{ "type": "bundle", "id": "bundle--57721a0d-8c48-47a5-86d4-458c950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-28T06:34:24.000Z", "modified": "2016-06-28T06:34:24.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--57721a0d-8c48-47a5-86d4-458c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-28T06:34:24.000Z", "modified": "2016-06-28T06:34:24.000Z", "name": "OSINT - Retefe banking Trojan targets UK banking customers", "published": "2016-06-28T06:42:05Z", "object_refs": [ "observed-data--57721a2f-3864-4f37-88e8-46c0950d210f", "url--57721a2f-3864-4f37-88e8-46c0950d210f", "x-misp-attribute--57721a3c-bdd0-41bf-ae29-3123950d210f", "indicator--57721a50-b25c-4600-bd64-4006950d210f", "indicator--57721a50-8f34-4fcb-a230-41f8950d210f", "indicator--57721a51-d678-4635-ba54-4a05950d210f", "indicator--57721a51-c894-4204-b97a-42d3950d210f", "indicator--57721a51-d128-477b-87b7-424b950d210f", "indicator--57721a70-f550-4837-bc33-4a5702de0b81", "indicator--57721a70-21a0-4c15-b801-4e7a02de0b81", "observed-data--57721a70-a080-4624-98c4-4a6802de0b81", "url--57721a70-a080-4624-98c4-4a6802de0b81", "indicator--57721a70-1cbc-49d4-bb6e-4e8502de0b81", "indicator--57721a70-16a8-4552-b021-47c002de0b81", "observed-data--57721a71-d084-4252-87e9-49a202de0b81", "url--57721a71-d084-4252-87e9-49a202de0b81", "indicator--57721a71-b714-42be-83f2-462d02de0b81", "indicator--57721a71-6770-4209-8c97-49db02de0b81", "observed-data--57721a71-90fc-42ad-a4c1-405d02de0b81", "url--57721a71-90fc-42ad-a4c1-405d02de0b81", "indicator--57721a71-50fc-48c9-b413-4f2a02de0b81", "indicator--57721a72-7c60-481b-a0dc-40be02de0b81", "observed-data--57721a72-bacc-4de5-abb1-459802de0b81", "url--57721a72-bacc-4de5-abb1-459802de0b81", "indicator--57721a72-bc3c-4515-af66-402702de0b81", 
"indicator--57721a72-e328-43ca-8f9d-435502de0b81", "observed-data--57721a72-acd4-48da-9114-4bbd02de0b81", "url--57721a72-acd4-48da-9114-4bbd02de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "circl:topic=\"finance\"", "type:OSINT" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57721a2f-3864-4f37-88e8-46c0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-28T06:33:19.000Z", "modified": "2016-06-28T06:33:19.000Z", "first_observed": "2016-06-28T06:33:19Z", "last_observed": "2016-06-28T06:33:19Z", "number_observed": 1, "object_refs": [ "url--57721a2f-3864-4f37-88e8-46c0950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57721a2f-3864-4f37-88e8-46c0950d210f", "value": "https://blog.avast.com/retefe-banking-trojan-targets-uk-banking-customers" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--57721a3c-bdd0-41bf-ae29-3123950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-28T06:33:32.000Z", "modified": "2016-06-28T06:33:32.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "The Retefe banking Trojan has been around for some time, targeting Sweden, Switzerland and Japan, as previously reported by Paloalto Research.\r\nWe recently noticed Retefe campaigns targeting UK banking customers. Using fake certificates, the Trojan is designed to trick victims into giving up their login credentials and other sensitive information.\r\n\r\nAt first, the victim receives a document with an embedded malicious JavaScript file via email. 
The document contains a very small image with a note asking the user to double-click on it to view it better. After double-clicking, the malicious embedded JavaScript is executed. The document has a notice message in German; however, the banking Trojan is targeting users in the UK." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57721a50-b25c-4600-bd64-4006950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-28T06:33:52.000Z", "modified": "2016-06-28T06:33:52.000Z", "description": "Sample", "pattern": "[file:hashes.SHA256 = '0cf2c0165cdc3962ad8c3ac27258fdab4dcecb7121ba97856b66d22fd77aefca']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-28T06:33:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57721a50-8f34-4fcb-a230-41f8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-28T06:33:52.000Z", "modified": "2016-06-28T06:33:52.000Z", "description": "Sample", "pattern": "[file:hashes.SHA256 = '1166ce980f783c5ba18fd1904e00350dd3d25c19e64674816a1b35da4319ae54']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-28T06:33:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57721a51-d678-4635-ba54-4a05950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-28T06:33:53.000Z", "modified": "2016-06-28T06:33:53.000Z", "description": "Sample", "pattern": "[file:hashes.SHA256 = '50f729589fa850ade5834dd7fcd5f354f35b4515c8ecabbff91de3ceb45de052']", 
"pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-28T06:33:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57721a51-c894-4204-b97a-42d3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-28T06:33:53.000Z", "modified": "2016-06-28T06:33:53.000Z", "description": "Sample", "pattern": "[file:hashes.SHA256 = '5a578ccb2b1051273222359bf4ca18b8788df8f98a70cb0a8a354029ad7a9856']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-28T06:33:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57721a51-d128-477b-87b7-424b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-28T06:33:53.000Z", "modified": "2016-06-28T06:33:53.000Z", "description": "Sample", "pattern": "[file:hashes.SHA256 = '629db885c944187dd0a71715c7fef929e38f1927bc19182122ea1b594397a9bd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-28T06:33:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57721a70-f550-4837-bc33-4a5702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-28T06:34:24.000Z", "modified": "2016-06-28T06:34:24.000Z", "description": "Sample - Xchecked via VT: 629db885c944187dd0a71715c7fef929e38f1927bc19182122ea1b594397a9bd", "pattern": 
"[file:hashes.SHA1 = 'f4d48a8d9447de0f3e318b6c739d8a640134db8e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-28T06:34:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57721a70-21a0-4c15-b801-4e7a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-28T06:34:24.000Z", "modified": "2016-06-28T06:34:24.000Z", "description": "Sample - Xchecked via VT: 629db885c944187dd0a71715c7fef929e38f1927bc19182122ea1b594397a9bd", "pattern": "[file:hashes.MD5 = '1765232a9fd904d90ac7674a624669b0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-28T06:34:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57721a70-a080-4624-98c4-4a6802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-28T06:34:24.000Z", "modified": "2016-06-28T06:34:24.000Z", "first_observed": "2016-06-28T06:34:24Z", "last_observed": "2016-06-28T06:34:24Z", "number_observed": 1, "object_refs": [ "url--57721a70-a080-4624-98c4-4a6802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57721a70-a080-4624-98c4-4a6802de0b81", "value": "https://www.virustotal.com/file/629db885c944187dd0a71715c7fef929e38f1927bc19182122ea1b594397a9bd/analysis/1467090128/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57721a70-1cbc-49d4-bb6e-4e8502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2016-06-28T06:34:24.000Z", "modified": "2016-06-28T06:34:24.000Z", "description": "Sample - Xchecked via VT: 5a578ccb2b1051273222359bf4ca18b8788df8f98a70cb0a8a354029ad7a9856", "pattern": "[file:hashes.SHA1 = '752e5d5f5443f21278afe32b4b556c88d9ad7d05']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-28T06:34:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57721a70-16a8-4552-b021-47c002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-28T06:34:24.000Z", "modified": "2016-06-28T06:34:24.000Z", "description": "Sample - Xchecked via VT: 5a578ccb2b1051273222359bf4ca18b8788df8f98a70cb0a8a354029ad7a9856", "pattern": "[file:hashes.MD5 = '4c42b28d75f3939b5a58631c090dceb1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-28T06:34:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57721a71-d084-4252-87e9-49a202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-28T06:34:25.000Z", "modified": "2016-06-28T06:34:25.000Z", "first_observed": "2016-06-28T06:34:25Z", "last_observed": "2016-06-28T06:34:25Z", "number_observed": 1, "object_refs": [ "url--57721a71-d084-4252-87e9-49a202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57721a71-d084-4252-87e9-49a202de0b81", "value": "https://www.virustotal.com/file/5a578ccb2b1051273222359bf4ca18b8788df8f98a70cb0a8a354029ad7a9856/analysis/1467090124/" }, { "type": 
"indicator", "spec_version": "2.1", "id": "indicator--57721a71-b714-42be-83f2-462d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-28T06:34:25.000Z", "modified": "2016-06-28T06:34:25.000Z", "description": "Sample - Xchecked via VT: 50f729589fa850ade5834dd7fcd5f354f35b4515c8ecabbff91de3ceb45de052", "pattern": "[file:hashes.SHA1 = 'e35cff87fec389a90bfe287aaa927fd7342977c7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-28T06:34:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57721a71-6770-4209-8c97-49db02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-28T06:34:25.000Z", "modified": "2016-06-28T06:34:25.000Z", "description": "Sample - Xchecked via VT: 50f729589fa850ade5834dd7fcd5f354f35b4515c8ecabbff91de3ceb45de052", "pattern": "[file:hashes.MD5 = 'dcfb8e42173746bb97436782b6b644bd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-28T06:34:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57721a71-90fc-42ad-a4c1-405d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-28T06:34:25.000Z", "modified": "2016-06-28T06:34:25.000Z", "first_observed": "2016-06-28T06:34:25Z", "last_observed": "2016-06-28T06:34:25Z", "number_observed": 1, "object_refs": [ "url--57721a71-90fc-42ad-a4c1-405d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": 
"url--57721a71-90fc-42ad-a4c1-405d02de0b81", "value": "https://www.virustotal.com/file/50f729589fa850ade5834dd7fcd5f354f35b4515c8ecabbff91de3ceb45de052/analysis/1467090120/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57721a71-50fc-48c9-b413-4f2a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-28T06:34:25.000Z", "modified": "2016-06-28T06:34:25.000Z", "description": "Sample - Xchecked via VT: 1166ce980f783c5ba18fd1904e00350dd3d25c19e64674816a1b35da4319ae54", "pattern": "[file:hashes.SHA1 = '2713fd96a36f08e14fcea92fe455bcbb4f752e91']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-28T06:34:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57721a72-7c60-481b-a0dc-40be02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-28T06:34:26.000Z", "modified": "2016-06-28T06:34:26.000Z", "description": "Sample - Xchecked via VT: 1166ce980f783c5ba18fd1904e00350dd3d25c19e64674816a1b35da4319ae54", "pattern": "[file:hashes.MD5 = '1c73db1b06b2b0967a33b39267972126']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-28T06:34:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57721a72-bacc-4de5-abb1-459802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-28T06:34:26.000Z", "modified": "2016-06-28T06:34:26.000Z", "first_observed": "2016-06-28T06:34:26Z", "last_observed": "2016-06-28T06:34:26Z", "number_observed": 1, "object_refs": [ 
"url--57721a72-bacc-4de5-abb1-459802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57721a72-bacc-4de5-abb1-459802de0b81", "value": "https://www.virustotal.com/file/1166ce980f783c5ba18fd1904e00350dd3d25c19e64674816a1b35da4319ae54/analysis/1467090115/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57721a72-bc3c-4515-af66-402702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-28T06:34:26.000Z", "modified": "2016-06-28T06:34:26.000Z", "description": "Sample - Xchecked via VT: 0cf2c0165cdc3962ad8c3ac27258fdab4dcecb7121ba97856b66d22fd77aefca", "pattern": "[file:hashes.SHA1 = 'a7057daba35ecd78876900a4212f2f5d03df1edb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-28T06:34:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57721a72-e328-43ca-8f9d-435502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-06-28T06:34:26.000Z", "modified": "2016-06-28T06:34:26.000Z", "description": "Sample - Xchecked via VT: 0cf2c0165cdc3962ad8c3ac27258fdab4dcecb7121ba97856b66d22fd77aefca", "pattern": "[file:hashes.MD5 = 'bf00ad68411fcd868d71c6bd6812f3df']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-06-28T06:34:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57721a72-acd4-48da-9114-4bbd02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2016-06-28T06:34:26.000Z", "modified": "2016-06-28T06:34:26.000Z", "first_observed": "2016-06-28T06:34:26Z", "last_observed": "2016-06-28T06:34:26Z", "number_observed": 1, "object_refs": [ "url--57721a72-acd4-48da-9114-4bbd02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57721a72-acd4-48da-9114-4bbd02de0b81", "value": "https://www.virustotal.com/file/0cf2c0165cdc3962ad8c3ac27258fdab4dcecb7121ba97856b66d22fd77aefca/analysis/1467090112/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }