{ "type": "bundle", "id": "bundle--56d42420-c838-4c85-80ee-1365950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:01:52.000Z", "modified": "2016-02-29T11:01:52.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--56d42420-c838-4c85-80ee-1365950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:01:52.000Z", "modified": "2016-02-29T11:01:52.000Z", "name": "OSINT - ATMZombie: banking trojan in Israeli waters", "published": "2016-02-29T11:02:21Z", "object_refs": [ "observed-data--56d4243d-8880-4f2f-a4b8-49d3950d210f", "url--56d4243d-8880-4f2f-a4b8-49d3950d210f", "x-misp-attribute--56d42452-69c8-434e-9609-18f0950d210f", "indicator--56d42468-6254-433d-b79d-18f2950d210f", "indicator--56d42468-e430-42c1-af5f-18f2950d210f", "indicator--56d42469-9174-4954-8e6a-18f2950d210f", "indicator--56d42469-07d4-412d-9308-18f2950d210f", "indicator--56d42478-dd34-408f-9189-49d1950d210f", "indicator--56d42478-5890-4c55-b27c-49d1950d210f", "indicator--56d42479-9f50-4c3f-978c-49d1950d210f", "indicator--56d42479-5f9c-42dd-a40d-49d1950d210f", "indicator--56d424cd-0a88-4d49-aedb-18f1950d210f", "indicator--56d424ce-e0bc-4609-8eea-18f1950d210f", "indicator--56d424cf-09c0-46b9-8200-18f1950d210f", "indicator--56d424cf-0fa0-405a-b234-18f1950d210f", "indicator--56d424d0-2454-4f64-b5df-18f1950d210f", "indicator--56d424d0-2d60-4f0c-84ed-18f1950d210f", "indicator--56d424d1-a3dc-4bb8-9e4b-18f1950d210f", "indicator--56d424d1-9ec0-4d57-9620-18f1950d210f", "indicator--56d424d2-58a0-4a99-8047-18f1950d210f", "indicator--56d424d2-8998-48fb-a9a9-18f1950d210f", "indicator--56d424d3-fab4-40b2-92f9-18f1950d210f", "indicator--56d42520-66bc-461c-aec3-136b02de0b81", "indicator--56d42521-e338-4251-8428-136b02de0b81", "observed-data--56d42521-3344-4d72-88f6-136b02de0b81", 
"url--56d42521-3344-4d72-88f6-136b02de0b81", "indicator--56d42521-c944-4a0e-a511-136b02de0b81", "indicator--56d42522-a070-4761-a5f3-136b02de0b81", "observed-data--56d42522-3e6c-4af5-8980-136b02de0b81", "url--56d42522-3e6c-4af5-8980-136b02de0b81", "indicator--56d42522-9e6c-47a6-99f7-136b02de0b81", "indicator--56d42523-e910-42d6-b138-136b02de0b81", "observed-data--56d42523-0830-4db2-8b0f-136b02de0b81", "url--56d42523-0830-4db2-8b0f-136b02de0b81", "indicator--56d42523-08d8-4dca-8255-136b02de0b81", "indicator--56d42524-d8cc-41ed-a85f-136b02de0b81", "observed-data--56d42524-36b8-4213-bceb-136b02de0b81", "url--56d42524-36b8-4213-bceb-136b02de0b81", "indicator--56d42524-1fa4-4522-8630-136b02de0b81", "indicator--56d42525-77c0-4fb8-8068-136b02de0b81", "observed-data--56d42525-8f14-4f99-b1bc-136b02de0b81", "url--56d42525-8f14-4f99-b1bc-136b02de0b81", "indicator--56d42525-c62c-4eda-b534-136b02de0b81", "indicator--56d42526-2cd8-4730-a95c-136b02de0b81", "observed-data--56d42526-e5e0-4644-9409-136b02de0b81", "url--56d42526-e5e0-4644-9409-136b02de0b81", "indicator--56d42526-b940-421e-afec-136b02de0b81", "indicator--56d42527-b530-4ded-897b-136b02de0b81", "observed-data--56d42527-1b18-478b-8c79-136b02de0b81", "url--56d42527-1b18-478b-8c79-136b02de0b81", "indicator--56d42527-f594-4545-9380-136b02de0b81", "indicator--56d42528-c570-4870-a192-136b02de0b81", "observed-data--56d42528-27d0-4167-8efa-136b02de0b81", "url--56d42528-27d0-4167-8efa-136b02de0b81", "indicator--56d42529-c32c-4905-b701-136b02de0b81", "indicator--56d42529-2ce0-4e55-971f-136b02de0b81", "observed-data--56d42529-3b94-45f4-90cf-136b02de0b81", "url--56d42529-3b94-45f4-90cf-136b02de0b81", "indicator--56d42529-55b0-4eab-94fd-136b02de0b81", "indicator--56d4252a-35bc-41ea-acb1-136b02de0b81", "observed-data--56d4252a-bc68-498b-a953-136b02de0b81", "url--56d4252a-bc68-498b-a953-136b02de0b81", "indicator--56d4252a-4c40-4bb8-b5d2-136b02de0b81", "indicator--56d4252b-e418-4b9c-b63b-136b02de0b81", 
"observed-data--56d4252b-1c9c-4338-9754-136b02de0b81", "url--56d4252b-1c9c-4338-9754-136b02de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56d4243d-8880-4f2f-a4b8-49d3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T10:58:05.000Z", "modified": "2016-02-29T10:58:05.000Z", "first_observed": "2016-02-29T10:58:05Z", "last_observed": "2016-02-29T10:58:05Z", "number_observed": 1, "object_refs": [ "url--56d4243d-8880-4f2f-a4b8-49d3950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56d4243d-8880-4f2f-a4b8-49d3950d210f", "value": "https://securelist.com/blog/research/73866/atmzombie-banking-trojan-in-israeli-waters/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--56d42452-69c8-434e-9609-18f0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T10:58:26.000Z", "modified": "2016-02-29T10:58:26.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "On November 2015, Kaspersky Lab researchers identified ATMZombie, a banking Trojan that is considered to be the first malware to ever steal money from Israeli banks. It uses insidious injection and other sophisticated and stealthy methods. The first method, dubbed \u201cproxy-changing\u201d, is commonly used for HTTP packets inspections. It involves modifying browser proxy configurations and capturing traffic between a client and a server, acting as Man-In-The-Middle.\r\n\r\nAlthough this is efficient for testing, streaming bank details isn\u2019t as easy. 
Banks are using encrypted channels, signed with authorized certificates, to prevent the data from being streamed in clear-text. The attackers, however, realized the missing piece and have since issued a certificate of their own, which is embedded in the dropper and is inserted in the root CA list of common browsers in the victim\u2019s machine.\r\n\r\nThe method of using a \u201cproxy-changer\u201d Trojan to steal bank credentials has been around since the end of 2005, and is being actively used by Brazilian cybercriminals; however, it wasn\u2019t until 2012 that Kaspersky Lab researchers compiled a full attack analysis. \u201cIn Brazil malicious PAC files in Trojan bankers have been increasingly common since 2009, when several families such as Trojan.Win32.ProxyChanger started to force the URLs of PAC files in the browser of infected machines.\u201d, said Fabio Assolini, Senior Security Researcher at GReAT Kaspersky Lab, in his article." 
}, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d42468-6254-433d-b79d-18f2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T10:58:48.000Z", "modified": "2016-02-29T10:58:48.000Z", "pattern": "[domain-name:value = 'retsback.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T10:58:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d42468-e430-42c1-af5f-18f2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T10:58:48.000Z", "modified": "2016-02-29T10:58:48.000Z", "pattern": "[domain-name:value = 'updconfs.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T10:58:48Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d42469-9174-4954-8e6a-18f2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T10:58:49.000Z", "modified": "2016-02-29T10:58:49.000Z", "pattern": "[domain-name:value = 'systruster.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T10:58:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d42469-07d4-412d-9308-18f2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T10:58:49.000Z", "modified": 
"2016-02-29T10:58:49.000Z", "pattern": "[domain-name:value = 'msupdcheck.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T10:58:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d42478-dd34-408f-9189-49d1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T10:59:04.000Z", "modified": "2016-02-29T10:59:04.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '91.230.211.206']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T10:59:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d42478-5890-4c55-b27c-49d1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T10:59:04.000Z", "modified": "2016-02-29T10:59:04.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '185.86.77.153']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T10:59:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d42479-9f50-4c3f-978c-49d1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T10:59:05.000Z", "modified": "2016-02-29T10:59:05.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND 
network-traffic:dst_ref.value = '91.215.154.90']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T10:59:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d42479-5f9c-42dd-a40d-49d1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T10:59:05.000Z", "modified": "2016-02-29T10:59:05.000Z", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '88.214.236.121']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T10:59:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d424cd-0a88-4d49-aedb-18f1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:00:29.000Z", "modified": "2016-02-29T11:00:29.000Z", "description": "Trojan-Banker.Win32.Capper.zym", "pattern": "[file:hashes.MD5 = '6d11090c78e6621c21836c98808ff0f4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T11:00:29Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d424ce-e0bc-4609-8eea-18f1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:00:30.000Z", "modified": "2016-02-29T11:00:30.000Z", "description": "Trojan-Banker.Win32.Capper.zyt", "pattern": "[file:hashes.MD5 = 
'4c5b7a8187475be251d05655edcaccbe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T11:00:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d424cf-09c0-46b9-8200-18f1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:00:31.000Z", "modified": "2016-02-29T11:00:31.000Z", "description": "Trojan-Banker.Win32.Capper.zyk", "pattern": "[file:hashes.MD5 = 'c0201ab2a45bc0e17ebd186059d5a59e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T11:00:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d424cf-0fa0-405a-b234-18f1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:00:31.000Z", "modified": "2016-02-29T11:00:31.000Z", "description": "Trojan-Banker.Win32.Capper.zyl", "pattern": "[file:hashes.MD5 = '47b316e3227d618089eb1625c4202142']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T11:00:31Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d424d0-2454-4f64-b5df-18f1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:00:32.000Z", "modified": "2016-02-29T11:00:32.000Z", "description": "PAC", "pattern": "[file:hashes.MD5 = '84bb5a77e28b3539a8022bc3612d4f4c']", "pattern_type": "stix", 
"pattern_version": "2.1", "valid_from": "2016-02-29T11:00:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d424d0-2d60-4f0c-84ed-18f1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:00:32.000Z", "modified": "2016-02-29T11:00:32.000Z", "description": "Trojan-Banker.Win32.Capper.zyp", "pattern": "[file:hashes.MD5 = 'd2bf165284ab1953a96dfa7b642637a8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T11:00:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d424d1-a3dc-4bb8-9e4b-18f1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:00:33.000Z", "modified": "2016-02-29T11:00:33.000Z", "description": "Trojan-Banker.Win32.Capper.zyq", "pattern": "[file:hashes.MD5 = '80440e78a68583b180ad4d3e9a676a6e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T11:00:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d424d1-9ec0-4d57-9620-18f1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:00:33.000Z", "modified": "2016-02-29T11:00:33.000Z", "description": "Trojan-Banker.Win32.Capper.zyg", "pattern": "[file:hashes.MD5 = 'd08e51f8187df278296a8c4ff5cff0de']", "pattern_type": "stix", "pattern_version": "2.1", 
"valid_from": "2016-02-29T11:00:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d424d2-58a0-4a99-8047-18f1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:00:34.000Z", "modified": "2016-02-29T11:00:34.000Z", "description": "Trojan-Banker.Win32.Capper.zyg", "pattern": "[file:hashes.MD5 = 'efa5ea2c511b08d0f8259a10a49b27ad']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T11:00:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d424d2-8998-48fb-a9a9-18f1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:00:34.000Z", "modified": "2016-02-29T11:00:34.000Z", "description": "Trojan-Banker.Win32.Capper.zyg", "pattern": "[file:hashes.MD5 = '13d9352a27b626e501f5889bfd614b34']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T11:00:34Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d424d3-fab4-40b2-92f9-18f1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:00:35.000Z", "modified": "2016-02-29T11:00:35.000Z", "description": "Trojan-Banker.Win32.Capper.zyg", "pattern": "[file:hashes.MD5 = 'e5b7fd7eed59340027625ac39bae7c81']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T11:00:35Z", 
"kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d42520-66bc-461c-aec3-136b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:01:52.000Z", "modified": "2016-02-29T11:01:52.000Z", "description": "Trojan-Banker.Win32.Capper.zyg - Xchecked via VT: e5b7fd7eed59340027625ac39bae7c81", "pattern": "[file:hashes.SHA256 = '83c8f47fb756860134a06eb2241467450c106059849de0a4838811f2af02f93d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T11:01:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d42521-e338-4251-8428-136b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:01:53.000Z", "modified": "2016-02-29T11:01:53.000Z", "description": "Trojan-Banker.Win32.Capper.zyg - Xchecked via VT: e5b7fd7eed59340027625ac39bae7c81", "pattern": "[file:hashes.SHA1 = '64e27e0cafff0c230b22489baae98100a5417a86']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T11:01:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56d42521-3344-4d72-88f6-136b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:01:53.000Z", "modified": "2016-02-29T11:01:53.000Z", "first_observed": "2016-02-29T11:01:53Z", "last_observed": "2016-02-29T11:01:53Z", 
"number_observed": 1, "object_refs": [ "url--56d42521-3344-4d72-88f6-136b02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56d42521-3344-4d72-88f6-136b02de0b81", "value": "https://www.virustotal.com/file/83c8f47fb756860134a06eb2241467450c106059849de0a4838811f2af02f93d/analysis/1447251902/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d42521-c944-4a0e-a511-136b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:01:53.000Z", "modified": "2016-02-29T11:01:53.000Z", "description": "Trojan-Banker.Win32.Capper.zyg - Xchecked via VT: 13d9352a27b626e501f5889bfd614b34", "pattern": "[file:hashes.SHA256 = '76ef5d7d06e2a11bb3dd78b8a6e5f3042b79b69bec034d07f97540d8514dca3b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T11:01:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d42522-a070-4761-a5f3-136b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:01:54.000Z", "modified": "2016-02-29T11:01:54.000Z", "description": "Trojan-Banker.Win32.Capper.zyg - Xchecked via VT: 13d9352a27b626e501f5889bfd614b34", "pattern": "[file:hashes.SHA1 = '8df6716038b03ba3bc1e31ee0587f2c093cdca48']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T11:01:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56d42522-3e6c-4af5-8980-136b02de0b81", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:01:54.000Z", "modified": "2016-02-29T11:01:54.000Z", "first_observed": "2016-02-29T11:01:54Z", "last_observed": "2016-02-29T11:01:54Z", "number_observed": 1, "object_refs": [ "url--56d42522-3e6c-4af5-8980-136b02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56d42522-3e6c-4af5-8980-136b02de0b81", "value": "https://www.virustotal.com/file/76ef5d7d06e2a11bb3dd78b8a6e5f3042b79b69bec034d07f97540d8514dca3b/analysis/1447116816/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d42522-9e6c-47a6-99f7-136b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:01:54.000Z", "modified": "2016-02-29T11:01:54.000Z", "description": "Trojan-Banker.Win32.Capper.zyg - Xchecked via VT: efa5ea2c511b08d0f8259a10a49b27ad", "pattern": "[file:hashes.SHA256 = 'd5a4b61207294f29c4f8abd317df38d8426ef9f0c7240132d9c33764e0b535d4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T11:01:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d42523-e910-42d6-b138-136b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:01:55.000Z", "modified": "2016-02-29T11:01:55.000Z", "description": "Trojan-Banker.Win32.Capper.zyg - Xchecked via VT: efa5ea2c511b08d0f8259a10a49b27ad", "pattern": "[file:hashes.SHA1 = 'c4df3656bdea8b78ec50a5fc296f9c0e869b1864']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T11:01:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", 
"misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56d42523-0830-4db2-8b0f-136b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:01:55.000Z", "modified": "2016-02-29T11:01:55.000Z", "first_observed": "2016-02-29T11:01:55Z", "last_observed": "2016-02-29T11:01:55Z", "number_observed": 1, "object_refs": [ "url--56d42523-0830-4db2-8b0f-136b02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56d42523-0830-4db2-8b0f-136b02de0b81", "value": "https://www.virustotal.com/file/d5a4b61207294f29c4f8abd317df38d8426ef9f0c7240132d9c33764e0b535d4/analysis/1456742204/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d42523-08d8-4dca-8255-136b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:01:55.000Z", "modified": "2016-02-29T11:01:55.000Z", "description": "Trojan-Banker.Win32.Capper.zyg - Xchecked via VT: d08e51f8187df278296a8c4ff5cff0de", "pattern": "[file:hashes.SHA256 = '23dad1d88a73b3e4e7a938e228aa87f6af1d035d1f258644a38c085342c8eda4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T11:01:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d42524-d8cc-41ed-a85f-136b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:01:56.000Z", "modified": "2016-02-29T11:01:56.000Z", "description": "Trojan-Banker.Win32.Capper.zyg - Xchecked via VT: d08e51f8187df278296a8c4ff5cff0de", "pattern": "[file:hashes.SHA1 = '79886aa3a13cd3ab782aa0e90bff665a70bc55b0']", "pattern_type": "stix", 
"pattern_version": "2.1", "valid_from": "2016-02-29T11:01:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56d42524-36b8-4213-bceb-136b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:01:56.000Z", "modified": "2016-02-29T11:01:56.000Z", "first_observed": "2016-02-29T11:01:56Z", "last_observed": "2016-02-29T11:01:56Z", "number_observed": 1, "object_refs": [ "url--56d42524-36b8-4213-bceb-136b02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56d42524-36b8-4213-bceb-136b02de0b81", "value": "https://www.virustotal.com/file/23dad1d88a73b3e4e7a938e228aa87f6af1d035d1f258644a38c085342c8eda4/analysis/1456742000/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d42524-1fa4-4522-8630-136b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:01:56.000Z", "modified": "2016-02-29T11:01:56.000Z", "description": "Trojan-Banker.Win32.Capper.zyq - Xchecked via VT: 80440e78a68583b180ad4d3e9a676a6e", "pattern": "[file:hashes.SHA256 = 'dee548966f1e6f8d34684c98616da3021a2db5bd9b7de3543befa5a1c686ef20']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T11:01:56Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d42525-77c0-4fb8-8068-136b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:01:57.000Z", "modified": "2016-02-29T11:01:57.000Z", "description": 
"Trojan-Banker.Win32.Capper.zyq - Xchecked via VT: 80440e78a68583b180ad4d3e9a676a6e", "pattern": "[file:hashes.SHA1 = 'e0514630ce24cef8b55f3d20dc43f40dd9564f13']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T11:01:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56d42525-8f14-4f99-b1bc-136b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:01:57.000Z", "modified": "2016-02-29T11:01:57.000Z", "first_observed": "2016-02-29T11:01:57Z", "last_observed": "2016-02-29T11:01:57Z", "number_observed": 1, "object_refs": [ "url--56d42525-8f14-4f99-b1bc-136b02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56d42525-8f14-4f99-b1bc-136b02de0b81", "value": "https://www.virustotal.com/file/dee548966f1e6f8d34684c98616da3021a2db5bd9b7de3543befa5a1c686ef20/analysis/1456739595/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d42525-c62c-4eda-b534-136b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:01:57.000Z", "modified": "2016-02-29T11:01:57.000Z", "description": "Trojan-Banker.Win32.Capper.zyp - Xchecked via VT: d2bf165284ab1953a96dfa7b642637a8", "pattern": "[file:hashes.SHA256 = '966d747a0dfdce90c32c9c8d33355c5493310b7abaa50eb0e208b35dc7614202']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T11:01:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--56d42526-2cd8-4730-a95c-136b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:01:58.000Z", "modified": "2016-02-29T11:01:58.000Z", "description": "Trojan-Banker.Win32.Capper.zyp - Xchecked via VT: d2bf165284ab1953a96dfa7b642637a8", "pattern": "[file:hashes.SHA1 = '76efcf23219094f45a4acb289e772ca6c7fb38e2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T11:01:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56d42526-e5e0-4644-9409-136b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:01:58.000Z", "modified": "2016-02-29T11:01:58.000Z", "first_observed": "2016-02-29T11:01:58Z", "last_observed": "2016-02-29T11:01:58Z", "number_observed": 1, "object_refs": [ "url--56d42526-e5e0-4644-9409-136b02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56d42526-e5e0-4644-9409-136b02de0b81", "value": "https://www.virustotal.com/file/966d747a0dfdce90c32c9c8d33355c5493310b7abaa50eb0e208b35dc7614202/analysis/1448457095/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d42526-b940-421e-afec-136b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:01:58.000Z", "modified": "2016-02-29T11:01:58.000Z", "description": "PAC - Xchecked via VT: 84bb5a77e28b3539a8022bc3612d4f4c", "pattern": "[file:hashes.SHA256 = '0ea3e84cd40ee1a50a4161413154c983300b38aa4c78a910ba0f728618ec98e3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T11:01:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload 
delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d42527-b530-4ded-897b-136b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:01:59.000Z", "modified": "2016-02-29T11:01:59.000Z", "description": "PAC - Xchecked via VT: 84bb5a77e28b3539a8022bc3612d4f4c", "pattern": "[file:hashes.SHA1 = '926a44dcaf507955ad3ca9fa2fa0b8586036a2c3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T11:01:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56d42527-1b18-478b-8c79-136b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:01:59.000Z", "modified": "2016-02-29T11:01:59.000Z", "first_observed": "2016-02-29T11:01:59Z", "last_observed": "2016-02-29T11:01:59Z", "number_observed": 1, "object_refs": [ "url--56d42527-1b18-478b-8c79-136b02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56d42527-1b18-478b-8c79-136b02de0b81", "value": "https://www.virustotal.com/file/0ea3e84cd40ee1a50a4161413154c983300b38aa4c78a910ba0f728618ec98e3/analysis/1447258543/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d42527-f594-4545-9380-136b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:01:59.000Z", "modified": "2016-02-29T11:01:59.000Z", "description": "Trojan-Banker.Win32.Capper.zyl - Xchecked via VT: 47b316e3227d618089eb1625c4202142", "pattern": "[file:hashes.SHA256 = 'eb18f0d3abc6b9bfdd3d09082a027bebc4963c9bbee28b8708888cb276a00049']", 
"pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T11:01:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d42528-c570-4870-a192-136b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:02:00.000Z", "modified": "2016-02-29T11:02:00.000Z", "description": "Trojan-Banker.Win32.Capper.zyl - Xchecked via VT: 47b316e3227d618089eb1625c4202142", "pattern": "[file:hashes.SHA1 = 'cd0c4f2ab5f20d28c3b5d76cc7d8623fd56c78b8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T11:02:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56d42528-27d0-4167-8efa-136b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:02:00.000Z", "modified": "2016-02-29T11:02:00.000Z", "first_observed": "2016-02-29T11:02:00Z", "last_observed": "2016-02-29T11:02:00Z", "number_observed": 1, "object_refs": [ "url--56d42528-27d0-4167-8efa-136b02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56d42528-27d0-4167-8efa-136b02de0b81", "value": "https://www.virustotal.com/file/eb18f0d3abc6b9bfdd3d09082a027bebc4963c9bbee28b8708888cb276a00049/analysis/1456743361/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d42529-c32c-4905-b701-136b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:02:00.000Z", "modified": "2016-02-29T11:02:00.000Z", "description": 
"Trojan-Banker.Win32.Capper.zyk - Xchecked via VT: c0201ab2a45bc0e17ebd186059d5a59e", "pattern": "[file:hashes.SHA256 = '294f44963b3d1e305fb4b3498a0ee616313660bdf8197d0cb2a94c0cdfaf7539']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T11:02:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d42529-2ce0-4e55-971f-136b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:02:01.000Z", "modified": "2016-02-29T11:02:01.000Z", "description": "Trojan-Banker.Win32.Capper.zyk - Xchecked via VT: c0201ab2a45bc0e17ebd186059d5a59e", "pattern": "[file:hashes.SHA1 = '987896a6befabeefcb0e42ff73ee3e1dda02f81b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T11:02:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56d42529-3b94-45f4-90cf-136b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:02:01.000Z", "modified": "2016-02-29T11:02:01.000Z", "first_observed": "2016-02-29T11:02:01Z", "last_observed": "2016-02-29T11:02:01Z", "number_observed": 1, "object_refs": [ "url--56d42529-3b94-45f4-90cf-136b02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56d42529-3b94-45f4-90cf-136b02de0b81", "value": "https://www.virustotal.com/file/294f44963b3d1e305fb4b3498a0ee616313660bdf8197d0cb2a94c0cdfaf7539/analysis/1447092121/" }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--56d42529-55b0-4eab-94fd-136b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:02:01.000Z", "modified": "2016-02-29T11:02:01.000Z", "description": "Trojan-Banker.Win32.Capper.zyt - Xchecked via VT: 4c5b7a8187475be251d05655edcaccbe", "pattern": "[file:hashes.SHA256 = '64225a6e0815bc5b6c3414985ef5b3f374d4797d357bd243a19afc08d75c87e9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T11:02:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d4252a-35bc-41ea-acb1-136b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:02:02.000Z", "modified": "2016-02-29T11:02:02.000Z", "description": "Trojan-Banker.Win32.Capper.zyt - Xchecked via VT: 4c5b7a8187475be251d05655edcaccbe", "pattern": "[file:hashes.SHA1 = 'cd7b3d641628851ba59ac2a5260fc318c57c7fd6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T11:02:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56d4252a-bc68-498b-a953-136b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:02:02.000Z", "modified": "2016-02-29T11:02:02.000Z", "first_observed": "2016-02-29T11:02:02Z", "last_observed": "2016-02-29T11:02:02Z", "number_observed": 1, "object_refs": [ "url--56d4252a-bc68-498b-a953-136b02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": 
"url--56d4252a-bc68-498b-a953-136b02de0b81", "value": "https://www.virustotal.com/file/64225a6e0815bc5b6c3414985ef5b3f374d4797d357bd243a19afc08d75c87e9/analysis/1448376105/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d4252a-4c40-4bb8-b5d2-136b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:02:02.000Z", "modified": "2016-02-29T11:02:02.000Z", "description": "Trojan-Banker.Win32.Capper.zym - Xchecked via VT: 6d11090c78e6621c21836c98808ff0f4", "pattern": "[file:hashes.SHA256 = '8662e3c0c564b85ee4af656dcf76fdafdacb41a2f13a3de509bca16b2e8928c7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T11:02:02Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--56d4252b-e418-4b9c-b63b-136b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:02:03.000Z", "modified": "2016-02-29T11:02:03.000Z", "description": "Trojan-Banker.Win32.Capper.zym - Xchecked via VT: 6d11090c78e6621c21836c98808ff0f4", "pattern": "[file:hashes.SHA1 = '6da3ea5941228a08113b643297d97078c4cafb4b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-02-29T11:02:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--56d4252b-1c9c-4338-9754-136b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-02-29T11:02:03.000Z", "modified": "2016-02-29T11:02:03.000Z", "first_observed": "2016-02-29T11:02:03Z", "last_observed": "2016-02-29T11:02:03Z", "number_observed": 1, 
"object_refs": [ "url--56d4252b-1c9c-4338-9754-136b02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--56d4252b-1c9c-4338-9754-136b02de0b81", "value": "https://www.virustotal.com/file/8662e3c0c564b85ee4af656dcf76fdafdacb41a2f13a3de509bca16b2e8928c7/analysis/1447502166/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }