{ "type": "bundle", "id": "bundle--5dc3249f-6ebc-44fd-b78d-448d02de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-06T20:00:02.000Z", "modified": "2019-11-06T20:00:02.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5dc3249f-6ebc-44fd-b78d-448d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-06T20:00:02.000Z", "modified": "2019-11-06T20:00:02.000Z", "name": "OSINT - BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0", "published": "2019-11-06T20:02:52Z", "object_refs": [ "indicator--5dc324da-8930-4832-84ae-428102de0b81", "indicator--5dc324da-3aa8-4672-a5c8-461502de0b81", "indicator--5dc324da-4734-4603-be54-44eb02de0b81", "indicator--5dc324da-7284-4a03-880f-4c9d02de0b81", "indicator--5dc324da-eef0-4d5e-bc21-4c5402de0b81", "indicator--5dc324da-7f9c-4659-abea-402a02de0b81", "x-misp-attribute--5dc32571-aa74-4179-8f74-42bc02de0b81", "indicator--5dc325b9-7018-496a-b223-4b7602de0b81", "indicator--5dc325b9-a748-403f-abcc-428c02de0b81", "observed-data--5dc325e5-6214-4a8f-bf43-441102de0b81", "url--5dc325e5-6214-4a8f-bf43-441102de0b81", "indicator--bca0440a-4555-4587-b5a2-a541bd2a4dc9", "x-misp-object--b9af0b6b-5e5d-43a1-84c7-21e1357665f1", "indicator--9ae6b1c8-d364-4e47-acf7-f6730fb4465c", "x-misp-object--b440661e-36e3-4b91-86ff-fa8760b84317", "indicator--756d7b88-3347-4a0c-9fef-01dbddfd34bb", "x-misp-object--6d1c9b11-06c8-4813-9485-89269e343f91", "indicator--c04e4714-a1ca-4318-98d3-a46cf6d6ad97", "x-misp-object--e943e2d5-8dec-4e03-8469-ee47c09f2568", "indicator--2a17501a-3480-46f0-b0bd-5888c2ee8c92", "x-misp-object--7fb41421-37ea-4910-ac68-319d59bdcbad", "indicator--25d7c94e-5aad-4634-878d-15010c84f0aa", "x-misp-object--f10bc385-bc29-4069-8374-abc49782561a", "relationship--d741a727-322c-4637-930f-80edfb2ad847", 
"relationship--22408634-ee41-4ea2-b767-2f2a9879772a", "relationship--dbe0e066-4162-43e6-a951-89ab2e50892d", "relationship--c4405d26-6b1e-4c59-826a-7acb5fcf4f77", "relationship--c64db77e-c64d-4e88-ae51-61eb118343f9", "relationship--1c9e16db-d688-4121-8a64-7d72594ae13c" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:malpedia=\"Dridex\"", "misp-galaxy:malpedia=\"FriedEx\"", "misp-galaxy:ransomware=\"Bitpaymer\"", "misp-galaxy:threat-actor=\"INDRIK SPIDER\"", "type:OSINT", "osint:lifetime=\"perpetual\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5dc324da-8930-4832-84ae-428102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-06T19:54:02.000Z", "modified": "2019-11-06T19:54:02.000Z", "description": "Encrypted PE Files Embedded in DoppelPaymer", "pattern": "[file:hashes.SHA256 = '51d8618ec86159327e883615ad8989c7638172cf801f65ab0367e5b2e6af596a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-11-06T19:54:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5dc324da-3aa8-4672-a5c8-461502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-06T19:54:02.000Z", "modified": "2019-11-06T19:54:02.000Z", "description": "Encrypted PE Files Embedded in DoppelPaymer", "pattern": "[file:hashes.SHA256 = 'd4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-11-06T19:54:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", 
"misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5dc324da-4734-4603-be54-44eb02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-06T19:54:02.000Z", "modified": "2019-11-06T19:54:02.000Z", "description": "Encrypted PE Files Embedded in DoppelPaymer", "pattern": "[file:hashes.SHA256 = '0f97f6d53fff47914174bc3a05fb016e2c02ed0b43c827e5e5aadba2d244aecc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-11-06T19:54:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5dc324da-7284-4a03-880f-4c9d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-06T19:54:02.000Z", "modified": "2019-11-06T19:54:02.000Z", "description": "Encrypted PE Files Embedded in DoppelPaymer", "pattern": "[file:hashes.SHA256 = 'bfb7e62ba4ad5975e68a1beefb045cb72e056911fd7a8b070a15029dfcbbefe1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-11-06T19:54:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5dc324da-eef0-4d5e-bc21-4c5402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-06T19:54:02.000Z", "modified": "2019-11-06T19:54:02.000Z", "description": "Encrypted PE Files Embedded in DoppelPaymer", "pattern": "[file:hashes.SHA256 = 'bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-11-06T19:54:02Z", 
"kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5dc324da-7f9c-4659-abea-402a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-06T19:54:02.000Z", "modified": "2019-11-06T19:54:02.000Z", "description": "Encrypted PE Files Embedded in DoppelPaymer", "pattern": "[file:hashes.SHA256 = '70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-11-06T19:54:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5dc32571-aa74-4179-8f74-42bc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-06T19:56:33.000Z", "modified": "2019-11-06T19:56:33.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "CrowdStrike\u00ae Intelligence has identified a new ransomware variant identifying itself as BitPaymer. This new variant was behind a series of ransomware campaigns beginning in June 2019, including attacks against the City of Edcouch, Texas and the Chilean Ministry of Agriculture. \r\n\r\nWe have dubbed this new ransomware DoppelPaymer because it shares most of its code with the BitPaymer ransomware operated by INDRIK SPIDER. 
However, there are a number of differences between DoppelPaymer and BitPaymer, which may signify that one or more members of INDRIK SPIDER have split from the group and forked the source code of both Dridex and BitPaymer to start their own Big Game Hunting ransomware operation." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5dc325b9-7018-496a-b223-4b7602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-06T19:57:45.000Z", "modified": "2019-11-06T19:57:45.000Z", "description": "DoppelPaymer", "pattern": "[file:hashes.SHA256 = '801b04a1504f167c25f568f8d7cbac13bdde6440a609d0dcd64ebe225c197f9b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-11-06T19:57:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5dc325b9-a748-403f-abcc-428c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-06T19:57:45.000Z", "modified": "2019-11-06T19:57:45.000Z", "description": "Dridex 2.0", "pattern": "[file:hashes.SHA256 = '813d8020f32fefe01b66bea0ce63834adef2e725801b4b761f5ea90ac4facd3a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-11-06T19:57:45Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5dc325e5-6214-4a8f-bf43-441102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-06T19:58:29.000Z", "modified": "2019-11-06T19:58:29.000Z", "first_observed": "2019-11-06T19:58:29Z", "last_observed": "2019-11-06T19:58:29Z", "number_observed": 1, 
"object_refs": [ "url--5dc325e5-6214-4a8f-bf43-441102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5dc325e5-6214-4a8f-bf43-441102de0b81", "value": "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--bca0440a-4555-4587-b5a2-a541bd2a4dc9", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-06T19:59:15.000Z", "modified": "2019-11-06T19:59:15.000Z", "pattern": "[file:hashes.MD5 = '1b5c3c458e31bede55145d0644e88d75' AND file:hashes.SHA1 = 'a21c84c6bf2e21d69fa06daaf19b4cc34b589347' AND file:hashes.SHA256 = '70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-11-06T19:59:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--b9af0b6b-5e5d-43a1-84c7-21e1357665f1", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-06T19:59:15.000Z", "modified": "2019-11-06T19:59:15.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-11-05T13:32:39", "category": "Other", "comment": "Encrypted PE Files Embedded in DoppelPaymer", "uuid": "590eabf8-daae-48fa-93f7-a6881b74188d" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4/analysis/1572960759/", "category": "Payload delivery", "comment": "Encrypted PE Files Embedded in DoppelPaymer", "uuid": "7de0a36e-6553-4bca-b8f3-2496fa7c6ae6" }, { "type": "text", 
"object_relation": "detection-ratio", "value": "15/71", "category": "Payload delivery", "comment": "Encrypted PE Files Embedded in DoppelPaymer", "uuid": "28dc293f-7fb7-49e5-9c3e-8bee49d6f3b2" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9ae6b1c8-d364-4e47-acf7-f6730fb4465c", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-06T19:59:15.000Z", "modified": "2019-11-06T19:59:15.000Z", "pattern": "[file:hashes.MD5 = '68f9b52895f4d34e74112f3129b3b00d' AND file:hashes.SHA1 = 'c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e' AND file:hashes.SHA256 = 'd4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-11-06T19:59:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--b440661e-36e3-4b91-86ff-fa8760b84317", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-06T19:59:16.000Z", "modified": "2019-11-06T19:59:16.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-11-05T15:07:41", "category": "Other", "comment": "Encrypted PE Files Embedded in DoppelPaymer", "uuid": "2d422e88-d201-4694-bbd7-866a38115bf8" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f/analysis/1572966461/", "category": "Payload delivery", "comment": "Encrypted PE Files Embedded in DoppelPaymer", "uuid": "3e29cdd3-6698-46ac-a2e0-37658066a1a7" }, { "type": "text", "object_relation": "detection-ratio", "value": "17/71", 
"category": "Payload delivery", "comment": "Encrypted PE Files Embedded in DoppelPaymer", "uuid": "4d55f6ac-dcd5-4ac6-8eca-d33081e4708a" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--756d7b88-3347-4a0c-9fef-01dbddfd34bb", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-06T19:59:16.000Z", "modified": "2019-11-06T19:59:16.000Z", "pattern": "[file:hashes.MD5 = '6365fe1d37545c71cbe2719ac7831bdd' AND file:hashes.SHA1 = '9356d660cebd2604ec4e72967f44678741331d5a' AND file:hashes.SHA256 = '0f97f6d53fff47914174bc3a05fb016e2c02ed0b43c827e5e5aadba2d244aecc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-11-06T19:59:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--6d1c9b11-06c8-4813-9485-89269e343f91", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-06T19:59:17.000Z", "modified": "2019-11-06T19:59:17.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-11-04T12:24:35", "category": "Other", "comment": "Encrypted PE Files Embedded in DoppelPaymer", "uuid": "2087010a-da8e-4132-b113-308e02d41f06" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/0f97f6d53fff47914174bc3a05fb016e2c02ed0b43c827e5e5aadba2d244aecc/analysis/1572870275/", "category": "Payload delivery", "comment": "Encrypted PE Files Embedded in DoppelPaymer", "uuid": "d1cd1211-5d23-4442-94c1-6973a0b3e6cf" }, { "type": "text", "object_relation": "detection-ratio", "value": "14/70", "category": "Payload delivery", "comment": "Encrypted PE Files 
Embedded in DoppelPaymer", "uuid": "72338110-8f9a-4c07-ab93-d926bbe4fe0e" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c04e4714-a1ca-4318-98d3-a46cf6d6ad97", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-06T19:59:17.000Z", "modified": "2019-11-06T19:59:17.000Z", "pattern": "[file:hashes.MD5 = '47bc14f741779c3a7450adeeb66bb7e8' AND file:hashes.SHA1 = '980842b405d6df5385503044e102ad4a5d8b8573' AND file:hashes.SHA256 = '813d8020f32fefe01b66bea0ce63834adef2e725801b4b761f5ea90ac4facd3a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-11-06T19:59:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--e943e2d5-8dec-4e03-8469-ee47c09f2568", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-06T19:59:17.000Z", "modified": "2019-11-06T19:59:17.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-11-04T12:37:45", "category": "Other", "comment": "Dridex 2.0", "uuid": "4bd2567e-f3c3-4af6-8878-5cebbb3ee30f" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/813d8020f32fefe01b66bea0ce63834adef2e725801b4b761f5ea90ac4facd3a/analysis/1572871065/", "category": "Payload delivery", "comment": "Dridex 2.0", "uuid": "f70fc547-6175-4e7d-aa3c-09fdcae120b9" }, { "type": "text", "object_relation": "detection-ratio", "value": "54/69", "category": "Payload delivery", "comment": "Dridex 2.0", "uuid": "094fb53d-08d6-44e0-9a00-ca0890f5175d" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": 
"indicator", "spec_version": "2.1", "id": "indicator--2a17501a-3480-46f0-b0bd-5888c2ee8c92", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-06T19:59:18.000Z", "modified": "2019-11-06T19:59:18.000Z", "pattern": "[file:hashes.MD5 = '9141d1d189afc2e300121e71a211c925' AND file:hashes.SHA1 = 'ee5ac27425616878a932516000c04dedbde5b715' AND file:hashes.SHA256 = '801b04a1504f167c25f568f8d7cbac13bdde6440a609d0dcd64ebe225c197f9b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-11-06T19:59:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--7fb41421-37ea-4910-ac68-319d59bdcbad", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-06T19:59:18.000Z", "modified": "2019-11-06T19:59:18.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-11-04T23:59:41", "category": "Other", "comment": "DoppelPaymer", "uuid": "0bb87c96-21b6-4b12-997c-d8e329e3678d" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/801b04a1504f167c25f568f8d7cbac13bdde6440a609d0dcd64ebe225c197f9b/analysis/1572911981/", "category": "Payload delivery", "comment": "DoppelPaymer", "uuid": "556bfa2e-6a6d-405a-a050-051f2ba65972" }, { "type": "text", "object_relation": "detection-ratio", "value": "54/68", "category": "Payload delivery", "comment": "DoppelPaymer", "uuid": "26ceb39d-61ca-4f10-a6d9-d565989705e2" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--25d7c94e-5aad-4634-878d-15010c84f0aa", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-06T19:59:18.000Z", "modified": "2019-11-06T19:59:18.000Z", "pattern": "[file:hashes.MD5 = 'b365af317ae730a67c936f21432b9c71' AND file:hashes.SHA1 = 'a0bdfac3ce1880b32ff9b696458327ce352e3b1d' AND file:hashes.SHA256 = 'bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-11-06T19:59:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--f10bc385-bc29-4069-8374-abc49782561a", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-11-06T19:59:18.000Z", "modified": "2019-11-06T19:59:18.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-11-05T08:08:47", "category": "Other", "comment": "Encrypted PE Files Embedded in DoppelPaymer", "uuid": "35be71bd-7536-4d04-8ef0-608d868fe3ce" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4/analysis/1572941327/", "category": "Payload delivery", "comment": "Encrypted PE Files Embedded in DoppelPaymer", "uuid": "5d316b72-97a1-4935-bf13-366b77f8c6fd" }, { "type": "text", "object_relation": "detection-ratio", "value": "17/71", "category": "Payload delivery", "comment": "Encrypted PE Files Embedded in DoppelPaymer", "uuid": "1d009b4d-d054-4cbe-bef2-6d8b6d5e9112" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d741a727-322c-4637-930f-80edfb2ad847", "created": "2019-11-06T19:59:18.000Z", "modified": "2019-11-06T19:59:18.000Z", 
"relationship_type": "analysed-with", "source_ref": "indicator--bca0440a-4555-4587-b5a2-a541bd2a4dc9", "target_ref": "x-misp-object--b9af0b6b-5e5d-43a1-84c7-21e1357665f1" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--22408634-ee41-4ea2-b767-2f2a9879772a", "created": "2019-11-06T19:59:19.000Z", "modified": "2019-11-06T19:59:19.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--9ae6b1c8-d364-4e47-acf7-f6730fb4465c", "target_ref": "x-misp-object--b440661e-36e3-4b91-86ff-fa8760b84317" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--dbe0e066-4162-43e6-a951-89ab2e50892d", "created": "2019-11-06T19:59:19.000Z", "modified": "2019-11-06T19:59:19.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--756d7b88-3347-4a0c-9fef-01dbddfd34bb", "target_ref": "x-misp-object--6d1c9b11-06c8-4813-9485-89269e343f91" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c4405d26-6b1e-4c59-826a-7acb5fcf4f77", "created": "2019-11-06T19:59:19.000Z", "modified": "2019-11-06T19:59:19.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--c04e4714-a1ca-4318-98d3-a46cf6d6ad97", "target_ref": "x-misp-object--e943e2d5-8dec-4e03-8469-ee47c09f2568" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c64db77e-c64d-4e88-ae51-61eb118343f9", "created": "2019-11-06T19:59:19.000Z", "modified": "2019-11-06T19:59:19.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--2a17501a-3480-46f0-b0bd-5888c2ee8c92", "target_ref": "x-misp-object--7fb41421-37ea-4910-ac68-319d59bdcbad" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1c9e16db-d688-4121-8a64-7d72594ae13c", "created": "2019-11-06T19:59:20.000Z", "modified": "2019-11-06T19:59:20.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--25d7c94e-5aad-4634-878d-15010c84f0aa", "target_ref": "x-misp-object--f10bc385-bc29-4069-8374-abc49782561a" }, { "type": 
"marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }