f", "indicator--59a02342-aa28-4cb7-8520-d9c2950d210f", "indicator--59a02342-e728-40da-ab8e-d9c2950d210f", "indicator--59a02342-baf0-4747-85a6-d9c2950d210f", "indicator--59a02342-22cc-4ea0-93c1-d9c2950d210f", "indicator--59a02342-41e4-4077-8f36-d9c2950d210f", "indicator--59a02342-7dac-4b2b-a355-d9c2950d210f", "indicator--59a02342-f680-47a4-8497-d9c2950d210f", "indicator--59a02342-cd3c-4920-a97c-d9c2950d210f", "indicator--59a02393-ec70-4b26-927e-4d01950d210f", 
"indicator--59a02393-7574-4cf5-9e2c-47d3950d210f", "indicator--59a023ab-cc18-4bbc-9627-d9c1950d210f", "indicator--59a023ab-3fdc-44c0-b218-d9c1950d210f", "indicator--59a023ab-238c-4e0d-9e77-d9c1950d210f", "indicator--59a023b8-74e0-4df6-8c52-43b7950d210f", "indicator--59a023b9-fdf0-45e4-94dc-4ccc950d210f", "indicator--59a023b9-977c-4501-9392-4376950d210f", "indicator--59a023b9-d44c-46c6-b391-44bd950d210f", "indicator--59a023b9-2698-494f-b7f0-4272950d210f", "indicator--59a023b9-8650-42f4-9d9e-4302950d210f", "indicator--59a023b9-68a4-4742-bcc0-44b9950d210f", "indicator--59a023b9-2190-4dfc-bcd1-46ed950d210f", "indicator--59a025a9-5dcc-4e07-aa39-dd3702de0b81", "indicator--59a025a9-de30-4f19-ac6e-dd3702de0b81", "observed-data--59a025a9-b4a8-4acb-9dd5-dd3702de0b81", "url--59a025a9-b4a8-4acb-9dd5-dd3702de0b81", "indicator--59a025a9-1840-4efe-ae94-dd3702de0b81", "indicator--59a025a9-ebd8-4b34-8849-dd3702de0b81", "observed-data--59a025a9-8b7c-4219-aca3-dd3702de0b81", "url--59a025a9-8b7c-4219-aca3-dd3702de0b81", "indicator--59a025a9-d124-4f1f-b965-dd3702de0b81", "indicator--59a025a9-a518-4cd3-865b-dd3702de0b81", "observed-data--59a025a9-6be0-40fc-a248-dd3702de0b81", "url--59a025a9-6be0-40fc-a248-dd3702de0b81", "indicator--59a025a9-3104-4434-ba22-dd3702de0b81", "indicator--59a025a9-9548-4dcd-9ebe-dd3702de0b81", "observed-data--59a025a9-d108-46f6-808d-dd3702de0b81", "url--59a025a9-d108-46f6-808d-dd3702de0b81", "indicator--59a025a9-bc40-4922-8375-dd3702de0b81", "indicator--59a025a9-6128-4527-b4f0-dd3702de0b81", "observed-data--59a025a9-4e30-4986-b6ac-dd3702de0b81", "url--59a025a9-4e30-4986-b6ac-dd3702de0b81", "indicator--59a025a9-ed3c-4635-8ded-dd3702de0b81", "indicator--59a025a9-9fa0-4eac-ae0e-dd3702de0b81", "observed-data--59a025a9-ba74-4d1c-be4e-dd3702de0b81", "url--59a025a9-ba74-4d1c-be4e-dd3702de0b81", "indicator--59a025a9-3240-4992-a4ce-dd3702de0b81", "indicator--59a025a9-fc9c-4f10-b5e7-dd3702de0b81", "observed-data--59a025a9-d184-4b9d-9f4d-dd3702de0b81", 
"url--59a025a9-d184-4b9d-9f4d-dd3702de0b81", "indicator--59a025a9-1818-491c-b754-dd3702de0b81", "indicator--59a025a9-0150-4332-b565-dd3702de0b81", "observed-data--59a025a9-cd18-48a2-8471-dd3702de0b81", "url--59a025a9-cd18-48a2-8471-dd3702de0b81", "indicator--59a025a9-b650-476f-b889-dd3702de0b81", "indicator--59a025a9-c5d0-4153-a989-dd3702de0b81", "observed-data--59a025a9-023c-43d6-9177-dd3702de0b81", "url--59a025a9-023c-43d6-9177-dd3702de0b81", "indicator--59a025a9-6848-4e61-8f53-dd3702de0b81", "indicator--59a025a9-dd24-4ade-9898-dd3702de0b81", "observed-data--59a025a9-a488-410d-b2fb-dd3702de0b81", "url--59a025a9-a488-410d-b2fb-dd3702de0b81", "indicator--59a025a9-8384-49d9-9b0b-dd3702de0b81", "indicator--59a025a9-ef34-4242-9eb4-dd3702de0b81", "observed-data--59a025a9-f37c-447c-b49c-dd3702de0b81", "url--59a025a9-f37c-447c-b49c-dd3702de0b81", "indicator--59a025a9-6088-4ae8-858f-dd3702de0b81", "indicator--59a025a9-f674-4823-a4c4-dd3702de0b81", "observed-data--59a025a9-d78c-458d-b0ae-dd3702de0b81", "url--59a025a9-d78c-458d-b0ae-dd3702de0b81", "indicator--59a025a9-f150-425a-9f96-dd3702de0b81", "indicator--59a025a9-9dc0-4492-90a5-dd3702de0b81", "observed-data--59a025a9-edc8-47cd-999d-dd3702de0b81", "url--59a025a9-edc8-47cd-999d-dd3702de0b81", "indicator--59a025a9-efa8-4a2d-872d-dd3702de0b81", "indicator--59a025a9-4b84-4680-b393-dd3702de0b81", "observed-data--59a025a9-399c-4616-aecf-dd3702de0b81", "url--59a025a9-399c-4616-aecf-dd3702de0b81", "indicator--59a025a9-e5cc-45e4-af56-dd3702de0b81", "indicator--59a025a9-ddc4-4358-9c8f-dd3702de0b81", "observed-data--59a025a9-b5e0-4e34-9b8a-dd3702de0b81", "url--59a025a9-b5e0-4e34-9b8a-dd3702de0b81", "indicator--59a025a9-7dc0-4bd6-9b64-dd3702de0b81", "indicator--59a025a9-9c7c-4fd6-8363-dd3702de0b81", "observed-data--59a025a9-b4f8-40df-8638-dd3702de0b81", "url--59a025a9-b4f8-40df-8638-dd3702de0b81", "indicator--59a025a9-809c-4b65-ac7b-dd3702de0b81", "indicator--59a025a9-96f0-47eb-ac81-dd3702de0b81", 
"observed-data--59a025a9-0e88-4de3-adae-dd3702de0b81", "url--59a025a9-0e88-4de3-adae-dd3702de0b81", "indicator--59a025a9-75b8-4d2f-b685-dd3702de0b81", "indicator--59a025a9-5904-4561-bd14-dd3702de0b81", "observed-data--59a025a9-75b4-4d3d-8c19-dd3702de0b81", "url--59a025a9-75b4-4d3d-8c19-dd3702de0b81", "indicator--59a025a9-0138-493b-9fd8-dd3702de0b81", "indicator--59a025a9-8ef0-4341-a183-dd3702de0b81", "observed-data--59a025a9-2d10-43f9-8529-dd3702de0b81", "url--59a025a9-2d10-43f9-8529-dd3702de0b81", "indicator--59a025a9-e0ac-48fa-9844-dd3702de0b81", "indicator--59a025a9-29a4-4994-a328-dd3702de0b81", "observed-data--59a025a9-d468-4905-8b79-dd3702de0b81", "url--59a025a9-d468-4905-8b79-dd3702de0b81", "indicator--59a025a9-9c88-4724-913c-dd3702de0b81", "indicator--59a025a9-fe50-46cf-acde-dd3702de0b81", "observed-data--59a025a9-77ec-4843-9820-dd3702de0b81", "url--59a025a9-77ec-4843-9820-dd3702de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "osint:source-type=\"blog-post\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a0221a-ef98-492f-a41f-7fe0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "first_observed": "2017-08-25T13:27:04Z", "last_observed": "2017-08-25T13:27:04Z", "number_observed": 1, "object_refs": [ "url--59a0221a-ef98-492f-a41f-7fe0950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a0221a-ef98-492f-a41f-7fe0950d210f", "value": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--59a02236-ddb0-47c8-95b4-db90950d210f", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "The \u201cTick\u201d group has conducted cyber espionage attacks against organizations in the Republic of Korea and Japan for several years. The group focuses on companies that have intellectual property or sensitive information like those in the Defense and High-Tech industries. The group is known to use custom malware called Daserf, but also employs multiple commodity and custom tools, exploits vulnerabilities, and uses social engineering techniques.\r\n\r\nRegarding the command and control (C2) infrastructure, Tick previously used domains registered through privacy protection services to keep their anonymity, but have moved to compromised websites in recent attacks. With multiple tools and anonymous infrastructure, they are running longstanding and persistent attack campaigns. We have observed that the adversary has repeatedly attacked a high-profile target in Japan using multiple malware families for the last three years." 
}, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a02292-f024-4763-a91a-d9c4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "description": "Daserf", "pattern": "[file:hashes.SHA256 = '04080fbab754dbf0c7529f8bbe661afef9c2cba74e3797428538ed5c243d705a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a02292-44e8-4d6f-8ffb-d9c4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "description": "Daserf", "pattern": "[file:hashes.SHA256 = 'f8458a0711653071bf59a3153293771a6fb5d1de9af7ea814de58f473cba9d06']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a02292-db5c-46a6-8d0d-d9c4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "description": "Daserf", "pattern": "[file:hashes.SHA256 = 'e8edde4519763bb6669ba99e33b4803a7655805b8c3475b49af0a49913577e51']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", 
"misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a02292-3e08-487c-bf2e-d9c4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "description": "Daserf", "pattern": "[file:hashes.SHA256 = '21111136d523970e27833dd2db15d7c50803d8f6f4f377d4d9602ba9fbd355cd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a02292-c580-4a84-83a2-d9c4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "description": "Daserf", "pattern": "[file:hashes.SHA256 = '9c7a34390e92d4551c26a3feb5b181757b3309995acd1f92e0f63f888aa89423']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a02292-9a34-4d31-a50a-d9c4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "description": "Daserf", "pattern": "[file:hashes.SHA256 = '01d681c51ad0c7c3d4b320973c61c28a353624ac665fd390553b364d17911f46']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload 
delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a02342-c370-4577-a8ec-d9c2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "description": "Invader", "pattern": "[file:hashes.SHA256 = '0df20ccd074b722d5fe1358b329c7bdebcd7e3902a1ca4ca8d5a98cc5ce4c287']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a02342-35b0-4722-8936-d9c2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "description": "Invader", "pattern": "[file:hashes.SHA256 = 'e9574627349aeb7dd7f5b9f9c5ede7faa06511d7fdf98804526ca1b2e7ce127e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a02342-7000-46ab-b384-d9c2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "description": "Invader", "pattern": "[file:hashes.SHA256 = '57e1d3122e6dc88d9eb2989f081de88a0e6864e767281d509ff58834928895fb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", 
"misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a02342-55a4-4df9-b078-d9c2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "description": "9002", "pattern": "[file:hashes.SHA256 = '933d66b43b3ce9a572ee3127b255b4baf69d6fdd7cb24da609b52ee277baa76e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a02342-0520-402f-8750-d9c2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "description": "9002", "pattern": "[file:hashes.SHA256 = '2bec20540d200758a223a7e8f7b2f98cd4949e106c1907d3f194216208c5b2fe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a02342-6698-4bcb-8e08-d9c2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "description": "9002", "pattern": "[file:hashes.SHA256 = '055fe8002de293401852310ae76cb730c570f2037c3c832a52a79b70e2cb7831']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", 
"misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a02342-fab4-489a-95ad-d9c2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "description": "Minzen", "pattern": "[file:hashes.SHA256 = '797d9c00022eaa2f86ddc9374f60d7ad92128ca07204b3e2fe791c08da9ce2b1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a02342-aa28-4cb7-8520-d9c2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "description": "Minzen", "pattern": "[file:hashes.SHA256 = '9374040a9e2f47f7037edaac19f21ff1ef6a999ff98c306504f89a37196074a2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a02342-e728-40da-ab8e-d9c2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "description": "Minzen", "pattern": "[file:hashes.SHA256 = '26727d139b593486237b975e7bdf93a8148c52d5fb48d5fe540a634a16a6ba82']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ 
"misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a02342-baf0-4747-85a6-d9c2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "description": "NamelessHdoor", "pattern": "[file:hashes.SHA256 = 'dfc8a6da93481e9dab767c8b42e2ffbcd08fb813123c91b723a6e6d70196636f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a02342-22cc-4ea0-93c1-d9c2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "description": "Gh0stRAt Downloader", "pattern": "[file:hashes.SHA256 = 'ce47e7827da145823a6f2b755975d1d2f5eda045b4c542c9b9d05544f3a9b974']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a02342-41e4-4077-8f36-d9c2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "description": "Gh0stRAt Downloader", "pattern": "[file:hashes.SHA256 = 'e34f4a9c598ad3bb243cb39969fb9509427ff9c08e63e8811ad26b72af046f0c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", 
"phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a02342-7dac-4b2b-a355-d9c2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "description": "Custom Gh0st", "pattern": "[file:hashes.SHA256 = '8e5a0a5f733f62712b840e7f5051a2bd68508ea207e582a190c8947a06e26f40']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a02342-f680-47a4-8497-d9c2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "description": "Datper", "pattern": "[file:hashes.SHA256 = '7d70d659c421b50604ce3e0a1bf423ab7e54b9df361360933bac3bb852a31849']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a02342-cd3c-4920-a97c-d9c2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "description": "HomamDownloader", "pattern": "[file:hashes.SHA256 = 'a624d2cd6dee3b6150df3ca61ee0f992e2d6b08b3107f5b00f8bf8bcfe07ebe7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:04Z", "kill_chain_phases": [ { 
"kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a02393-ec70-4b26-927e-4d01950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "pattern": "[domain-name:value = 'softfix.co.kr']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a02393-7574-4cf5-9e2c-47d3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "pattern": "[domain-name:value = 'bbs.softfix.co.kr']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a023ab-cc18-4bbc-9627-d9c1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "description": "C2 server of Daserf", "pattern": "[domain-name:value = 'news.softfix.co.kr']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] 
}, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a023ab-3fdc-44c0-b218-d9c1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "description": "C2 server of Invader", "pattern": "[domain-name:value = 'bbs.gokickes.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a023ab-238c-4e0d-9e77-d9c1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "description": "C2 server of Invader", "pattern": "[domain-name:value = 'www.gokickes.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a023b8-74e0-4df6-8c52-43b7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "description": "C2", "pattern": "[domain-name:value = 'lywjrea.gmarketshop.net']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a023b9-fdf0-45e4-94dc-4ccc950d210f", 
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "description": "C2", "pattern": "[domain-name:value = 'krjregh.sacreeflame.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a023b9-977c-4501-9392-4376950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "description": "C2", "pattern": "[domain-name:value = 'psfir.sacreeflame.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a023b9-d44c-46c6-b391-44bd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "description": "C2", "pattern": "[domain-name:value = 'lywja.healthsvsolu.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a023b9-2698-494f-b7f0-4272950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": 
"2017-08-25T13:27:04.000Z", "description": "C2", "pattern": "[domain-name:value = 'phot.healthsvsolu.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a023b9-8650-42f4-9d9e-4302950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "description": "C2", "pattern": "[domain-name:value = 'blog.softfix.co.kr']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a023b9-68a4-4742-bcc0-44b9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "description": "C2", "pattern": "[domain-name:value = 'log.gokickes.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a023b9-2190-4dfc-bcd1-46ed950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:04.000Z", "modified": "2017-08-25T13:27:04.000Z", "description": "C2", "pattern": "[domain-name:value = 'sansei.jpn.com']", "pattern_type": "stix", 
"pattern_version": "2.1", "valid_from": "2017-08-25T13:27:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"hostname\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-5dcc-4e07-aa39-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "HomamDownloader - Xchecked via VT: a624d2cd6dee3b6150df3ca61ee0f992e2d6b08b3107f5b00f8bf8bcfe07ebe7", "pattern": "[file:hashes.SHA1 = '632b8eb977f61d8ce693d9de2b4d712f1d5cf95c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-de30-4f19-ac6e-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "HomamDownloader - Xchecked via VT: a624d2cd6dee3b6150df3ca61ee0f992e2d6b08b3107f5b00f8bf8bcfe07ebe7", "pattern": "[file:hashes.MD5 = 'ea50237e4947cefd204aebe89e7055f3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a025a9-b4a8-4acb-9dd5-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "first_observed": 
"2017-08-25T13:27:05Z", "last_observed": "2017-08-25T13:27:05Z", "number_observed": 1, "object_refs": [ "url--59a025a9-b4a8-4acb-9dd5-dd3702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a025a9-b4a8-4acb-9dd5-dd3702de0b81", "value": "https://www.virustotal.com/file/a624d2cd6dee3b6150df3ca61ee0f992e2d6b08b3107f5b00f8bf8bcfe07ebe7/analysis/1500964953/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-1840-4efe-ae94-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "Datper - Xchecked via VT: 7d70d659c421b50604ce3e0a1bf423ab7e54b9df361360933bac3bb852a31849", "pattern": "[file:hashes.SHA1 = 'f400b4d0008390314d663b8aa9ce9b525691a5e9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-ebd8-4b34-8849-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "Datper - Xchecked via VT: 7d70d659c421b50604ce3e0a1bf423ab7e54b9df361360933bac3bb852a31849", "pattern": "[file:hashes.MD5 = 'c7323e635841980e38129b3a5a90b0da']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a025a9-8b7c-4219-aca3-dd3702de0b81", 
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "first_observed": "2017-08-25T13:27:05Z", "last_observed": "2017-08-25T13:27:05Z", "number_observed": 1, "object_refs": [ "url--59a025a9-8b7c-4219-aca3-dd3702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a025a9-8b7c-4219-aca3-dd3702de0b81", "value": "https://www.virustotal.com/file/7d70d659c421b50604ce3e0a1bf423ab7e54b9df361360933bac3bb852a31849/analysis/1503338749/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-d124-4f1f-b965-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "Custom Gh0st - Xchecked via VT: 8e5a0a5f733f62712b840e7f5051a2bd68508ea207e582a190c8947a06e26f40", "pattern": "[file:hashes.SHA1 = '1262b97f8f16b1c436b28b25383a20c067e69a9f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-a518-4cd3-865b-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "Custom Gh0st - Xchecked via VT: 8e5a0a5f733f62712b840e7f5051a2bd68508ea207e582a190c8947a06e26f40", "pattern": "[file:hashes.MD5 = '49ce81d7975e732a3a3191b32d93a254']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", 
"misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a025a9-6be0-40fc-a248-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "first_observed": "2017-08-25T13:27:05Z", "last_observed": "2017-08-25T13:27:05Z", "number_observed": 1, "object_refs": [ "url--59a025a9-6be0-40fc-a248-dd3702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a025a9-6be0-40fc-a248-dd3702de0b81", "value": "https://www.virustotal.com/file/8e5a0a5f733f62712b840e7f5051a2bd68508ea207e582a190c8947a06e26f40/analysis/1501706788/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-3104-4434-ba22-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "Gh0stRAt Downloader - Xchecked via VT: e34f4a9c598ad3bb243cb39969fb9509427ff9c08e63e8811ad26b72af046f0c", "pattern": "[file:hashes.SHA1 = '03b43106d58645b3e58217d6f0dafdbe8c88f5fb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-9548-4dcd-9ebe-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "Gh0stRAt Downloader - Xchecked via VT: e34f4a9c598ad3bb243cb39969fb9509427ff9c08e63e8811ad26b72af046f0c", "pattern": "[file:hashes.MD5 = '6540714dd32c62f3664cd02153c5780b']", "pattern_type": "stix", 
"pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a025a9-d108-46f6-808d-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "first_observed": "2017-08-25T13:27:05Z", "last_observed": "2017-08-25T13:27:05Z", "number_observed": 1, "object_refs": [ "url--59a025a9-d108-46f6-808d-dd3702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a025a9-d108-46f6-808d-dd3702de0b81", "value": "https://www.virustotal.com/file/e34f4a9c598ad3bb243cb39969fb9509427ff9c08e63e8811ad26b72af046f0c/analysis/1430158030/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-bc40-4922-8375-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "Gh0stRAt Downloader - Xchecked via VT: ce47e7827da145823a6f2b755975d1d2f5eda045b4c542c9b9d05544f3a9b974", "pattern": "[file:hashes.SHA1 = '0e40d5ef368803c26244da5d5be57a4850e1cdb6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-6128-4527-b4f0-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": 
"Gh0stRAt Downloader - Xchecked via VT: ce47e7827da145823a6f2b755975d1d2f5eda045b4c542c9b9d05544f3a9b974", "pattern": "[file:hashes.MD5 = 'd05b9d77ee59deaebaaa02084d6f8507']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a025a9-4e30-4986-b6ac-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "first_observed": "2017-08-25T13:27:05Z", "last_observed": "2017-08-25T13:27:05Z", "number_observed": 1, "object_refs": [ "url--59a025a9-4e30-4986-b6ac-dd3702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a025a9-4e30-4986-b6ac-dd3702de0b81", "value": "https://www.virustotal.com/file/ce47e7827da145823a6f2b755975d1d2f5eda045b4c542c9b9d05544f3a9b974/analysis/1501160072/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-ed3c-4635-8ded-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "NamelessHdoor - Xchecked via VT: dfc8a6da93481e9dab767c8b42e2ffbcd08fb813123c91b723a6e6d70196636f", "pattern": "[file:hashes.SHA1 = 'ccd527b7b66374c93fb01101eb7b86c22981492d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--59a025a9-9fa0-4eac-ae0e-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "NamelessHdoor - Xchecked via VT: dfc8a6da93481e9dab767c8b42e2ffbcd08fb813123c91b723a6e6d70196636f", "pattern": "[file:hashes.MD5 = '044e2e7c4813accdbe030c49cef3326b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a025a9-ba74-4d1c-be4e-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "first_observed": "2017-08-25T13:27:05Z", "last_observed": "2017-08-25T13:27:05Z", "number_observed": 1, "object_refs": [ "url--59a025a9-ba74-4d1c-be4e-dd3702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a025a9-ba74-4d1c-be4e-dd3702de0b81", "value": "https://www.virustotal.com/file/dfc8a6da93481e9dab767c8b42e2ffbcd08fb813123c91b723a6e6d70196636f/analysis/1501706644/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-3240-4992-a4ce-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "Minzen - Xchecked via VT: 26727d139b593486237b975e7bdf93a8148c52d5fb48d5fe540a634a16a6ba82", "pattern": "[file:hashes.SHA1 = 'ff05e0f60aeabd2497bb70182c0641f19c5af269']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": 
"Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-fc9c-4f10-b5e7-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "Minzen - Xchecked via VT: 26727d139b593486237b975e7bdf93a8148c52d5fb48d5fe540a634a16a6ba82", "pattern": "[file:hashes.MD5 = 'c5d1626ca67376532af253c9673b1101']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a025a9-d184-4b9d-9f4d-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "first_observed": "2017-08-25T13:27:05Z", "last_observed": "2017-08-25T13:27:05Z", "number_observed": 1, "object_refs": [ "url--59a025a9-d184-4b9d-9f4d-dd3702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a025a9-d184-4b9d-9f4d-dd3702de0b81", "value": "https://www.virustotal.com/file/26727d139b593486237b975e7bdf93a8148c52d5fb48d5fe540a634a16a6ba82/analysis/1501899010/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-1818-491c-b754-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "Minzen - Xchecked via VT: 9374040a9e2f47f7037edaac19f21ff1ef6a999ff98c306504f89a37196074a2", "pattern": "[file:hashes.SHA1 = 
'db7d62ef93fb16768a421ad17568b044a1af8825']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-0150-4332-b565-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "Minzen - Xchecked via VT: 9374040a9e2f47f7037edaac19f21ff1ef6a999ff98c306504f89a37196074a2", "pattern": "[file:hashes.MD5 = '73c79f84361fc8d74ec53c36e07b39e6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a025a9-cd18-48a2-8471-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "first_observed": "2017-08-25T13:27:05Z", "last_observed": "2017-08-25T13:27:05Z", "number_observed": 1, "object_refs": [ "url--59a025a9-cd18-48a2-8471-dd3702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a025a9-cd18-48a2-8471-dd3702de0b81", "value": "https://www.virustotal.com/file/9374040a9e2f47f7037edaac19f21ff1ef6a999ff98c306504f89a37196074a2/analysis/1503058545/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-b650-476f-b889-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": 
"2017-08-25T13:27:05.000Z", "description": "Minzen - Xchecked via VT: 797d9c00022eaa2f86ddc9374f60d7ad92128ca07204b3e2fe791c08da9ce2b1", "pattern": "[file:hashes.SHA1 = '116878319499c594e29f1af6ead46cffd73efcc8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-c5d0-4153-a989-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "Minzen - Xchecked via VT: 797d9c00022eaa2f86ddc9374f60d7ad92128ca07204b3e2fe791c08da9ce2b1", "pattern": "[file:hashes.MD5 = '6ef5cdca1fe65f88a7213d6cc62abb79']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a025a9-023c-43d6-9177-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "first_observed": "2017-08-25T13:27:05Z", "last_observed": "2017-08-25T13:27:05Z", "number_observed": 1, "object_refs": [ "url--59a025a9-023c-43d6-9177-dd3702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a025a9-023c-43d6-9177-dd3702de0b81", "value": "https://www.virustotal.com/file/797d9c00022eaa2f86ddc9374f60d7ad92128ca07204b3e2fe791c08da9ce2b1/analysis/1501159875/" }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--59a025a9-6848-4e61-8f53-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "9002 - Xchecked via VT: 055fe8002de293401852310ae76cb730c570f2037c3c832a52a79b70e2cb7831", "pattern": "[file:hashes.SHA1 = 'c044f8b39653c72c6861da43475ff9f094e0edb6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-dd24-4ade-9898-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "9002 - Xchecked via VT: 055fe8002de293401852310ae76cb730c570f2037c3c832a52a79b70e2cb7831", "pattern": "[file:hashes.MD5 = '7246a7528649333dc64b03e46d84c9f0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a025a9-a488-410d-b2fb-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "first_observed": "2017-08-25T13:27:05Z", "last_observed": "2017-08-25T13:27:05Z", "number_observed": 1, "object_refs": [ "url--59a025a9-a488-410d-b2fb-dd3702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a025a9-a488-410d-b2fb-dd3702de0b81", "value": 
"https://www.virustotal.com/file/055fe8002de293401852310ae76cb730c570f2037c3c832a52a79b70e2cb7831/analysis/1497242017/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-8384-49d9-9b0b-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "9002 - Xchecked via VT: 2bec20540d200758a223a7e8f7b2f98cd4949e106c1907d3f194216208c5b2fe", "pattern": "[file:hashes.SHA1 = 'c30361a20f1c42a6cdb33376d3d80e15610afd5d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-ef34-4242-9eb4-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "9002 - Xchecked via VT: 2bec20540d200758a223a7e8f7b2f98cd4949e106c1907d3f194216208c5b2fe", "pattern": "[file:hashes.MD5 = '181d4f01c8d6d1abae0847ce74e24268']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a025a9-f37c-447c-b49c-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "first_observed": "2017-08-25T13:27:05Z", "last_observed": "2017-08-25T13:27:05Z", "number_observed": 1, "object_refs": [ "url--59a025a9-f37c-447c-b49c-dd3702de0b81" ], "labels": [ 
"misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a025a9-f37c-447c-b49c-dd3702de0b81", "value": "https://www.virustotal.com/file/2bec20540d200758a223a7e8f7b2f98cd4949e106c1907d3f194216208c5b2fe/analysis/1501215779/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-6088-4ae8-858f-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "9002 - Xchecked via VT: 933d66b43b3ce9a572ee3127b255b4baf69d6fdd7cb24da609b52ee277baa76e", "pattern": "[file:hashes.SHA1 = 'd18b4ca7472a0a7fe31e88a0e0f6889dd45454b0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-f674-4823-a4c4-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "9002 - Xchecked via VT: 933d66b43b3ce9a572ee3127b255b4baf69d6fdd7cb24da609b52ee277baa76e", "pattern": "[file:hashes.MD5 = '955a2287fb560b1b9f98ae131a13558b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a025a9-d78c-458d-b0ae-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "first_observed": 
"2017-08-25T13:27:05Z", "last_observed": "2017-08-25T13:27:05Z", "number_observed": 1, "object_refs": [ "url--59a025a9-d78c-458d-b0ae-dd3702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a025a9-d78c-458d-b0ae-dd3702de0b81", "value": "https://www.virustotal.com/file/933d66b43b3ce9a572ee3127b255b4baf69d6fdd7cb24da609b52ee277baa76e/analysis/1501898610/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-f150-425a-9f96-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "Invader - Xchecked via VT: 57e1d3122e6dc88d9eb2989f081de88a0e6864e767281d509ff58834928895fb", "pattern": "[file:hashes.SHA1 = 'f0ea963a86d0ef8e1ecf72b58d3f75e0ea8f18e0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-9dc0-4492-90a5-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "Invader - Xchecked via VT: 57e1d3122e6dc88d9eb2989f081de88a0e6864e767281d509ff58834928895fb", "pattern": "[file:hashes.MD5 = 'b44722b197ec495cee00bff373b2a3f7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": 
"observed-data--59a025a9-edc8-47cd-999d-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "first_observed": "2017-08-25T13:27:05Z", "last_observed": "2017-08-25T13:27:05Z", "number_observed": 1, "object_refs": [ "url--59a025a9-edc8-47cd-999d-dd3702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a025a9-edc8-47cd-999d-dd3702de0b81", "value": "https://www.virustotal.com/file/57e1d3122e6dc88d9eb2989f081de88a0e6864e767281d509ff58834928895fb/analysis/1501707143/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-efa8-4a2d-872d-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "Invader - Xchecked via VT: e9574627349aeb7dd7f5b9f9c5ede7faa06511d7fdf98804526ca1b2e7ce127e", "pattern": "[file:hashes.SHA1 = '8ca2085c68f802d6efdadf6f7c174582d6f480a5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-4b84-4680-b393-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "Invader - Xchecked via VT: e9574627349aeb7dd7f5b9f9c5ede7faa06511d7fdf98804526ca1b2e7ce127e", "pattern": "[file:hashes.MD5 = 'e9a1d96a1b1b2bfe41ae1b6327d44f21']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload 
delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a025a9-399c-4616-aecf-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "first_observed": "2017-08-25T13:27:05Z", "last_observed": "2017-08-25T13:27:05Z", "number_observed": 1, "object_refs": [ "url--59a025a9-399c-4616-aecf-dd3702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a025a9-399c-4616-aecf-dd3702de0b81", "value": "https://www.virustotal.com/file/e9574627349aeb7dd7f5b9f9c5ede7faa06511d7fdf98804526ca1b2e7ce127e/analysis/1501025628/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-e5cc-45e4-af56-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "Invader - Xchecked via VT: 0df20ccd074b722d5fe1358b329c7bdebcd7e3902a1ca4ca8d5a98cc5ce4c287", "pattern": "[file:hashes.SHA1 = '4ce27f07dbf0c20bbc9d567664da73188dbdf444']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-ddc4-4358-9c8f-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "Invader - Xchecked via VT: 0df20ccd074b722d5fe1358b329c7bdebcd7e3902a1ca4ca8d5a98cc5ce4c287", "pattern": "[file:hashes.MD5 = '848a087df1a6cbbe68760df603cc4323']", 
"pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a025a9-b5e0-4e34-9b8a-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "first_observed": "2017-08-25T13:27:05Z", "last_observed": "2017-08-25T13:27:05Z", "number_observed": 1, "object_refs": [ "url--59a025a9-b5e0-4e34-9b8a-dd3702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a025a9-b5e0-4e34-9b8a-dd3702de0b81", "value": "https://www.virustotal.com/file/0df20ccd074b722d5fe1358b329c7bdebcd7e3902a1ca4ca8d5a98cc5ce4c287/analysis/1501025628/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-7dc0-4bd6-9b64-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "Daserf - Xchecked via VT: 01d681c51ad0c7c3d4b320973c61c28a353624ac665fd390553b364d17911f46", "pattern": "[file:hashes.SHA1 = '3fa7215e2377df23a088f53a81efcb0562f4b142']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-9c7c-4fd6-8363-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", 
"description": "Daserf - Xchecked via VT: 01d681c51ad0c7c3d4b320973c61c28a353624ac665fd390553b364d17911f46", "pattern": "[file:hashes.MD5 = 'd8be46cc4642faac37d8167fed433950']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a025a9-b4f8-40df-8638-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "first_observed": "2017-08-25T13:27:05Z", "last_observed": "2017-08-25T13:27:05Z", "number_observed": 1, "object_refs": [ "url--59a025a9-b4f8-40df-8638-dd3702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a025a9-b4f8-40df-8638-dd3702de0b81", "value": "https://www.virustotal.com/file/01d681c51ad0c7c3d4b320973c61c28a353624ac665fd390553b364d17911f46/analysis/1501985025/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-809c-4b65-ac7b-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "Daserf - Xchecked via VT: 9c7a34390e92d4551c26a3feb5b181757b3309995acd1f92e0f63f888aa89423", "pattern": "[file:hashes.SHA1 = 'ba932ba5d07f153498d274117a96feacb21c074c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--59a025a9-96f0-47eb-ac81-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "Daserf - Xchecked via VT: 9c7a34390e92d4551c26a3feb5b181757b3309995acd1f92e0f63f888aa89423", "pattern": "[file:hashes.MD5 = '5f938ec8dc3ae7f19c8a970c6b95059b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a025a9-0e88-4de3-adae-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "first_observed": "2017-08-25T13:27:05Z", "last_observed": "2017-08-25T13:27:05Z", "number_observed": 1, "object_refs": [ "url--59a025a9-0e88-4de3-adae-dd3702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a025a9-0e88-4de3-adae-dd3702de0b81", "value": "https://www.virustotal.com/file/9c7a34390e92d4551c26a3feb5b181757b3309995acd1f92e0f63f888aa89423/analysis/1501706838/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-75b8-4d2f-b685-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "Daserf - Xchecked via VT: 21111136d523970e27833dd2db15d7c50803d8f6f4f377d4d9602ba9fbd355cd", "pattern": "[file:hashes.SHA1 = 'e5c9d7b498021f33e6930b7419e1298a360df3d7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload 
delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-5904-4561-bd14-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "Daserf - Xchecked via VT: 21111136d523970e27833dd2db15d7c50803d8f6f4f377d4d9602ba9fbd355cd", "pattern": "[file:hashes.MD5 = 'caafc4b6154022e7d50869d50d67148a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a025a9-75b4-4d3d-8c19-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "first_observed": "2017-08-25T13:27:05Z", "last_observed": "2017-08-25T13:27:05Z", "number_observed": 1, "object_refs": [ "url--59a025a9-75b4-4d3d-8c19-dd3702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a025a9-75b4-4d3d-8c19-dd3702de0b81", "value": "https://www.virustotal.com/file/21111136d523970e27833dd2db15d7c50803d8f6f4f377d4d9602ba9fbd355cd/analysis/1500965130/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-0138-493b-9fd8-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "Daserf - Xchecked via VT: e8edde4519763bb6669ba99e33b4803a7655805b8c3475b49af0a49913577e51", "pattern": "[file:hashes.SHA1 = 'cb515cfa0a9887fdeffe80e4c41ccb3dcefe992c']", 
"pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-8ef0-4341-a183-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "Daserf - Xchecked via VT: e8edde4519763bb6669ba99e33b4803a7655805b8c3475b49af0a49913577e51", "pattern": "[file:hashes.MD5 = '3ba5d5690ca63ca16a444557f1411c85']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a025a9-2d10-43f9-8529-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "first_observed": "2017-08-25T13:27:05Z", "last_observed": "2017-08-25T13:27:05Z", "number_observed": 1, "object_refs": [ "url--59a025a9-2d10-43f9-8529-dd3702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a025a9-2d10-43f9-8529-dd3702de0b81", "value": "https://www.virustotal.com/file/e8edde4519763bb6669ba99e33b4803a7655805b8c3475b49af0a49913577e51/analysis/1501691519/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-e0ac-48fa-9844-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": 
"Daserf - Xchecked via VT: f8458a0711653071bf59a3153293771a6fb5d1de9af7ea814de58f473cba9d06", "pattern": "[file:hashes.SHA1 = '15c88b16850479dec1366be33683a60aebd8d453']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-29a4-4994-a328-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "Daserf - Xchecked via VT: f8458a0711653071bf59a3153293771a6fb5d1de9af7ea814de58f473cba9d06", "pattern": "[file:hashes.MD5 = '22b3dda332fcc5362bfa91518a511e3e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a025a9-d468-4905-8b79-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "first_observed": "2017-08-25T13:27:05Z", "last_observed": "2017-08-25T13:27:05Z", "number_observed": 1, "object_refs": [ "url--59a025a9-d468-4905-8b79-dd3702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a025a9-d468-4905-8b79-dd3702de0b81", "value": "https://www.virustotal.com/file/f8458a0711653071bf59a3153293771a6fb5d1de9af7ea814de58f473cba9d06/analysis/1501706715/" }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--59a025a9-9c88-4724-913c-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "Daserf - Xchecked via VT: 04080fbab754dbf0c7529f8bbe661afef9c2cba74e3797428538ed5c243d705a", "pattern": "[file:hashes.SHA1 = '518857ae1c884b750c16142dbeddc76f2add08c5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59a025a9-fe50-46cf-acde-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "description": "Daserf - Xchecked via VT: 04080fbab754dbf0c7529f8bbe661afef9c2cba74e3797428538ed5c243d705a", "pattern": "[file:hashes.MD5 = 'f4d02c412d465893497b91f3ce0e1ad7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-08-25T13:27:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59a025a9-77ec-4843-9820-dd3702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-08-25T13:27:05.000Z", "modified": "2017-08-25T13:27:05.000Z", "first_observed": "2017-08-25T13:27:05Z", "last_observed": "2017-08-25T13:27:05Z", "number_observed": 1, "object_refs": [ "url--59a025a9-77ec-4843-9820-dd3702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59a025a9-77ec-4843-9820-dd3702de0b81", "value": 
"https://www.virustotal.com/file/04080fbab754dbf0c7529f8bbe661afef9c2cba74e3797428538ed5c243d705a/analysis/1501756421/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }