{ "type": "bundle", "id": "bundle--5d108cdd-eae4-471e-b0ca-7ad4950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-07-19T09:16:26.000Z", "modified": "2019-07-19T09:16:26.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "grouping", "spec_version": "2.1", "id": "grouping--5d108cdd-eae4-471e-b0ca-7ad4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-07-19T09:16:26.000Z", "modified": "2019-07-19T09:16:26.000Z", "name": "OSINT - Felipe, a new infostealer Trojan", "context": "suspicious-activity", "object_refs": [ "indicator--5d109aae-7258-4c36-82d2-349d950d210f", "indicator--5d10a4dd-9130-4c72-b3ec-482d950d210f", "indicator--5d10a4dd-8900-4d2d-89a9-4b84950d210f", "indicator--5d109029-f448-4859-b7c3-acd8950d210f", "indicator--5d1092e1-eb28-463b-83ec-47da950d210f", "indicator--5d10960d-6330-4179-8a72-34c0950d210f", "indicator--5d10968d-e280-472b-9a3f-55b2950d210f", "indicator--5d10a495-ca5c-4920-bb2d-4e7a950d210f", "indicator--88a609e6-3d3d-4325-bac6-6be3cd920d7b", "x-misp-object--855e4596-70af-4ec9-8471-2efd8ba7ea66", "indicator--0b40b29f-6b71-4cfb-b529-2b30ea155b66", "x-misp-object--25782699-9e62-4a5c-a1d3-f6bbdcec04cb", "x-misp-object--02aee86e-c588-4ea9-bd2e-aef1535846cd", "x-misp-object--ecc0c45a-2208-4171-a606-ccacbe28b955", "relationship--e1860d49-68bb-41a9-b421-64c280f4e04f", "relationship--fdb482bf-00bc-4a4b-9551-eb997ff77481", "relationship--95a105d0-e7e5-4047-b0d9-971f22d08b7b", "relationship--bacb93fd-56da-4bae-8947-5b012cc277fb" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "osint:certainty=\"50\"", "malware_classification:malware-category=\"Trojan\"", "ms-caro-malware:malware-type=\"Trojan\"", "ms-caro-malware-full:malware-type=\"Trojan\"", "ecsirt:malicious-code=\"trojan\"", "CERT-XLM:malicious-code=\"trojan-malware\"", "keylogger/infostealer", "workflow:state=\"incomplete\"", "workflow:todo=\"add-missing-misp-galaxy-cluster-values\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d109aae-7258-4c36-82d2-349d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-06-24T09:41:02.000Z", "modified": "2019-06-24T09:41:02.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.99.215.95']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-06-24T09:41:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d10a4dd-9130-4c72-b3ec-482d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-06-24T10:24:29.000Z", "modified": "2019-06-24T10:24:29.000Z", "description": "Download URLs", "pattern": "[url:value = '192.99.215.95/uploads']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-06-24T10:24:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d10a4dd-8900-4d2d-89a9-4b84950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-06-24T10:24:29.000Z", "modified": "2019-06-24T10:24:29.000Z", "description": "Download URLs", "pattern": "[domain-name:value = 'inmemory.tech']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-06-24T10:24:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d109029-f448-4859-b7c3-acd8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-07-19T09:16:19.000Z", "modified": "2019-07-19T09:16:19.000Z", "pattern": "[file:hashes.MD5 = '15ce8f849fff4cc8675900ec838a93f9' AND file:name = 'vshost.exe' AND file:parent_directory_ref.path = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\' AND file:x_misp_fullpath = '\\\\%UserProfile\\\\%\\\\Local Settings\\\\Temp\\\\vshost.exe' AND file:x_misp_fullpath = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\vshost.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-07-19T09:16:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d1092e1-eb28-463b-83ec-47da950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-07-19T09:16:20.000Z", "modified": "2019-07-19T09:16:20.000Z", "pattern": "[file:hashes.MD5 = 'd912771c8cd5720ad835e08eb80a77b6' AND file:name = 'explorer32.exe' AND file:parent_directory_ref.path = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\' AND file:x_misp_fullpath = '\\\\%UserProfile\\\\%\\\\Local Settings\\\\Temp\\\\explorer32.exe' AND file:x_misp_fullpath = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\explorer32.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-07-19T09:16:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d10960d-6330-4179-8a72-34c0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-06-24T09:50:02.000Z", "modified": "2019-06-24T09:50:02.000Z", "pattern": "[file:hashes.MD5 = '7d016a3bb29904a6e00161694fc6ab4e' AND file:name = 'install2.bat' AND file:parent_directory_ref.path = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\' AND file:x_misp_fullpath = '\\\\%UserProfile\\\\%\\\\Local Settings\\\\Temp\\\\install2.bat' AND file:x_misp_fullpath = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\install2.bat']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-06-24T09:50:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d10968d-e280-472b-9a3f-55b2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-06-24T09:23:25.000Z", "modified": "2019-06-24T09:23:25.000Z", "pattern": "[file:name = 'infect.txt' AND file:parent_directory_ref.path = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\' AND file:x_misp_fullpath = '\\\\%UserProfile\\\\%\\\\Local Settings\\\\Temp\\\\infect.txt' AND file:x_misp_fullpath = '\\\\%UserProfile\\\\%\\\\AppData\\\\Local\\\\Temp\\\\infect.txt']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-06-24T09:23:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d10a495-ca5c-4920-bb2d-4e7a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-06-24T10:23:17.000Z", "modified": "2019-06-24T10:23:17.000Z", "pattern": "[file:hashes.MD5 = '61b06e49d514f3dc5be4f4ef08f6b43c' AND file:name = 'down.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-06-24T10:23:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--88a609e6-3d3d-4325-bac6-6be3cd920d7b", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-07-18T09:41:39.000Z", "modified": "2019-07-18T09:41:39.000Z", "pattern": "[file:hashes.MD5 = '15ce8f849fff4cc8675900ec838a93f9' AND file:hashes.SHA1 = '5089aa7a2895e07a9f182a77407f8d7570c7ad56' AND file:hashes.SHA256 = 'bf6e6c7808a9bb023fc1fea1822438ad0b6ebefd1bdc703d2acb280c328a4eb1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-07-18T09:41:39Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--855e4596-70af-4ec9-8471-2efd8ba7ea66", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-07-18T09:41:39.000Z", "modified": "2019-07-18T09:41:39.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-06-19 21:05:11", "category": "Other", "uuid": "cbaec671-305f-4f57-aef0-4cd165490955" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/bf6e6c7808a9bb023fc1fea1822438ad0b6ebefd1bdc703d2acb280c328a4eb1/analysis/1560978311/", "category": "Payload delivery", "uuid": "05e95691-153a-4e2d-8120-a6da025b555a" }, { "type": "text", "object_relation": "detection-ratio", "value": "46/72", "category": "Payload delivery", "uuid": "e402f89d-c139-423b-90a9-9432114dd561" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0b40b29f-6b71-4cfb-b529-2b30ea155b66", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-07-18T09:41:40.000Z", "modified": "2019-07-18T09:41:40.000Z", "pattern": "[file:hashes.MD5 = 'd912771c8cd5720ad835e08eb80a77b6' AND file:hashes.SHA1 = '24767b14ab8ab53a3194ad16ba65cf9a5e2279e7' AND file:hashes.SHA256 = 'ae0655e0a18286a797171a891c96ca9fed5e880ad171bfeb21ed6c0afc00261d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-07-18T09:41:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--25782699-9e62-4a5c-a1d3-f6bbdcec04cb", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-07-18T09:41:41.000Z", "modified": "2019-07-18T09:41:41.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-06-20 22:19:40", "category": "Other", "uuid": "ee2f27a1-5677-47a6-8e25-ddc8113659fb" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/ae0655e0a18286a797171a891c96ca9fed5e880ad171bfeb21ed6c0afc00261d/analysis/1561069180/", "category": "Payload delivery", "uuid": "ad6c4b04-e40b-4195-83ae-3320c5554afd" }, { "type": "text", "object_relation": "detection-ratio", "value": "48/72", "category": "Payload delivery", "uuid": "48eda93b-9a4a-4564-95b5-0bf61abfd7ff" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--02aee86e-c588-4ea9-bd2e-aef1535846cd", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-07-19T09:16:20.000Z", "modified": "2019-07-19T09:16:20.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-06-20 22:19:40", "category": "Other", "uuid": "a34f65ae-9d55-4730-b4bc-d9743afa3bd9" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/ae0655e0a18286a797171a891c96ca9fed5e880ad171bfeb21ed6c0afc00261d/analysis/1561069180/", "category": "Payload delivery", "uuid": "749ba503-e2a8-4491-8c9c-0e607d2cd3dc" }, { "type": "text", "object_relation": "detection-ratio", "value": "48/72", "category": "Payload delivery", "uuid": "c9a70846-ec1a-4716-85a2-18ae57937c17" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--ecc0c45a-2208-4171-a606-ccacbe28b955", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-07-19T09:16:20.000Z", "modified": "2019-07-19T09:16:20.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-06-19 21:05:11", "category": "Other", "uuid": "7f93341a-29e0-4a52-b71a-15b07b632f4a" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/bf6e6c7808a9bb023fc1fea1822438ad0b6ebefd1bdc703d2acb280c328a4eb1/analysis/1560978311/", "category": "Payload delivery", "uuid": "f3e93485-3178-490f-a77a-0412f6d09e1a" }, { "type": "text", "object_relation": "detection-ratio", "value": "46/72", "category": "Payload delivery", "uuid": "52fb0fb6-0dce-4d09-a876-820f06f4762d" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e1860d49-68bb-41a9-b421-64c280f4e04f", "created": "2019-07-19T09:16:20.000Z", "modified": "2019-07-19T09:16:20.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--5d109029-f448-4859-b7c3-acd8950d210f", "target_ref": "x-misp-object--ecc0c45a-2208-4171-a606-ccacbe28b955" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--fdb482bf-00bc-4a4b-9551-eb997ff77481", "created": "2019-07-19T09:16:20.000Z", "modified": "2019-07-19T09:16:20.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--5d1092e1-eb28-463b-83ec-47da950d210f", "target_ref": "x-misp-object--02aee86e-c588-4ea9-bd2e-aef1535846cd" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--95a105d0-e7e5-4047-b0d9-971f22d08b7b", "created": "2019-07-18T09:41:42.000Z", "modified": "2019-07-18T09:41:42.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--88a609e6-3d3d-4325-bac6-6be3cd920d7b", "target_ref": "x-misp-object--855e4596-70af-4ec9-8471-2efd8ba7ea66" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--bacb93fd-56da-4bae-8947-5b012cc277fb", "created": "2019-07-18T09:41:42.000Z", "modified": "2019-07-18T09:41:42.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--0b40b29f-6b71-4cfb-b529-2b30ea155b66", "target_ref": "x-misp-object--25782699-9e62-4a5c-a1d3-f6bbdcec04cb" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }