{ "type": "bundle", "id": "bundle--5defbf60-c77c-4611-b627-03e368f8e8cf", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", "created": "2021-05-24T10:01:46.000Z", "modified": "2021-05-24T10:01:46.000Z", "name": "VK_INTEL_EVIL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5defbf60-c77c-4611-b627-03e368f8e8cf", "created_by_ref": "identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", "created": "2021-05-24T10:01:46.000Z", "modified": "2021-05-24T10:01:46.000Z", "name": "2019-12-10: TrickBot Project \u201cAnchor:\u201d Window Into Sophisticated Operation", "published": "2021-05-26T11:42:18Z", "object_refs": [ "indicator--5defbfce-cb0c-4c33-8b93-74cf68f8e8cf", "indicator--5defc04d-a59c-47ac-a1a5-03fd19d2faa1", "indicator--5defc04d-4b78-433d-9f82-03fd19d2faa1", "indicator--5defc04d-08c0-4909-85e3-03fd19d2faa1", "indicator--5defc04d-e5c0-4a82-b368-03fd19d2faa1", "indicator--5defc04d-f520-4bdf-9db1-03fd19d2faa1", "indicator--5defc04d-d238-48e8-889e-03fd19d2faa1", "indicator--5defc04d-9ca4-4559-b23a-03fd19d2faa1", "indicator--5defc04d-2934-4c99-a39f-03fd19d2faa1", "indicator--5defc0ca-4190-4543-9d3a-040819d2faa1", "indicator--5defc425-9808-4e88-a170-74d168f8e8cf", "indicator--5defc425-8690-4042-9e2d-74d168f8e8cf", "observed-data--5defcbb1-1128-4567-a936-ab51950d210f", "url--5defcbb1-1128-4567-a936-ab51950d210f", "indicator--d0cb4e83-d39b-4be9-bf27-865cf449ee58", "x-misp-object--8d59f261-04a2-4b38-9fe0-a1ed372ae412", "indicator--59697923-f806-485e-92e4-5c80f254cda0", "x-misp-object--a52de72c-ff08-4e4b-9557-989baeb96fa2", "indicator--3c20a8d5-ca69-433e-aef1-2a352ccf3221", "x-misp-object--d7e9e070-4a02-42c2-b6bc-a91da8b91667", "indicator--d2357103-d172-43df-9bef-4c018472adca", "x-misp-object--9fe3729a-9873-4b8c-8e4d-34564bf95f06", "indicator--f44bb30f-2c90-4d8f-b088-65c56436b223", "x-misp-object--3abbd5dc-13da-4144-9380-e725ca133b00", 
"indicator--325ddfbb-45e8-4357-a973-bb90f7cfb770", "x-misp-object--ba638838-9beb-4f15-99b9-2c65b2e5ae49", "indicator--7ac12301-9e22-4429-9236-127671f59fe3", "x-misp-object--8d2aeb0f-bff6-443e-a008-49d67bae2c25", "indicator--45d92c99-a5a1-45f2-85d9-01a8c2a0b12a", "x-misp-object--46194cae-7b60-4c07-8074-213e6dac9195", "indicator--7d3ddce8-bd13-42f3-b6d6-2698e9abc59d", "x-misp-object--4e9f91a3-50c9-4881-ae9a-dcc491ad9ac0", "indicator--c00e9e68-c6f6-4f46-b65d-cf2409b16c92", "x-misp-object--c261cdfa-356e-4cbb-8b09-fd82a644e2a2", "relationship--91950258-1919-48fa-8295-086f82be57f3", "relationship--111935f7-9f09-410a-ae3f-fd14afa9085d", "relationship--eb3fec52-7699-445e-8dc2-de3a993b9df0", "relationship--3e9028de-ef0e-4f67-9e05-f262fc57535c", "relationship--75200e4b-ed30-4344-b5eb-bac2c0c61826", "relationship--791fcee7-5dca-4875-aae7-2be63eb9689b", "relationship--9601c8d1-9fd7-467a-bde7-8dedaf94bc3c", "relationship--33b2c8be-3f2b-49e9-afe7-694b64d7e647", "relationship--d09fabe6-0886-4067-bf6d-c923c27ee110", "relationship--2f80460b-58eb-4cbf-8935-f38f580ad5af" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "Banker: TrickBot", "Anchor", "Memory Scraper", "misp-galaxy:malpedia=\"TrickBot\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "osint:certainty=\"50\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5defbfce-cb0c-4c33-8b93-74cf68f8e8cf", "created_by_ref": "identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", "created": "2019-12-10T15:54:54.000Z", "modified": "2019-12-10T15:54:54.000Z", "description": "Trick Anchor Yara", "pattern": "[rule crime_win32_anchor_trick_1\r\n{\r\nmeta:\r\n description = \"Detects Anchor malware\"\r\n author = \"Jason Reaves\"\r\n\r\nstrings: \r\n$s1 = \"D:\\\\Win32.ogw0rm\" nocase\r\n$s2 = \"MyProjects\\\\memoryScraper\" nocase\r\n$s3 = \"\\\\MyProjects\\\\secondWork\\\\Anchor\" nocase\r\n$s4 = 
\"\\\\MyProjects\\\\secondWork\\\\psExecutor\" nocase\r\n$s5 = \"\\\\MyProjects\\\\mailCollection\" nocase\r\n$s6 = \"\\\\MyProjects\\\\spreader\" nocase\r\ncondition:\r\nany of them\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2019-12-10T15:54:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Payload installation\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5defc04d-a59c-47ac-a1a5-03fd19d2faa1", "created_by_ref": "identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", "created": "2019-12-10T15:57:01.000Z", "modified": "2019-12-10T15:57:01.000Z", "description": "Memscraper payload", "pattern": "[file:hashes.SHA256 = 'e54a267e788cc076c870eba0ff16920f9cb49207a034a8b6bfd92abc5a5f7434']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-12-10T15:57:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5defc04d-4b78-433d-9f82-03fd19d2faa1", "created_by_ref": "identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", "created": "2019-12-10T15:57:01.000Z", "modified": "2019-12-10T15:57:01.000Z", "description": "Memscraper payload", "pattern": "[file:hashes.SHA256 = 'd584e868f867c6251e115b7909559da784f25b778192c6a24e49685f80257e4d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-12-10T15:57:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5defc04d-08c0-4909-85e3-03fd19d2faa1", "created_by_ref": "identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", 
"created": "2019-12-10T15:57:01.000Z", "modified": "2019-12-10T15:57:01.000Z", "description": "Memscraper DNS variant", "pattern": "[file:hashes.SHA256 = '354936f4265a5e870374a3fe9378cf9a3e7dd45ee4626b971d6b7b0837f4f181']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-12-10T15:57:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5defc04d-e5c0-4a82-b368-03fd19d2faa1", "created_by_ref": "identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", "created": "2019-12-10T15:57:01.000Z", "modified": "2019-12-10T15:57:01.000Z", "description": "Memscraper DNS variant", "pattern": "[file:hashes.SHA256 = '54257aa2394ef87dd510da00e0583b670f3eb43e2eef86be4db69c3432e99abd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-12-10T15:57:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5defc04d-f520-4bdf-9db1-03fd19d2faa1", "created_by_ref": "identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", "created": "2019-12-10T15:57:01.000Z", "modified": "2019-12-10T15:57:01.000Z", "description": "Anchor Deinstaller", "pattern": "[file:hashes.SHA256 = 'b288c3b3f5886b1cd7b6600df2b8046f2c0fd17360fb188ecfbcc8f6b7e552a5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-12-10T15:57:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5defc04d-d238-48e8-889e-03fd19d2faa1", "created_by_ref": 
"identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", "created": "2019-12-10T15:57:01.000Z", "modified": "2019-12-10T15:57:01.000Z", "description": "Anchor Installer", "pattern": "[file:hashes.SHA256 = '52a1ca4e65a99f997db0314add8c3b84c6f257844eda73ae6e5debce6abc2bd4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-12-10T15:57:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5defc04d-9ca4-4559-b23a-03fd19d2faa1", "created_by_ref": "identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", "created": "2019-12-10T15:57:01.000Z", "modified": "2019-12-10T15:57:01.000Z", "description": "Anchor Bot", "pattern": "[file:hashes.SHA256 = '6500190bf8253c015700eb071416cbe33a1c8f3b84aeb28b7118a6abe96005e3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-12-10T15:57:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5defc04d-2934-4c99-a39f-03fd19d2faa1", "created_by_ref": "identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", "created": "2019-12-10T15:57:01.000Z", "modified": "2019-12-10T15:57:01.000Z", "description": "Anchor DNS variant", "pattern": "[file:hashes.SHA256 = '6b1759936993f02df80b330d11c1b12accd53a80b6207cd1defc555e6e4bf57c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-12-10T15:57:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--5defc0ca-4190-4543-9d3a-040819d2faa1", "created_by_ref": "identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", "created": "2019-12-10T15:59:06.000Z", "modified": "2019-12-10T15:59:06.000Z", "description": "Anchor DNS variant", "pattern": "[file:hashes.SHA256 = 'e49e6f0b194ff7c83ec02b3c2efc9e746a4b2ba74607a4aad8fbdcdc66baa8dc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-12-10T15:59:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5defc425-9808-4e88-a170-74d168f8e8cf", "created_by_ref": "identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", "created": "2019-12-10T16:13:25.000Z", "modified": "2019-12-10T16:13:25.000Z", "description": "Anchor DNS variant", "pattern": "[file:hashes.SHA256 = 'b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-12-10T16:13:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5defc425-8690-4042-9e2d-74d168f8e8cf", "created_by_ref": "identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", "created": "2019-12-10T16:13:25.000Z", "modified": "2019-12-10T16:13:25.000Z", "description": "Anchor DNS variant", "pattern": "[file:hashes.SHA256 = 'c6d466600371ced9d962594474a4b8b0ccff19adc59dbd2027c10d930afbe282']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-12-10T16:13:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload installation" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload installation\"", "misp:to_ids=\"True\"" 
] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5defcbb1-1128-4567-a936-ab51950d210f", "created_by_ref": "identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", "created": "2019-12-10T16:45:37.000Z", "modified": "2019-12-10T16:45:37.000Z", "first_observed": "2019-12-10T16:45:37Z", "last_observed": "2019-12-10T16:45:37Z", "number_observed": 1, "object_refs": [ "url--5defcbb1-1128-4567-a936-ab51950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5defcbb1-1128-4567-a936-ab51950d210f", "value": "https://github.com/SentineLabs/TrickBot-Anchor/blob/master/2019-12-10-trickbot-anchor-blog.vk.misp.json" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d0cb4e83-d39b-4be9-bf27-865cf449ee58", "created_by_ref": "identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", "created": "2019-12-10T16:45:01.000Z", "modified": "2019-12-10T16:45:01.000Z", "pattern": "[file:hashes.MD5 = 'ae48b4d1d0da879512b495ec1f80cf67' AND file:hashes.SHA1 = 'b388243bf5899c99091ac2df13339f141659bbd4' AND file:hashes.SHA256 = 'b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-12-10T16:45:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--8d59f261-04a2-4b38-9fe0-a1ed372ae412", "created_by_ref": "identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", "created": "2019-12-10T16:45:01.000Z", "modified": "2019-12-10T16:45:01.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-10-15T18:47:28", "category": "Other", "comment": "Anchor DNS variant", "uuid": 
"31d66a22-e70d-43e4-af6f-ac9ca2856207" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329/analysis/1571165248/", "category": "External analysis", "comment": "Anchor DNS variant", "uuid": "81544988-2b02-4a5d-a8be-4519393f64d7" }, { "type": "text", "object_relation": "detection-ratio", "value": "53/70", "category": "Payload installation", "comment": "Anchor DNS variant", "uuid": "7b2c1ba8-7583-488b-88e2-b5336e3ea744" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59697923-f806-485e-92e4-5c80f254cda0", "created_by_ref": "identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", "created": "2019-12-10T16:45:02.000Z", "modified": "2019-12-10T16:45:02.000Z", "pattern": "[file:hashes.MD5 = '8ae6cd70b4acf2b17b3b678eb741344e' AND file:hashes.SHA1 = '299d63fef8274c51325a6f7b3e2bb7578c978d19' AND file:hashes.SHA256 = 'd584e868f867c6251e115b7909559da784f25b778192c6a24e49685f80257e4d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-12-10T16:45:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--a52de72c-ff08-4e4b-9557-989baeb96fa2", "created_by_ref": "identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", "created": "2019-12-10T16:45:02.000Z", "modified": "2019-12-10T16:45:02.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-09-13T09:37:29", "category": "Other", "comment": "Memscraper payload", "uuid": "c31388c5-410e-456c-93d8-bd92a56c94a0" }, { "type": "link", "object_relation": "permalink", "value": 
"https://www.virustotal.com/file/d584e868f867c6251e115b7909559da784f25b778192c6a24e49685f80257e4d/analysis/1536831449/", "category": "Payload delivery", "comment": "Memscraper payload", "uuid": "830a634d-51b7-42e1-af5b-6d05b45f13c2" }, { "type": "text", "object_relation": "detection-ratio", "value": "1/68", "category": "Payload delivery", "comment": "Memscraper payload", "uuid": "9ea82fdf-c020-439f-bfc4-78f4222b43d1" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3c20a8d5-ca69-433e-aef1-2a352ccf3221", "created_by_ref": "identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", "created": "2019-12-10T16:45:02.000Z", "modified": "2019-12-10T16:45:02.000Z", "pattern": "[file:hashes.MD5 = '9998b8cf8f204cadb9a855f42af0ddc5' AND file:hashes.SHA1 = '314967cc074e31b448d42ca15ab43fff27d716c7' AND file:hashes.SHA256 = 'e54a267e788cc076c870eba0ff16920f9cb49207a034a8b6bfd92abc5a5f7434']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-12-10T16:45:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--d7e9e070-4a02-42c2-b6bc-a91da8b91667", "created_by_ref": "identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", "created": "2019-12-10T16:45:03.000Z", "modified": "2019-12-10T16:45:03.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2018-08-15T14:40:18", "category": "Other", "comment": "Memscraper payload", "uuid": "290a435a-597a-493f-8687-33fd7883999d" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/e54a267e788cc076c870eba0ff16920f9cb49207a034a8b6bfd92abc5a5f7434/analysis/1534344018/", "category": "Payload 
delivery", "comment": "Memscraper payload", "uuid": "5b3ac3e7-faa0-4a8a-ae01-ecfc3717229a" }, { "type": "text", "object_relation": "detection-ratio", "value": "4/68", "category": "Payload delivery", "comment": "Memscraper payload", "uuid": "5aba37ab-b2fb-4754-918f-c1039daa36b4" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d2357103-d172-43df-9bef-4c018472adca", "created_by_ref": "identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", "created": "2019-12-10T16:45:03.000Z", "modified": "2019-12-10T16:45:03.000Z", "pattern": "[file:hashes.MD5 = '737346c9511b32f1b6f878667785dc32' AND file:hashes.SHA1 = '945852060bea021b20855f4cd913951f5b1b14c9' AND file:hashes.SHA256 = '354936f4265a5e870374a3fe9378cf9a3e7dd45ee4626b971d6b7b0837f4f181']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-12-10T16:45:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--9fe3729a-9873-4b8c-8e4d-34564bf95f06", "created_by_ref": "identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", "created": "2019-12-10T16:45:03.000Z", "modified": "2019-12-10T16:45:03.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-03-11T09:23:25", "category": "Other", "comment": "Memscraper DNS variant", "uuid": "c414d184-c756-40a7-8525-e99b49a6b3e8" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/354936f4265a5e870374a3fe9378cf9a3e7dd45ee4626b971d6b7b0837f4f181/analysis/1552296205/", "category": "Payload delivery", "comment": "Memscraper DNS variant", "uuid": "dc5736ac-4bba-484e-8a61-e0c14ebd6245" }, { "type": "text", "object_relation": 
"detection-ratio", "value": "3/68", "category": "Payload delivery", "comment": "Memscraper DNS variant", "uuid": "add6615e-45c7-448d-a62c-ee332c0d374b" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f44bb30f-2c90-4d8f-b088-65c56436b223", "created_by_ref": "identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", "created": "2019-12-10T16:45:03.000Z", "modified": "2019-12-10T16:45:03.000Z", "pattern": "[file:hashes.MD5 = '488ec17aff5f12732fc3a5c7503e26ba' AND file:hashes.SHA1 = 'a96fe2efc6a0b661cf30420d13584b4ffbd654fe' AND file:hashes.SHA256 = '6500190bf8253c015700eb071416cbe33a1c8f3b84aeb28b7118a6abe96005e3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-12-10T16:45:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--3abbd5dc-13da-4144-9380-e725ca133b00", "created_by_ref": "identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", "created": "2019-12-10T16:45:03.000Z", "modified": "2019-12-10T16:45:03.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-10-24T02:09:12", "category": "Other", "comment": "Anchor Bot", "uuid": "8dbd1370-04fb-4bea-8359-b34a391270cf" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/6500190bf8253c015700eb071416cbe33a1c8f3b84aeb28b7118a6abe96005e3/analysis/1571882952/", "category": "Payload delivery", "comment": "Anchor Bot", "uuid": "81502d9d-a6d9-41ce-a263-9f517d5b0e6f" }, { "type": "text", "object_relation": "detection-ratio", "value": "25/71", "category": "Payload delivery", "comment": "Anchor Bot", "uuid": "43fcfa2f-ead0-48ce-91d6-e17128f78d0b" } ], 
"x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--325ddfbb-45e8-4357-a973-bb90f7cfb770", "created_by_ref": "identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", "created": "2019-12-10T16:45:03.000Z", "modified": "2019-12-10T16:45:03.000Z", "pattern": "[file:hashes.MD5 = 'ad4e7904c241bb64955bd066806b25a8' AND file:hashes.SHA1 = '33c9a73ec1150f0b55903537e79e11413954e58f' AND file:hashes.SHA256 = 'e49e6f0b194ff7c83ec02b3c2efc9e746a4b2ba74607a4aad8fbdcdc66baa8dc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-12-10T16:45:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--ba638838-9beb-4f15-99b9-2c65b2e5ae49", "created_by_ref": "identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", "created": "2019-12-10T16:45:03.000Z", "modified": "2019-12-10T16:45:03.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-10-15T19:32:52", "category": "Other", "comment": "Anchor DNS variant", "uuid": "db9fe6d4-d514-4964-a57b-b0501ff0a308" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/e49e6f0b194ff7c83ec02b3c2efc9e746a4b2ba74607a4aad8fbdcdc66baa8dc/analysis/1571167972/", "category": "Payload delivery", "comment": "Anchor DNS variant", "uuid": "e407382e-ed51-4a60-9be0-319f391d78ae" }, { "type": "text", "object_relation": "detection-ratio", "value": "26/69", "category": "Payload delivery", "comment": "Anchor DNS variant", "uuid": "9adbfe67-fec1-494c-b00c-14dde0e50dd7" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--7ac12301-9e22-4429-9236-127671f59fe3", "created_by_ref": "identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", "created": "2019-12-10T16:45:04.000Z", "modified": "2019-12-10T16:45:04.000Z", "pattern": "[file:hashes.MD5 = '7dd84d1e59e01f4409e5239bae78ae23' AND file:hashes.SHA1 = '8b185b88519206b883554613a8660cd73dc8fff5' AND file:hashes.SHA256 = 'c6d466600371ced9d962594474a4b8b0ccff19adc59dbd2027c10d930afbe282']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-12-10T16:45:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--8d2aeb0f-bff6-443e-a008-49d67bae2c25", "created_by_ref": "identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", "created": "2019-12-10T16:45:04.000Z", "modified": "2019-12-10T16:45:04.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-12-04T19:54:22", "category": "Other", "comment": "Anchor DNS variant", "uuid": "cc973c30-1507-49b1-b692-4296a905d10b" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/c6d466600371ced9d962594474a4b8b0ccff19adc59dbd2027c10d930afbe282/analysis/1575489262/", "category": "External analysis", "comment": "Anchor DNS variant", "uuid": "29b23c8e-9a19-4020-942f-731201eafaee" }, { "type": "text", "object_relation": "detection-ratio", "value": "37/71", "category": "Payload installation", "comment": "Anchor DNS variant", "uuid": "f2d5079e-02d4-440a-8f87-0712e3788c81" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--45d92c99-a5a1-45f2-85d9-01a8c2a0b12a", "created_by_ref": "identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", "created": 
"2019-12-10T16:45:04.000Z", "modified": "2019-12-10T16:45:04.000Z", "pattern": "[file:hashes.MD5 = 'b9b5f5039c19f15ca610baa095642f8a' AND file:hashes.SHA1 = '6464f52a47c362195a219bd5cf529338bf29a5c9' AND file:hashes.SHA256 = 'b288c3b3f5886b1cd7b6600df2b8046f2c0fd17360fb188ecfbcc8f6b7e552a5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-12-10T16:45:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--46194cae-7b60-4c07-8074-213e6dac9195", "created_by_ref": "identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", "created": "2019-12-10T16:45:04.000Z", "modified": "2019-12-10T16:45:04.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-08-16T13:42:12", "category": "Other", "comment": "Anchor Deinstaller", "uuid": "83380f01-b9ea-4fa8-8a19-dd471362abbc" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/b288c3b3f5886b1cd7b6600df2b8046f2c0fd17360fb188ecfbcc8f6b7e552a5/analysis/1565962932/", "category": "Payload delivery", "comment": "Anchor Deinstaller", "uuid": "74f02707-1c5f-4f1f-88a2-0dc51cf65d12" }, { "type": "text", "object_relation": "detection-ratio", "value": "46/67", "category": "Payload delivery", "comment": "Anchor Deinstaller", "uuid": "69130a7e-3ad9-4d85-9bd2-b37d51016fd4" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7d3ddce8-bd13-42f3-b6d6-2698e9abc59d", "created_by_ref": "identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", "created": "2019-12-10T16:45:04.000Z", "modified": "2019-12-10T16:45:04.000Z", "pattern": "[file:hashes.MD5 = 'b21646d0e17312079f3e509d5e5a7830' AND 
file:hashes.SHA1 = '8beef55eee4608afe013741033f060c8f47804b5' AND file:hashes.SHA256 = '6b1759936993f02df80b330d11c1b12accd53a80b6207cd1defc555e6e4bf57c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-12-10T16:45:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--4e9f91a3-50c9-4881-ae9a-dcc491ad9ac0", "created_by_ref": "identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", "created": "2019-12-10T16:45:04.000Z", "modified": "2019-12-10T16:45:04.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-11-27T02:02:59", "category": "Other", "comment": "Anchor DNS variant", "uuid": "d6009263-d189-4690-bf00-6a13b5c8bfb9" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/6b1759936993f02df80b330d11c1b12accd53a80b6207cd1defc555e6e4bf57c/analysis/1574820179/", "category": "Payload delivery", "comment": "Anchor DNS variant", "uuid": "7fe80e07-3bfa-4a4e-8632-51edb7f824af" }, { "type": "text", "object_relation": "detection-ratio", "value": "28/68", "category": "Payload delivery", "comment": "Anchor DNS variant", "uuid": "4b8324b6-c59c-4dd0-9ff8-b119d25bc766" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c00e9e68-c6f6-4f46-b65d-cf2409b16c92", "created_by_ref": "identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", "created": "2019-12-10T16:45:05.000Z", "modified": "2019-12-10T16:45:05.000Z", "pattern": "[file:hashes.MD5 = '3045fb2685124532f28829e07d2d07fb' AND file:hashes.SHA1 = 'b437667e8f3e6b2676cb4c4d7f05435fbc2ba168' AND file:hashes.SHA256 = 
'54257aa2394ef87dd510da00e0583b670f3eb43e2eef86be4db69c3432e99abd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-12-10T16:45:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--c261cdfa-356e-4cbb-8b09-fd82a644e2a2", "created_by_ref": "identity--5d2fbc3a-e520-4bf9-89b7-1b0a68f8e8cf", "created": "2019-12-10T16:45:05.000Z", "modified": "2019-12-10T16:45:05.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-04-09T16:34:27", "category": "Other", "comment": "Memscraper DNS variant", "uuid": "ec9b20a9-4286-4421-91dd-9046797d55af" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/54257aa2394ef87dd510da00e0583b670f3eb43e2eef86be4db69c3432e99abd/analysis/1554827667/", "category": "Payload delivery", "comment": "Memscraper DNS variant", "uuid": "c4360cc4-1826-4682-849f-29b193e44d51" }, { "type": "text", "object_relation": "detection-ratio", "value": "4/66", "category": "Payload delivery", "comment": "Memscraper DNS variant", "uuid": "30f6b412-8f65-4aba-b678-9e7228eaeb2d" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--91950258-1919-48fa-8295-086f82be57f3", "created": "2021-05-24T10:01:46.000Z", "modified": "2021-05-24T10:01:46.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--d0cb4e83-d39b-4be9-bf27-865cf449ee58", "target_ref": "x-misp-object--8d59f261-04a2-4b38-9fe0-a1ed372ae412" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--111935f7-9f09-410a-ae3f-fd14afa9085d", "created": "2021-05-24T10:01:46.000Z", "modified": 
"2021-05-24T10:01:46.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--59697923-f806-485e-92e4-5c80f254cda0", "target_ref": "x-misp-object--a52de72c-ff08-4e4b-9557-989baeb96fa2" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--eb3fec52-7699-445e-8dc2-de3a993b9df0", "created": "2021-05-24T10:01:46.000Z", "modified": "2021-05-24T10:01:46.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--3c20a8d5-ca69-433e-aef1-2a352ccf3221", "target_ref": "x-misp-object--d7e9e070-4a02-42c2-b6bc-a91da8b91667" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3e9028de-ef0e-4f67-9e05-f262fc57535c", "created": "2021-05-24T10:01:46.000Z", "modified": "2021-05-24T10:01:46.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--d2357103-d172-43df-9bef-4c018472adca", "target_ref": "x-misp-object--9fe3729a-9873-4b8c-8e4d-34564bf95f06" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--75200e4b-ed30-4344-b5eb-bac2c0c61826", "created": "2021-05-24T10:01:46.000Z", "modified": "2021-05-24T10:01:46.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--f44bb30f-2c90-4d8f-b088-65c56436b223", "target_ref": "x-misp-object--3abbd5dc-13da-4144-9380-e725ca133b00" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--791fcee7-5dca-4875-aae7-2be63eb9689b", "created": "2021-05-24T10:01:46.000Z", "modified": "2021-05-24T10:01:46.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--325ddfbb-45e8-4357-a973-bb90f7cfb770", "target_ref": "x-misp-object--ba638838-9beb-4f15-99b9-2c65b2e5ae49" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9601c8d1-9fd7-467a-bde7-8dedaf94bc3c", "created": "2021-05-24T10:01:46.000Z", "modified": "2021-05-24T10:01:46.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--7ac12301-9e22-4429-9236-127671f59fe3", "target_ref": 
"x-misp-object--8d2aeb0f-bff6-443e-a008-49d67bae2c25" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--33b2c8be-3f2b-49e9-afe7-694b64d7e647", "created": "2021-05-24T10:01:46.000Z", "modified": "2021-05-24T10:01:46.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--45d92c99-a5a1-45f2-85d9-01a8c2a0b12a", "target_ref": "x-misp-object--46194cae-7b60-4c07-8074-213e6dac9195" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d09fabe6-0886-4067-bf6d-c923c27ee110", "created": "2021-05-24T10:01:46.000Z", "modified": "2021-05-24T10:01:46.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--7d3ddce8-bd13-42f3-b6d6-2698e9abc59d", "target_ref": "x-misp-object--4e9f91a3-50c9-4881-ae9a-dcc491ad9ac0" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2f80460b-58eb-4cbf-8935-f38f580ad5af", "created": "2021-05-24T10:01:46.000Z", "modified": "2021-05-24T10:01:46.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--c00e9e68-c6f6-4f46-b65d-cf2409b16c92", "target_ref": "x-misp-object--c261cdfa-356e-4cbb-8b09-fd82a644e2a2" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }