{ "type": "bundle", "id": "bundle--58dcfe62-ed84-4e5e-b293-4991950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-28T18:23:44.000Z", "modified": "2017-04-28T18:23:44.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--58dcfe62-ed84-4e5e-b293-4991950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-28T18:23:44.000Z", "modified": "2017-04-28T18:23:44.000Z", "name": "OSINT - Carbon Paper: Peering into Turla\u2019s second stage backdoor", "published": "2017-04-28T20:02:31Z", "object_refs": [ "observed-data--58dcfe9d-297c-4342-9155-42b6950d210f", "url--58dcfe9d-297c-4342-9155-42b6950d210f", "x-misp-attribute--58dcfed4-9290-4b22-a5c4-4530950d210f", "indicator--58dcfef9-5b0c-4d85-b0d8-4490950d210f", "indicator--58dcfefa-f510-40f2-89a7-4b17950d210f", "indicator--58dcfefa-25e0-413a-9a20-45b9950d210f", "indicator--58dcfefb-62cc-407b-8f80-469b950d210f", "indicator--58dcfefc-c1e0-45bc-8145-4d80950d210f", "indicator--58dcfefd-d154-4651-8701-43e1950d210f", "indicator--58dcfefe-4d10-40ba-b545-486f950d210f", "indicator--58dcfeff-92dc-4bf1-93d7-4fb7950d210f", "indicator--58dcfeff-6fac-4823-aab5-42c6950d210f", "indicator--58dcff00-b88c-4883-808c-409b950d210f", "indicator--58dcff01-9700-41b4-9edd-4ef4950d210f", "indicator--58dcff02-93c4-4d80-8cf6-43f9950d210f", "indicator--58dcff03-df24-4707-97e5-4199950d210f", "indicator--58dcff04-7f1c-4262-9be6-4692950d210f", "indicator--58dcff04-eb80-4341-85fb-44a7950d210f", "indicator--58dcff05-ae78-4cf2-9304-4cdd950d210f", "indicator--58dcff06-9a44-4ae6-847b-45ae950d210f", "indicator--58dcff07-2680-4a30-b9d7-4011950d210f", "indicator--58dcff08-1a34-4739-8962-4427950d210f", "indicator--58dcff09-929c-4759-9bb9-41ea950d210f", "indicator--58dcff09-ca80-4976-8dcc-402b950d210f", "indicator--58dcff0a-1624-4412-a929-4c3a950d210f", 
"indicator--58dcff0b-ee34-4335-909c-4b7e950d210f", "indicator--58dcff6e-1954-4818-a306-44d9950d210f", "indicator--58dcff6f-9334-4ff6-974f-41de950d210f", "indicator--58dcff70-0fb0-4437-9781-4b6e950d210f", "indicator--58dcff71-7df8-45e7-8147-43a9950d210f", "indicator--58dcff72-f5c0-4a48-905e-449a950d210f", "indicator--58dcff73-fb90-4c4e-9f60-4227950d210f", "indicator--58dcffa3-f8f4-4c59-bbe4-4dc1950d210f", "indicator--58dcffbe-0f98-439c-a916-4524950d210f", "indicator--58dcffdf-e07c-4be4-b0af-4180950d210f", "indicator--58dd0020-5a10-4542-bdee-436202de0b81", "indicator--58dd0021-383c-416f-9302-4ba602de0b81", "observed-data--58dd0021-2968-4da8-bfcb-481702de0b81", "url--58dd0021-2968-4da8-bfcb-481702de0b81", "indicator--58dd0022-213c-42a4-9fac-460602de0b81", "indicator--58dd0023-17f4-444c-89ca-428302de0b81", "observed-data--58dd0024-6ac8-434b-877c-430c02de0b81", "url--58dd0024-6ac8-434b-877c-430c02de0b81", "indicator--58dd0025-cec4-42ff-a43d-48ef02de0b81", "indicator--58dd0026-146c-465b-acd3-434502de0b81", "observed-data--58dd0027-e934-4d33-a983-412202de0b81", "url--58dd0027-e934-4d33-a983-412202de0b81", "indicator--58dd0028-37f4-473e-9d2f-4caf02de0b81", "indicator--58dd0029-2d4c-47cb-ac4c-4beb02de0b81", "observed-data--58dd002a-5acc-4d51-b75b-468e02de0b81", "url--58dd002a-5acc-4d51-b75b-468e02de0b81", "indicator--58dd002a-f7b4-4527-853e-4fa002de0b81", "indicator--58dd002b-43c4-483a-b84e-4f0202de0b81", "observed-data--58dd002c-2a44-4162-8831-449d02de0b81", "url--58dd002c-2a44-4162-8831-449d02de0b81", "indicator--58dd002d-ee14-4e08-83e8-468b02de0b81", "indicator--58dd002e-38d0-496d-b553-488302de0b81", "observed-data--58dd002f-e984-4cc5-93e2-427202de0b81", "url--58dd002f-e984-4cc5-93e2-427202de0b81", "indicator--58dd0030-18bc-45aa-9365-4a3502de0b81", "indicator--58dd0030-6898-4767-9ad6-4ea602de0b81", "observed-data--58dd0031-cac4-4c84-9ebc-4c4a02de0b81", "url--58dd0031-cac4-4c84-9ebc-4c4a02de0b81", "indicator--58dd0032-fa80-4125-adbb-4e6f02de0b81", 
"indicator--58dd0033-60e0-4e52-b5ba-4e4902de0b81", "observed-data--58dd0034-c460-4ba5-b29d-44c802de0b81", "url--58dd0034-c460-4ba5-b29d-44c802de0b81", "indicator--58dd0035-adb0-4116-8b7f-4a3d02de0b81", "indicator--58dd0035-62f8-4558-9033-4e4302de0b81", "observed-data--58dd0036-68cc-4f5f-a571-4a3802de0b81", "url--58dd0036-68cc-4f5f-a571-4a3802de0b81", "indicator--58dd0037-8088-49e9-944f-45ff02de0b81", "indicator--58dd0038-5144-4ed3-adfe-4d3102de0b81", "observed-data--58dd0039-0208-4066-bc11-4eb502de0b81", "url--58dd0039-0208-4066-bc11-4eb502de0b81", "indicator--58dd003a-b738-4acc-a32b-470c02de0b81", "indicator--58dd003b-134c-47ef-9ec6-431402de0b81", "observed-data--58dd003c-06e4-456b-b541-4a0302de0b81", "url--58dd003c-06e4-456b-b541-4a0302de0b81", "indicator--58dd003d-9d0c-4261-9263-492e02de0b81", "indicator--58dd003d-866c-493e-ab08-42ad02de0b81", "observed-data--58dd003e-eca8-4aaa-ae60-4cca02de0b81", "url--58dd003e-eca8-4aaa-ae60-4cca02de0b81", "indicator--58dd003f-e27c-4949-aab7-490c02de0b81", "indicator--58dd0040-c27c-4ff6-bc0d-41d902de0b81", "observed-data--58dd0041-f364-447a-82a3-423c02de0b81", "url--58dd0041-f364-447a-82a3-423c02de0b81", "indicator--58dd0042-ff94-4d44-8926-42b202de0b81", "indicator--58dd0043-e258-4a82-b1cf-4f5b02de0b81", "observed-data--58dd0044-5cfc-4f5d-bed1-42ec02de0b81", "url--58dd0044-5cfc-4f5d-bed1-42ec02de0b81", "indicator--58dd0045-00c8-447f-b23a-4da402de0b81", "indicator--58dd0045-20e4-4b68-8b47-44a502de0b81", "observed-data--58dd0046-5560-49b6-8f5d-428102de0b81", "url--58dd0046-5560-49b6-8f5d-428102de0b81", "indicator--58dd0047-efc8-49f9-8a9d-4bc502de0b81", "indicator--58dd0048-f4bc-4507-9132-475902de0b81", "observed-data--58dd0049-3be8-4d8a-8293-4d8d02de0b81", "url--58dd0049-3be8-4d8a-8293-4d8d02de0b81", "indicator--58dd004a-9f74-4c4d-94da-4c6802de0b81", "indicator--58dd004b-5b70-47be-a686-4e3002de0b81", "observed-data--58dd004b-4d28-44d7-9414-425902de0b81", "url--58dd004b-4d28-44d7-9414-425902de0b81", 
"indicator--58dd004c-71f0-4e9c-85c4-4a4d02de0b81", "indicator--58dd004d-5b4c-46b6-8974-40c602de0b81", "observed-data--58dd004e-33e8-45a4-825d-491d02de0b81", "url--58dd004e-33e8-45a4-825d-491d02de0b81", "indicator--58dd004f-1e20-4e75-8e21-477f02de0b81", "indicator--58dd0050-d094-4d4f-86a3-4f4502de0b81", "observed-data--58dd0051-ce8c-4059-9ecb-476902de0b81", "url--58dd0051-ce8c-4059-9ecb-476902de0b81", "indicator--58dd0052-8e84-4b91-908a-40af02de0b81", "indicator--58dd0052-8680-469f-8cbb-4f3802de0b81", "observed-data--58dd0053-5978-4766-94a4-468f02de0b81", "url--58dd0053-5978-4766-94a4-468f02de0b81", "indicator--58dd0054-7e04-4ad1-b86f-47d002de0b81", "indicator--58dd0055-b800-4361-9aa0-47be02de0b81", "observed-data--58dd0056-6e74-43d5-b58b-494802de0b81", "url--58dd0056-6e74-43d5-b58b-494802de0b81", "indicator--58dd0057-5a14-4f5d-884b-490202de0b81", "indicator--58dd0057-cde0-4faa-a196-4a6302de0b81", "observed-data--58dd0058-dcd4-4271-8e57-432702de0b81", "url--58dd0058-dcd4-4271-8e57-432702de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:tool=\"Turla\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58dcfe9d-297c-4342-9155-42b6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:26.000Z", "modified": "2017-03-30T12:54:26.000Z", "first_observed": "2017-03-30T12:54:26Z", "last_observed": "2017-03-30T12:54:26Z", "number_observed": 1, "object_refs": [ "url--58dcfe9d-297c-4342-9155-42b6950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58dcfe9d-297c-4342-9155-42b6950d210f", "value": "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": 
"x-misp-attribute--58dcfed4-9290-4b22-a5c4-4530950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:26.000Z", "modified": "2017-03-30T12:54:26.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "The Turla espionage group has been targeting various institutions for many years. Recently, we found several new versions of Carbon, a second stage backdoor in the Turla group arsenal. Last year, a technical analysis of this component was made by Swiss GovCERT.ch as part of their report detailing the attack that a defense firm owned by the Swiss government, RUAG, suffered in the past.\r\n\r\nThis blog post highlights the technical innovations that we found in the latest versions of Carbon we have discovered.\r\n\r\nLooking at the different versions numbers of Carbon we have, it is clear that it is still under active development. Through the internal versions embedded in the code, we see the new versions are pushed out regularly. The group is also known to change its tools once they are exposed. As such, we have seen that between two major versions, mutexes and file names are being changed." 
}, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dcfef9-5b0c-4d85-b0d8-4490950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:26.000Z", "modified": "2017-03-30T12:54:26.000Z", "description": "Carbon sample", "pattern": "[file:hashes.SHA1 = '7f3a60613a3bdb5f1f8616e6ca469d3b78b1b45b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:54:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dcfefa-f510-40f2-89a7-4b17950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:26.000Z", "modified": "2017-03-30T12:54:26.000Z", "description": "Carbon sample", "pattern": "[file:hashes.SHA1 = 'a08b8371ead1919500a4759c2f46553620d5a9d9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:54:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dcfefa-25e0-413a-9a20-45b9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:26.000Z", "modified": "2017-03-30T12:54:26.000Z", "description": "Carbon sample", "pattern": "[file:hashes.SHA1 = '4636dccac5acf1d95a474747bb7bcd9b1a506cc3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:54:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--58dcfefb-62cc-407b-8f80-469b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:26.000Z", "modified": "2017-03-30T12:54:26.000Z", "description": "Carbon sample", "pattern": "[file:hashes.SHA1 = 'cbde204e7641830017bb84b89223131b2126bc46']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:54:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dcfefc-c1e0-45bc-8145-4d80950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:26.000Z", "modified": "2017-03-30T12:54:26.000Z", "description": "Carbon sample", "pattern": "[file:hashes.SHA1 = '1ad46547e3dc264f940bf62df455b26e65b0101f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:54:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dcfefd-d154-4651-8701-43e1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:26.000Z", "modified": "2017-03-30T12:54:26.000Z", "description": "Carbon sample", "pattern": "[file:hashes.SHA1 = 'a28164de29e51f154be12d163ce5818fceb69233']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:54:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dcfefe-4d10-40ba-b545-486f950d210f", 
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:26.000Z", "modified": "2017-03-30T12:54:26.000Z", "description": "Carbon sample", "pattern": "[file:hashes.SHA1 = '7c43f5df784bf50423620d8f1c96e43d8d9a9b28']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:54:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dcfeff-92dc-4bf1-93d7-4fb7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:26.000Z", "modified": "2017-03-30T12:54:26.000Z", "description": "Carbon sample", "pattern": "[file:hashes.SHA1 = '7ce746bb988cb3b7e64f08174bdb02938555ea53']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:54:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dcfeff-6fac-4823-aab5-42c6950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:26.000Z", "modified": "2017-03-30T12:54:26.000Z", "description": "Carbon sample", "pattern": "[file:hashes.SHA1 = '20393222d4eb1ba72a6536f7e67e139aadfa47fe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:54:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dcff00-b88c-4883-808c-409b950d210f", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:26.000Z", "modified": "2017-03-30T12:54:26.000Z", "description": "Carbon sample", "pattern": "[file:hashes.SHA1 = '1dbfcb9005abb2c83ffa6a3127257a009612798c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:54:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dcff01-9700-41b4-9edd-4ef4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:26.000Z", "modified": "2017-03-30T12:54:26.000Z", "description": "Carbon sample", "pattern": "[file:hashes.SHA1 = '2f7e335e092e04f3f4734b60c5345003d10aa15d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:54:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dcff02-93c4-4d80-8cf6-43f9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:26.000Z", "modified": "2017-03-30T12:54:26.000Z", "description": "Carbon sample", "pattern": "[file:hashes.SHA1 = '311f399c299741e80db8bec65bbf4b56109eedaf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:54:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dcff03-df24-4707-97e5-4199950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", 
"created": "2017-03-30T12:54:26.000Z", "modified": "2017-03-30T12:54:26.000Z", "description": "Carbon sample", "pattern": "[file:hashes.SHA1 = 'fbc43636e3c9378162f3b9712cb6d87bd48ddbd3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:54:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dcff04-7f1c-4262-9be6-4692950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:26.000Z", "modified": "2017-03-30T12:54:26.000Z", "description": "Carbon sample", "pattern": "[file:hashes.SHA1 = '554f59c1578f4ee77dbba6a23507401359a59f23']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:54:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dcff04-eb80-4341-85fb-44a7950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:26.000Z", "modified": "2017-03-30T12:54:26.000Z", "description": "Carbon sample", "pattern": "[file:hashes.SHA1 = '2227fd6fc9d669a9b66c59593533750477669557']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:54:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dcff05-ae78-4cf2-9304-4cdd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:26.000Z", "modified": 
"2017-03-30T12:54:26.000Z", "description": "Carbon sample", "pattern": "[file:hashes.SHA1 = '87d718f2d6e46c53490c6a22de399c13f05336f0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:54:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dcff06-9a44-4ae6-847b-45ae950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:26.000Z", "modified": "2017-03-30T12:54:26.000Z", "description": "Carbon sample", "pattern": "[file:hashes.SHA1 = '1b233af41106d7915f6fa6fd1448b7f070b47eb3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:54:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dcff07-2680-4a30-b9d7-4011950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:26.000Z", "modified": "2017-03-30T12:54:26.000Z", "description": "Carbon sample", "pattern": "[file:hashes.SHA1 = '851e538357598ed96f0123b47694e25c2d52552b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:54:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dcff08-1a34-4739-8962-4427950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:26.000Z", "modified": "2017-03-30T12:54:26.000Z", "description": "Carbon 
sample", "pattern": "[file:hashes.SHA1 = '744b43d8c0fe8b217acf0494ad992df6d5191ed9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:54:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dcff09-929c-4759-9bb9-41ea950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:26.000Z", "modified": "2017-03-30T12:54:26.000Z", "description": "Carbon sample", "pattern": "[file:hashes.SHA1 = 'bcf52240cc7940185ce424224d39564257610340']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:54:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dcff09-ca80-4976-8dcc-402b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:26.000Z", "modified": "2017-03-30T12:54:26.000Z", "description": "Carbon sample", "pattern": "[file:hashes.SHA1 = '777e2695ae408e1578a16991373144333732c3f6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:54:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dcff0a-1624-4412-a929-4c3a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:26.000Z", "modified": "2017-03-30T12:54:26.000Z", "description": "Carbon sample", "pattern": "[file:hashes.SHA1 = 
'56b5627debb93790fdbcc9ecbffc3260adeafbab']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:54:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dcff0b-ee34-4335-909c-4b7e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:26.000Z", "modified": "2017-03-30T12:54:26.000Z", "description": "Carbon sample", "pattern": "[file:hashes.SHA1 = '678d486e21b001deb58353ca0255e3e5678f9614']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:54:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dcff6e-1954-4818-a306-44d9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:26.000Z", "modified": "2017-03-30T12:54:26.000Z", "description": "C&C server addresses (hacked websites used as 1st level of proxies)", "pattern": "[url:value = 'http://soheylistore.ir:80:/modules/mod_feed/feed.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:54:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dcff6f-9334-4ff6-974f-41de950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:26.000Z", "modified": "2017-03-30T12:54:26.000Z", "description": "C&C server addresses (hacked websites used as 1st 
level of proxies)", "pattern": "[url:value = 'http://tazohor.com:80:/wp-includes/feed-rss-comments.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:54:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dcff70-0fb0-4437-9781-4b6e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:26.000Z", "modified": "2017-03-30T12:54:26.000Z", "description": "C&C server addresses (hacked websites used as 1st level of proxies)", "pattern": "[url:value = 'http://jucheafrica.com:80:/wp-includes/class-wp-edit.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:54:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dcff71-7df8-45e7-8147-43a9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:26.000Z", "modified": "2017-03-30T12:54:26.000Z", "description": "C&C server addresses (hacked websites used as 1st level of proxies)", "pattern": "[url:value = 'http://61paris.fr:80:/wp-includes/ms-set.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:54:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dcff72-f5c0-4a48-905e-449a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": 
"2017-03-30T12:54:26.000Z", "modified": "2017-03-30T12:54:26.000Z", "description": "C&C server addresses (hacked websites used as 1st level of proxies)", "pattern": "[url:value = 'http://doctorshand.org:80:/wp-content/about/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:54:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dcff73-fb90-4c4e-9f60-4227950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:26.000Z", "modified": "2017-03-30T12:54:26.000Z", "description": "C&C server addresses (hacked websites used as 1st level of proxies)", "pattern": "[url:value = 'http://www.lasac.eu:80:/credit_payment/url/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:54:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dcffa3-f8f4-4c59-bbe4-4dc1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:26.000Z", "modified": "2017-03-30T12:54:26.000Z", "pattern": "[rule carbon_metadata\r\n{\r\ncondition:\r\n(pe.version_info[\u201cInternalName\u201d] contains \u201cSERVICE.EXE\u201d or\r\npe.version_info[\u201cInternalName\u201d] contains \u201cMSIMGHLP.DLL\u201d or\r\npe.version_info[\u201cInternalName\u201d] contains \u201cMSXIML.DLL\u201d)\r\nand pe.version_info[\u201cCompanyName\u201d] contains 
\u201cMicrosoft Corporation\u201d\r\n}]", "pattern_type": "yara", "valid_from": "2017-03-30T12:54:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dcffbe-0f98-439c-a916-4524950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:26.000Z", "modified": "2017-03-30T12:54:26.000Z", "pattern": "[rule generic_carbon\r\n{\r\nstrings:\r\n$s1 = \u201cModStart\u201d\r\n$s2 = \u201cModuleStart\u201d\r\n$t1 = \u201cSTOP|OK\u201d\r\n$t2 = \u201cSTOP|KILL\u201d\r\ncondition:\r\n(uint16(0) == 0x5a4d) and (1 of ($s*)) and (1 of ($t*))\r\n}]", "pattern_type": "yara", "valid_from": "2017-03-30T12:54:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dcffdf-e07c-4be4-b0af-4180950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-28T18:23:44.000Z", "modified": "2017-04-28T18:23:44.000Z", "pattern": "[import \"pe\"\r\nimport \"hash\"\r\n\r\nrule generic_carbon\r\n{\r\nstrings:\r\n$s1 = \u201cModStart\u201d\r\n$s2 = \u201cSTOP|OK\u201d\r\n$s3 = \u201cSTOP|KILL\u201d\r\ncondition:\r\n(uint16(0) == 0x5a4d) and all of them\r\n}\r\n\r\nrule carbon_metadata\r\n{\r\ncondition:\r\n(pe.version_info[\u201cInternalName\u201d] contains \u201cSERVICE.EXE\u201d or\r\npe.version_info[\u201cInternalName\u201d] 
contains \u201cMSIMGHLP.DLL\u201d or\r\npe.version_info[\u201cInternalName\u201d] contains \u201cMSXIML.DLL\u201d)\r\nand pe.version_info[\u201cCompanyName\u201d] contains \u201cMicrosoft Corporation\u201d\r\nand not (tags contains \u201csigned\u201d)\r\n}\r\n\r\nrule carbon_2016_filenames\r\n{\r\ncondition:\r\nfile_name contains \u201cwkstrend.xml\u201d or\r\nfile_name contains \u201ccifrado.xml\u201d or\r\nfile_name contains \u201cfsbootfail.dat\u201d or\r\nfile_name contains \u201cencodebase.inf\u201d or\r\nfile_name contains \u201czcerterror.png\u201d or\r\nfile_name contains \u201cmkfieldsec.dll\u201d\r\n}]", "pattern_type": "yara", "valid_from": "2017-04-28T18:23:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd0020-5a10-4542-bdee-436202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:56.000Z", "modified": "2017-03-30T12:54:56.000Z", "description": "Carbon sample - Xchecked via VT: 56b5627debb93790fdbcc9ecbffc3260adeafbab", "pattern": "[file:hashes.SHA256 = 'af0e455f640b621c50d5c11efc3c8649691a9a661fa1bcf658aae48c007ff3c4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:54:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--58dd0021-383c-416f-9302-4ba602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:57.000Z", "modified": "2017-03-30T12:54:57.000Z", "description": "Carbon sample - Xchecked via VT: 56b5627debb93790fdbcc9ecbffc3260adeafbab", "pattern": "[file:hashes.MD5 = '4085820a53a7f8dd58d4ba5ecf94e42b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:54:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58dd0021-2968-4da8-bfcb-481702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:57.000Z", "modified": "2017-03-30T12:54:57.000Z", "first_observed": "2017-03-30T12:54:57Z", "last_observed": "2017-03-30T12:54:57Z", "number_observed": 1, "object_refs": [ "url--58dd0021-2968-4da8-bfcb-481702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58dd0021-2968-4da8-bfcb-481702de0b81", "value": "https://www.virustotal.com/file/af0e455f640b621c50d5c11efc3c8649691a9a661fa1bcf658aae48c007ff3c4/analysis/1459899966/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd0022-213c-42a4-9fac-460602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:58.000Z", "modified": "2017-03-30T12:54:58.000Z", "description": "Carbon sample - Xchecked via VT: 777e2695ae408e1578a16991373144333732c3f6", "pattern": "[file:hashes.SHA256 = '050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:54:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" 
} ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd0023-17f4-444c-89ca-428302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:54:59.000Z", "modified": "2017-03-30T12:54:59.000Z", "description": "Carbon sample - Xchecked via VT: 777e2695ae408e1578a16991373144333732c3f6", "pattern": "[file:hashes.MD5 = '1fb407a20373f3970f08d3f3c086841d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:54:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58dd0024-6ac8-434b-877c-430c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:00.000Z", "modified": "2017-03-30T12:55:00.000Z", "first_observed": "2017-03-30T12:55:00Z", "last_observed": "2017-03-30T12:55:00Z", "number_observed": 1, "object_refs": [ "url--58dd0024-6ac8-434b-877c-430c02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58dd0024-6ac8-434b-877c-430c02de0b81", "value": "https://www.virustotal.com/file/050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a/analysis/1487311234/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd0025-cec4-42ff-a43d-48ef02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:01.000Z", "modified": "2017-03-30T12:55:01.000Z", "description": "Carbon sample - Xchecked via VT: bcf52240cc7940185ce424224d39564257610340", "pattern": "[file:hashes.SHA256 = '2dc0f9e08bde378e8fe4e408b1b5f4bbbeacb251901009f25189a5a41a53ab47']", "pattern_type": 
"stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd0026-146c-465b-acd3-434502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:02.000Z", "modified": "2017-03-30T12:55:02.000Z", "description": "Carbon sample - Xchecked via VT: bcf52240cc7940185ce424224d39564257610340", "pattern": "[file:hashes.MD5 = '13a81d857610d05f387c1aa86b4b49b9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58dd0027-e934-4d33-a983-412202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:03.000Z", "modified": "2017-03-30T12:55:03.000Z", "first_observed": "2017-03-30T12:55:03Z", "last_observed": "2017-03-30T12:55:03Z", "number_observed": 1, "object_refs": [ "url--58dd0027-e934-4d33-a983-412202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58dd0027-e934-4d33-a983-412202de0b81", "value": "https://www.virustotal.com/file/2dc0f9e08bde378e8fe4e408b1b5f4bbbeacb251901009f25189a5a41a53ab47/analysis/1460698324/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd0028-37f4-473e-9d2f-4caf02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:04.000Z", "modified": "2017-03-30T12:55:04.000Z", "description": "Carbon sample - Xchecked via VT: 
744b43d8c0fe8b217acf0494ad992df6d5191ed9", "pattern": "[file:hashes.SHA256 = '995d2b3924d5f517a795c0acc392e3d47f07787f58c77bb42ac2248393533f16']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd0029-2d4c-47cb-ac4c-4beb02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:05.000Z", "modified": "2017-03-30T12:55:05.000Z", "description": "Carbon sample - Xchecked via VT: 744b43d8c0fe8b217acf0494ad992df6d5191ed9", "pattern": "[file:hashes.MD5 = '278e56c4b171d4d8799b9a77c31e4484']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58dd002a-5acc-4d51-b75b-468e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:06.000Z", "modified": "2017-03-30T12:55:06.000Z", "first_observed": "2017-03-30T12:55:06Z", "last_observed": "2017-03-30T12:55:06Z", "number_observed": 1, "object_refs": [ "url--58dd002a-5acc-4d51-b75b-468e02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58dd002a-5acc-4d51-b75b-468e02de0b81", "value": "https://www.virustotal.com/file/995d2b3924d5f517a795c0acc392e3d47f07787f58c77bb42ac2248393533f16/analysis/1460698430/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd002a-f7b4-4527-853e-4fa002de0b81", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:06.000Z", "modified": "2017-03-30T12:55:06.000Z", "description": "Carbon sample - Xchecked via VT: 851e538357598ed96f0123b47694e25c2d52552b", "pattern": "[file:hashes.SHA256 = 'c3b85bc12c84b8d050e2b9f682df06d93ceaeb4a18480227358baa99f4989e47']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd002b-43c4-483a-b84e-4f0202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:07.000Z", "modified": "2017-03-30T12:55:07.000Z", "description": "Carbon sample - Xchecked via VT: 851e538357598ed96f0123b47694e25c2d52552b", "pattern": "[file:hashes.MD5 = '3b28045c0636f455a3fdf75bd44256ba']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58dd002c-2a44-4162-8831-449d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:08.000Z", "modified": "2017-03-30T12:55:08.000Z", "first_observed": "2017-03-30T12:55:08Z", "last_observed": "2017-03-30T12:55:08Z", "number_observed": 1, "object_refs": [ "url--58dd002c-2a44-4162-8831-449d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58dd002c-2a44-4162-8831-449d02de0b81", "value": 
"https://www.virustotal.com/file/c3b85bc12c84b8d050e2b9f682df06d93ceaeb4a18480227358baa99f4989e47/analysis/1460104267/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd002d-ee14-4e08-83e8-468b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:09.000Z", "modified": "2017-03-30T12:55:09.000Z", "description": "Carbon sample - Xchecked via VT: 1b233af41106d7915f6fa6fd1448b7f070b47eb3", "pattern": "[file:hashes.SHA256 = 'd581b95b43c16407305f5d52631f044936b354ed921cb2efe8dfc9257960d2db']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd002e-38d0-496d-b553-488302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:10.000Z", "modified": "2017-03-30T12:55:10.000Z", "description": "Carbon sample - Xchecked via VT: 1b233af41106d7915f6fa6fd1448b7f070b47eb3", "pattern": "[file:hashes.MD5 = '1c84038a7aac6342894d5896a390913d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58dd002f-e984-4cc5-93e2-427202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:11.000Z", "modified": "2017-03-30T12:55:11.000Z", "first_observed": "2017-03-30T12:55:11Z", "last_observed": "2017-03-30T12:55:11Z", "number_observed": 1, "object_refs": [ "url--58dd002f-e984-4cc5-93e2-427202de0b81" ], "labels": [ 
"misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58dd002f-e984-4cc5-93e2-427202de0b81", "value": "https://www.virustotal.com/file/d581b95b43c16407305f5d52631f044936b354ed921cb2efe8dfc9257960d2db/analysis/1463398122/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd0030-18bc-45aa-9365-4a3502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:12.000Z", "modified": "2017-03-30T12:55:12.000Z", "description": "Carbon sample - Xchecked via VT: 87d718f2d6e46c53490c6a22de399c13f05336f0", "pattern": "[file:hashes.SHA256 = '7a68a6357868f19f698dacd12dea49655f9651fb01e2de4042e8bbc97095c121']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd0030-6898-4767-9ad6-4ea602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:12.000Z", "modified": "2017-03-30T12:55:12.000Z", "description": "Carbon sample - Xchecked via VT: 87d718f2d6e46c53490c6a22de399c13f05336f0", "pattern": "[file:hashes.MD5 = 'ea23d67e41d1f0a7f7e7a8b59e7cb60f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58dd0031-cac4-4c84-9ebc-4c4a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:13.000Z", "modified": "2017-03-30T12:55:13.000Z", "first_observed": 
"2017-03-30T12:55:13Z", "last_observed": "2017-03-30T12:55:13Z", "number_observed": 1, "object_refs": [ "url--58dd0031-cac4-4c84-9ebc-4c4a02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58dd0031-cac4-4c84-9ebc-4c4a02de0b81", "value": "https://www.virustotal.com/file/7a68a6357868f19f698dacd12dea49655f9651fb01e2de4042e8bbc97095c121/analysis/1490735057/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd0032-fa80-4125-adbb-4e6f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:14.000Z", "modified": "2017-03-30T12:55:14.000Z", "description": "Carbon sample - Xchecked via VT: 2227fd6fc9d669a9b66c59593533750477669557", "pattern": "[file:hashes.SHA256 = '9184be433426f5c9fe8ce27e8df89d7849c6af61779a3835c89ad46815abe839']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd0033-60e0-4e52-b5ba-4e4902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:15.000Z", "modified": "2017-03-30T12:55:15.000Z", "description": "Carbon sample - Xchecked via VT: 2227fd6fc9d669a9b66c59593533750477669557", "pattern": "[file:hashes.MD5 = 'd115532ed6189b3f74569f8012efe110']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58dd0034-c460-4ba5-b29d-44c802de0b81", 
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:16.000Z", "modified": "2017-03-30T12:55:16.000Z", "first_observed": "2017-03-30T12:55:16Z", "last_observed": "2017-03-30T12:55:16Z", "number_observed": 1, "object_refs": [ "url--58dd0034-c460-4ba5-b29d-44c802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58dd0034-c460-4ba5-b29d-44c802de0b81", "value": "https://www.virustotal.com/file/9184be433426f5c9fe8ce27e8df89d7849c6af61779a3835c89ad46815abe839/analysis/1463724060/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd0035-adb0-4116-8b7f-4a3d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:17.000Z", "modified": "2017-03-30T12:55:17.000Z", "description": "Carbon sample - Xchecked via VT: 554f59c1578f4ee77dbba6a23507401359a59f23", "pattern": "[file:hashes.SHA256 = 'd1ad698567b04ea5ce8197c0316444ad8ee0350b46e0414f53f54c278b393a19']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd0035-62f8-4558-9033-4e4302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:17.000Z", "modified": "2017-03-30T12:55:17.000Z", "description": "Carbon sample - Xchecked via VT: 554f59c1578f4ee77dbba6a23507401359a59f23", "pattern": "[file:hashes.MD5 = '21802eb06e2b05b5db40381f296d67ad']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", 
"misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58dd0036-68cc-4f5f-a571-4a3802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:18.000Z", "modified": "2017-03-30T12:55:18.000Z", "first_observed": "2017-03-30T12:55:18Z", "last_observed": "2017-03-30T12:55:18Z", "number_observed": 1, "object_refs": [ "url--58dd0036-68cc-4f5f-a571-4a3802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58dd0036-68cc-4f5f-a571-4a3802de0b81", "value": "https://www.virustotal.com/file/d1ad698567b04ea5ce8197c0316444ad8ee0350b46e0414f53f54c278b393a19/analysis/1487239958/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd0037-8088-49e9-944f-45ff02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:19.000Z", "modified": "2017-03-30T12:55:19.000Z", "description": "Carbon sample - Xchecked via VT: fbc43636e3c9378162f3b9712cb6d87bd48ddbd3", "pattern": "[file:hashes.SHA256 = 'e82d4b6d037568a4602e70f099005572b587c220793afd8f90c13cb7bbde61ed']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd0038-5144-4ed3-adfe-4d3102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:20.000Z", "modified": "2017-03-30T12:55:20.000Z", "description": "Carbon sample - Xchecked via VT: fbc43636e3c9378162f3b9712cb6d87bd48ddbd3", "pattern": "[file:hashes.MD5 = 'b4096859121998c065896d3d19e46e50']", "pattern_type": "stix", "pattern_version": "2.1", 
"valid_from": "2017-03-30T12:55:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58dd0039-0208-4066-bc11-4eb502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:21.000Z", "modified": "2017-03-30T12:55:21.000Z", "first_observed": "2017-03-30T12:55:21Z", "last_observed": "2017-03-30T12:55:21Z", "number_observed": 1, "object_refs": [ "url--58dd0039-0208-4066-bc11-4eb502de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58dd0039-0208-4066-bc11-4eb502de0b81", "value": "https://www.virustotal.com/file/e82d4b6d037568a4602e70f099005572b587c220793afd8f90c13cb7bbde61ed/analysis/1487240002/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd003a-b738-4acc-a32b-470c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:22.000Z", "modified": "2017-03-30T12:55:22.000Z", "description": "Carbon sample - Xchecked via VT: 311f399c299741e80db8bec65bbf4b56109eedaf", "pattern": "[file:hashes.SHA256 = 'c58d57f5ce9ca7689e6b71d3dcb48b2caf41a9e7105bb68bae113218869dd6a0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd003b-134c-47ef-9ec6-431402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:23.000Z", "modified": "2017-03-30T12:55:23.000Z", "description": "Carbon sample - Xchecked via VT: 
311f399c299741e80db8bec65bbf4b56109eedaf", "pattern": "[file:hashes.MD5 = '4ae7e6011b550372d2a73ab3b4d67096']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58dd003c-06e4-456b-b541-4a0302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:24.000Z", "modified": "2017-03-30T12:55:24.000Z", "first_observed": "2017-03-30T12:55:24Z", "last_observed": "2017-03-30T12:55:24Z", "number_observed": 1, "object_refs": [ "url--58dd003c-06e4-456b-b541-4a0302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58dd003c-06e4-456b-b541-4a0302de0b81", "value": "https://www.virustotal.com/file/c58d57f5ce9ca7689e6b71d3dcb48b2caf41a9e7105bb68bae113218869dd6a0/analysis/1472552183/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd003d-9d0c-4261-9263-492e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:25.000Z", "modified": "2017-03-30T12:55:25.000Z", "description": "Carbon sample - Xchecked via VT: 2f7e335e092e04f3f4734b60c5345003d10aa15d", "pattern": "[file:hashes.SHA256 = '1311759943aabfe55ef2d42677432f14ed8fb549619473e5fb56f8a92d2daf72']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd003d-866c-493e-ab08-42ad02de0b81", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:25.000Z", "modified": "2017-03-30T12:55:25.000Z", "description": "Carbon sample - Xchecked via VT: 2f7e335e092e04f3f4734b60c5345003d10aa15d", "pattern": "[file:hashes.MD5 = '244505129d96be57134cb00f27d4359c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58dd003e-eca8-4aaa-ae60-4cca02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:26.000Z", "modified": "2017-03-30T12:55:26.000Z", "first_observed": "2017-03-30T12:55:26Z", "last_observed": "2017-03-30T12:55:26Z", "number_observed": 1, "object_refs": [ "url--58dd003e-eca8-4aaa-ae60-4cca02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58dd003e-eca8-4aaa-ae60-4cca02de0b81", "value": "https://www.virustotal.com/file/1311759943aabfe55ef2d42677432f14ed8fb549619473e5fb56f8a92d2daf72/analysis/1472508860/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd003f-e27c-4949-aab7-490c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:27.000Z", "modified": "2017-03-30T12:55:27.000Z", "description": "Carbon sample - Xchecked via VT: 1dbfcb9005abb2c83ffa6a3127257a009612798c", "pattern": "[file:hashes.SHA256 = '31b176b9906211c14ee5b9cff4c56f71866ec47d7f7c783aeb31692168d66566']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload 
delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd0040-c27c-4ff6-bc0d-41d902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:28.000Z", "modified": "2017-03-30T12:55:28.000Z", "description": "Carbon sample - Xchecked via VT: 1dbfcb9005abb2c83ffa6a3127257a009612798c", "pattern": "[file:hashes.MD5 = '91a5594343b47462ebd6266a9c40abbe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:28Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58dd0041-f364-447a-82a3-423c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:29.000Z", "modified": "2017-03-30T12:55:29.000Z", "first_observed": "2017-03-30T12:55:29Z", "last_observed": "2017-03-30T12:55:29Z", "number_observed": 1, "object_refs": [ "url--58dd0041-f364-447a-82a3-423c02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58dd0041-f364-447a-82a3-423c02de0b81", "value": "https://www.virustotal.com/file/31b176b9906211c14ee5b9cff4c56f71866ec47d7f7c783aeb31692168d66566/analysis/1487311644/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd0042-ff94-4d44-8926-42b202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:30.000Z", "modified": "2017-03-30T12:55:30.000Z", "description": "Carbon sample - Xchecked via VT: 20393222d4eb1ba72a6536f7e67e139aadfa47fe", "pattern": "[file:hashes.SHA256 = 'ba9a87ba0ad1a4f4e81583a1449b20bf703cdbee6b1a639c13f4cbcd1b9eb57f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:30Z", 
"kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd0043-e258-4a82-b1cf-4f5b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:31.000Z", "modified": "2017-03-30T12:55:31.000Z", "description": "Carbon sample - Xchecked via VT: 20393222d4eb1ba72a6536f7e67e139aadfa47fe", "pattern": "[file:hashes.MD5 = 'df230db9bddf200b24d8744ad84d80e8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58dd0044-5cfc-4f5d-bed1-42ec02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:32.000Z", "modified": "2017-03-30T12:55:32.000Z", "first_observed": "2017-03-30T12:55:32Z", "last_observed": "2017-03-30T12:55:32Z", "number_observed": 1, "object_refs": [ "url--58dd0044-5cfc-4f5d-bed1-42ec02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58dd0044-5cfc-4f5d-bed1-42ec02de0b81", "value": "https://www.virustotal.com/file/ba9a87ba0ad1a4f4e81583a1449b20bf703cdbee6b1a639c13f4cbcd1b9eb57f/analysis/1482320204/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd0045-00c8-447f-b23a-4da402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:33.000Z", "modified": "2017-03-30T12:55:33.000Z", "description": "Carbon sample - Xchecked via VT: 7ce746bb988cb3b7e64f08174bdb02938555ea53", "pattern": "[file:hashes.SHA256 
= '8d20dd4433821eaeb1b2bec5911ba3633e656ca56ae50b75d35b2d52ea55b2cb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd0045-20e4-4b68-8b47-44a502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:33.000Z", "modified": "2017-03-30T12:55:33.000Z", "description": "Carbon sample - Xchecked via VT: 7ce746bb988cb3b7e64f08174bdb02938555ea53", "pattern": "[file:hashes.MD5 = '554450c1ecb925693fedbb9e56702646']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58dd0046-5560-49b6-8f5d-428102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:34.000Z", "modified": "2017-03-30T12:55:34.000Z", "first_observed": "2017-03-30T12:55:34Z", "last_observed": "2017-03-30T12:55:34Z", "number_observed": 1, "object_refs": [ "url--58dd0046-5560-49b6-8f5d-428102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58dd0046-5560-49b6-8f5d-428102de0b81", "value": "https://www.virustotal.com/file/8d20dd4433821eaeb1b2bec5911ba3633e656ca56ae50b75d35b2d52ea55b2cb/analysis/1472540442/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd0047-efc8-49f9-8a9d-4bc502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:35.000Z", 
"modified": "2017-03-30T12:55:35.000Z", "description": "Carbon sample - Xchecked via VT: 7c43f5df784bf50423620d8f1c96e43d8d9a9b28", "pattern": "[file:hashes.SHA256 = 'ffb0e35cfab750c8532f7d49deb8a71284fa420660710b8be632dacdd0a5cf45']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd0048-f4bc-4507-9132-475902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:36.000Z", "modified": "2017-03-30T12:55:36.000Z", "description": "Carbon sample - Xchecked via VT: 7c43f5df784bf50423620d8f1c96e43d8d9a9b28", "pattern": "[file:hashes.MD5 = 'e6d1dcc6c2601e592f2b03f35b06fa8f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58dd0049-3be8-4d8a-8293-4d8d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:37.000Z", "modified": "2017-03-30T12:55:37.000Z", "first_observed": "2017-03-30T12:55:37Z", "last_observed": "2017-03-30T12:55:37Z", "number_observed": 1, "object_refs": [ "url--58dd0049-3be8-4d8a-8293-4d8d02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58dd0049-3be8-4d8a-8293-4d8d02de0b81", "value": "https://www.virustotal.com/file/ffb0e35cfab750c8532f7d49deb8a71284fa420660710b8be632dacdd0a5cf45/analysis/1472563917/" }, { "type": "indicator", "spec_version": "2.1", 
"id": "indicator--58dd004a-9f74-4c4d-94da-4c6802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:38.000Z", "modified": "2017-03-30T12:55:38.000Z", "description": "Carbon sample - Xchecked via VT: a28164de29e51f154be12d163ce5818fceb69233", "pattern": "[file:hashes.SHA256 = '1a488c6824bd39f3568346b2aaf3f6666f41b1d4961a2d77360c7c65c7978b5e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:38Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd004b-5b70-47be-a686-4e3002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:39.000Z", "modified": "2017-03-30T12:55:39.000Z", "description": "Carbon sample - Xchecked via VT: a28164de29e51f154be12d163ce5818fceb69233", "pattern": "[file:hashes.MD5 = '43e896ede6fe025ee90f7f27c6d376a4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58dd004b-4d28-44d7-9414-425902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:39.000Z", "modified": "2017-03-30T12:55:39.000Z", "first_observed": "2017-03-30T12:55:39Z", "last_observed": "2017-03-30T12:55:39Z", "number_observed": 1, "object_refs": [ "url--58dd004b-4d28-44d7-9414-425902de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58dd004b-4d28-44d7-9414-425902de0b81", "value": 
"https://www.virustotal.com/file/1a488c6824bd39f3568346b2aaf3f6666f41b1d4961a2d77360c7c65c7978b5e/analysis/1484282511/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd004c-71f0-4e9c-85c4-4a4d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:40.000Z", "modified": "2017-03-30T12:55:40.000Z", "description": "Carbon sample - Xchecked via VT: 1ad46547e3dc264f940bf62df455b26e65b0101f", "pattern": "[file:hashes.SHA256 = '02f9501cb01b375e752a9cc4aa5ee084a504944bdc853e1bdfc860dd76e0d198']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd004d-5b4c-46b6-8974-40c602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:41.000Z", "modified": "2017-03-30T12:55:41.000Z", "description": "Carbon sample - Xchecked via VT: 1ad46547e3dc264f940bf62df455b26e65b0101f", "pattern": "[file:hashes.MD5 = '4c1017de62ea4788c7c8058a8f825a2d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58dd004e-33e8-45a4-825d-491d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:42.000Z", "modified": "2017-03-30T12:55:42.000Z", "first_observed": "2017-03-30T12:55:42Z", "last_observed": "2017-03-30T12:55:42Z", "number_observed": 1, "object_refs": [ "url--58dd004e-33e8-45a4-825d-491d02de0b81" ], "labels": [ 
"misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58dd004e-33e8-45a4-825d-491d02de0b81", "value": "https://www.virustotal.com/file/02f9501cb01b375e752a9cc4aa5ee084a504944bdc853e1bdfc860dd76e0d198/analysis/1487306753/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd004f-1e20-4e75-8e21-477f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:43.000Z", "modified": "2017-03-30T12:55:43.000Z", "description": "Carbon sample - Xchecked via VT: cbde204e7641830017bb84b89223131b2126bc46", "pattern": "[file:hashes.SHA256 = '3b8bd0a0c6069f2d27d759340721b78fd289f92e0a13965262fea4e8907af122']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd0050-d094-4d4f-86a3-4f4502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:44.000Z", "modified": "2017-03-30T12:55:44.000Z", "description": "Carbon sample - Xchecked via VT: cbde204e7641830017bb84b89223131b2126bc46", "pattern": "[file:hashes.MD5 = 'cb1b68d9971c2353c2d6a8119c49b51f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58dd0051-ce8c-4059-9ecb-476902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:45.000Z", "modified": "2017-03-30T12:55:45.000Z", "first_observed": 
"2017-03-30T12:55:45Z", "last_observed": "2017-03-30T12:55:45Z", "number_observed": 1, "object_refs": [ "url--58dd0051-ce8c-4059-9ecb-476902de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58dd0051-ce8c-4059-9ecb-476902de0b81", "value": "https://www.virustotal.com/file/3b8bd0a0c6069f2d27d759340721b78fd289f92e0a13965262fea4e8907af122/analysis/1490734934/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd0052-8e84-4b91-908a-40af02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:46.000Z", "modified": "2017-03-30T12:55:46.000Z", "description": "Carbon sample - Xchecked via VT: 4636dccac5acf1d95a474747bb7bcd9b1a506cc3", "pattern": "[file:hashes.SHA256 = '0b90db3a69aa8cfab36a66cd5390f46c32e3d88d8fcaefce8cd9e00700e10b65']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd0052-8680-469f-8cbb-4f3802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:46.000Z", "modified": "2017-03-30T12:55:46.000Z", "description": "Carbon sample - Xchecked via VT: 4636dccac5acf1d95a474747bb7bcd9b1a506cc3", "pattern": "[file:hashes.MD5 = '7ddee9311d7ab2d548e9b252383863ef']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58dd0053-5978-4766-94a4-468f02de0b81", 
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:47.000Z", "modified": "2017-03-30T12:55:47.000Z", "first_observed": "2017-03-30T12:55:47Z", "last_observed": "2017-03-30T12:55:47Z", "number_observed": 1, "object_refs": [ "url--58dd0053-5978-4766-94a4-468f02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58dd0053-5978-4766-94a4-468f02de0b81", "value": "https://www.virustotal.com/file/0b90db3a69aa8cfab36a66cd5390f46c32e3d88d8fcaefce8cd9e00700e10b65/analysis/1485875623/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd0054-7e04-4ad1-b86f-47d002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:48.000Z", "modified": "2017-03-30T12:55:48.000Z", "description": "Carbon sample - Xchecked via VT: a08b8371ead1919500a4759c2f46553620d5a9d9", "pattern": "[file:hashes.SHA256 = '7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd0055-b800-4361-9aa0-47be02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:49.000Z", "modified": "2017-03-30T12:55:49.000Z", "description": "Carbon sample - Xchecked via VT: a08b8371ead1919500a4759c2f46553620d5a9d9", "pattern": "[file:hashes.MD5 = 'e664b6f5f50d1a7991e254e5e81a683f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", 
"misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58dd0056-6e74-43d5-b58b-494802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:50.000Z", "modified": "2017-03-30T12:55:50.000Z", "first_observed": "2017-03-30T12:55:50Z", "last_observed": "2017-03-30T12:55:50Z", "number_observed": 1, "object_refs": [ "url--58dd0056-6e74-43d5-b58b-494802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58dd0056-6e74-43d5-b58b-494802de0b81", "value": "https://www.virustotal.com/file/7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452/analysis/1486030116/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd0057-5a14-4f5d-884b-490202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:51.000Z", "modified": "2017-03-30T12:55:51.000Z", "description": "Carbon sample - Xchecked via VT: 7f3a60613a3bdb5f1f8616e6ca469d3b78b1b45b", "pattern": "[file:hashes.SHA256 = 'aaa2afe68852cb76bccf7dbb0b541a5d62b7f0b15e47f0a24e63f68f50af167c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-03-30T12:55:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58dd0057-cde0-4faa-a196-4a6302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:51.000Z", "modified": "2017-03-30T12:55:51.000Z", "description": "Carbon sample - Xchecked via VT: 7f3a60613a3bdb5f1f8616e6ca469d3b78b1b45b", "pattern": "[file:hashes.MD5 = '213ca4db4c2abd3b631da00c299d75ef']", "pattern_type": "stix", "pattern_version": "2.1", 
"valid_from": "2017-03-30T12:55:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58dd0058-dcd4-4271-8e57-432702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-03-30T12:55:52.000Z", "modified": "2017-03-30T12:55:52.000Z", "first_observed": "2017-03-30T12:55:52Z", "last_observed": "2017-03-30T12:55:52Z", "number_observed": 1, "object_refs": [ "url--58dd0058-dcd4-4271-8e57-432702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58dd0058-dcd4-4271-8e57-432702de0b81", "value": "https://www.virustotal.com/file/aaa2afe68852cb76bccf7dbb0b541a5d62b7f0b15e47f0a24e63f68f50af167c/analysis/1487398090/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }