{ "type": "bundle", "id": "bundle--5c502e8e-09e8-4c7c-9135-4c1b950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-29T13:19:12.000Z", "modified": "2019-01-29T13:19:12.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5c502e8e-09e8-4c7c-9135-4c1b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-29T13:19:12.000Z", "modified": "2019-01-29T13:19:12.000Z", "name": "2019-01-28: Turla Kazuar RAT", "published": "2019-01-29T13:19:37Z", "object_refs": [ "indicator--5c5037a7-d6f4-47ee-bb67-4cc3950d210f", "indicator--5c5037a8-fcf8-4d3c-bab5-4c1e950d210f", "x-misp-object--5c5032b0-5a34-4e58-bcf7-0435950d210f", "indicator--5c5038be-fe38-403c-a413-0435950d210f", "indicator--8670f30a-fed5-4ecf-8486-544baa950b1d", "x-misp-object--9001b360-5644-40b6-8310-2c8aa8711aab", "relationship--92ee7b7c-d64b-4297-bffb-2a1a6d4cc7e1" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:malpedia=\"Turla RAT\"", "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Turla\"", "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Turla - G0010\"", "misp-galaxy:threat-actor=\"Turla Group\"", "misp-galaxy:tool=\"Turla\"", "misp-galaxy:malpedia=\"Kazuar\"", "misp-galaxy:mitre-malware=\"Kazuar - S0265\"", "misp-galaxy:tool=\"Kazuar\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "osint:certainty=\"50\"", "ms-caro-malware:malware-type=\"RemoteAccess\"", "enisa:nefarious-activity-abuse=\"remote-access-tool\"", "veris:asset:variety=\"S - Remote access\"", "veris:action:misuse:vector=\"Remote access\"", "ms-caro-malware-full:malware-type=\"RemoteAccess\"", "CERT-XLM:malicious-code=\"spyware-rat\"", "osint:source-type=\"microblog-post\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c5037a7-d6f4-47ee-bb67-4cc3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-29T11:23:19.000Z", "modified": "2019-01-29T11:23:19.000Z", "description": "C2", "pattern": "[url:value = 'northviewcanada.com/wp-content/galler/slider/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-29T11:23:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c5037a8-fcf8-4d3c-bab5-4c1e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-29T11:23:20.000Z", "modified": "2019-01-29T11:23:20.000Z", "description": "C2", "pattern": "[url:value = 'zycie-chotomowa.pl/wp-content/languages/index.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-29T11:23:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--5c5032b0-5a34-4e58-bcf7-0435950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-29T11:02:08.000Z", "modified": "2019-01-29T11:02:08.000Z", "labels": [ "misp:name=\"microblog\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "text", "object_relation": "post", "value": "2019-01-28: #Turla #Kazuar #RAT: Component: { loader, service, solver, sender, singler, scripter } C2: { northviewcanada[.com/wp-content/galler/slider/, zycie-chotomowa[.pl/wp-content/languages/index.php } MD5: 988df2967a7239a4b916cc9fcedaff68 cc @DrunkBinary", "category": "Other", "uuid": "5c5032b0-929c-4c5c-bd49-0435950d210f" }, { "type": "text", "object_relation": "type", "value": "Twitter", "category": "Other", "uuid": "5c5032b0-6b0c-42df-8c8b-0435950d210f" }, { "type": "url", "object_relation": "url", "value": "https://twitter.com/VK_Intel/status/1089959988116799491", "category": "Network activity", "to_ids": true, "uuid": "5c5032b0-ea2c-4c6f-9ba0-0435950d210f" }, { "type": "text", "object_relation": "username-quoted", "value": "DrunkBinary", "category": "Other", "uuid": "5c5032b0-e2a8-4d81-a227-0435950d210f" }, { "type": "datetime", "object_relation": "creation-date", "value": "2019-01-28T10:54:00", "category": "Other", "uuid": "5c5032b0-6d34-4368-8ba7-0435950d210f" }, { "type": "text", "object_relation": "username", "value": "VK_Intel", "category": "Other", "uuid": "5c5032b0-4528-4080-bbb4-0435950d210f" } ], "x_misp_meta_category": "misc", "x_misp_name": "microblog" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5c5038be-fe38-403c-a413-0435950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-29T11:27:58.000Z", "modified": "2019-01-29T11:27:58.000Z", "pattern": "[file:hashes.MD5 = '988df2967a7239a4b916cc9fcedaff68' AND file:x_misp_state = 'Malicious']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-29T11:27:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--8670f30a-fed5-4ecf-8486-544baa950b1d", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-29T13:19:03.000Z", "modified": "2019-01-29T13:19:03.000Z", "pattern": "[file:hashes.MD5 = '988df2967a7239a4b916cc9fcedaff68' AND file:hashes.SHA1 = '321fac7d4cabce35ce0adc67c700f47d47359021' AND file:hashes.SHA256 = '44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-01-29T13:19:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-object", "spec_version": "2.1", "id": "x-misp-object--9001b360-5644-40b6-8310-2c8aa8711aab", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-01-29T13:19:03.000Z", "modified": "2019-01-29T13:19:03.000Z", "labels": [ "misp:name=\"virustotal-report\"", "misp:meta-category=\"misc\"" ], "x_misp_attributes": [ { "type": "datetime", "object_relation": "last-submission", "value": "2019-01-29T07:35:34", "category": "Other", "uuid": "d510388b-8e85-4a4d-90a3-54861f1c0110" }, { "type": "link", "object_relation": "permalink", "value": "https://www.virustotal.com/file/44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac/analysis/1548747334/", "category": "External analysis", "uuid": "c8f2c1f7-80d2-4ea5-9750-e9a85809f91d" }, { "type": "text", "object_relation": "detection-ratio", "value": "42/69", "category": "Other", "uuid": "c977a42a-64e2-4f6d-b065-86ac107beec4" } ], "x_misp_meta_category": "misc", "x_misp_name": "virustotal-report" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--92ee7b7c-d64b-4297-bffb-2a1a6d4cc7e1", "created": "2019-01-29T13:19:03.000Z", "modified": "2019-01-29T13:19:03.000Z", "relationship_type": "analysed-with", "source_ref": "indicator--8670f30a-fed5-4ecf-8486-544baa950b1d", "target_ref": "x-misp-object--9001b360-5644-40b6-8310-2c8aa8711aab" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }