{ "type": "bundle", "id": "bundle--572efbbc-ba08-4a82-b879-400d02de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T08:48:44.000Z", "modified": "2016-05-08T08:48:44.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--572efbbc-ba08-4a82-b879-400d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T08:48:44.000Z", "modified": "2016-05-08T08:48:44.000Z", "name": "Fake scan campaigns (20160505 - 20160507) using docm - Dridex", "published": "2016-05-08T08:52:06Z", "object_refs": [ "indicator--572efbef-6894-4dd0-a438-480602de0b81", "indicator--572efbef-28e4-487d-835b-4ecc02de0b81", "indicator--572efbef-6b4c-485a-96b8-4c2402de0b81", "indicator--572efbf0-65fc-41dc-9dd6-48d102de0b81", "indicator--572efc0d-33dc-4c5a-86b2-424602de0b81", "indicator--572efc0d-c538-47f4-9f65-477c02de0b81", "indicator--572efc0e-66ec-433d-a8aa-408d02de0b81", "indicator--572efc4e-cc64-4b0f-9b5f-427f02de0b81", "indicator--572efc66-9ccc-4e82-8172-41a202de0b81", "indicator--572efc67-9714-4709-8f5f-49d302de0b81", "observed-data--572efc67-a9ac-4e71-91f3-482302de0b81", "url--572efc67-a9ac-4e71-91f3-482302de0b81", "indicator--572efc9d-79a4-4199-bde2-46cc02de0b81", "indicator--572efd0b-677c-4f67-a705-4cb302de0b81", "indicator--572efd13-8974-4e7a-947f-465102de0b81", "indicator--572efd14-e58c-42aa-865b-4e5d02de0b81", "observed-data--572efd14-f9e8-4c6b-8e9c-4bb802de0b81", "url--572efd14-f9e8-4c6b-8e9c-4bb802de0b81", "indicator--572efd55-bef4-4d63-9929-46d002de0b81", "indicator--572efd6c-7f24-4459-9832-43d202de0b81", "indicator--572efd6c-e894-4c0f-be22-4f2902de0b81", "observed-data--572efd6c-e2b4-44ed-9962-470b02de0b81", "url--572efd6c-e2b4-44ed-9962-470b02de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"" ], "object_marking_refs": [ 
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572efbef-6894-4dd0-a438-480602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T08:42:23.000Z", "modified": "2016-05-08T08:42:23.000Z", "pattern": "[url:value = 'fm1.ntlweb.org/87hcnrewe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T08:42:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572efbef-28e4-487d-835b-4ecc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T08:42:23.000Z", "modified": "2016-05-08T08:42:23.000Z", "pattern": "[url:value = 'iconigram.com/87hcnrewe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T08:42:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572efbef-6b4c-485a-96b8-4c2402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T08:42:23.000Z", "modified": "2016-05-08T08:42:23.000Z", "pattern": "[url:value = 'www.sammelarmband.de/87hcnrewe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T08:42:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572efbf0-65fc-41dc-9dd6-48d102de0b81", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T08:42:24.000Z", "modified": "2016-05-08T08:42:24.000Z", "pattern": "[url:value = 'hospice.psy.free.fr/87hcnrewe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T08:42:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572efc0d-33dc-4c5a-86b2-424602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T08:42:53.000Z", "modified": "2016-05-08T08:42:53.000Z", "description": "C&C", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.241.252.152']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T08:42:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572efc0d-c538-47f4-9f65-477c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T08:42:53.000Z", "modified": "2016-05-08T08:42:53.000Z", "description": "C&C", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '195.169.147.26']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T08:42:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572efc0e-66ec-433d-a8aa-408d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", 
"created": "2016-05-08T08:42:54.000Z", "modified": "2016-05-08T08:42:54.000Z", "description": "C&C", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '70.164.127.132']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T08:42:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572efc4e-cc64-4b0f-9b5f-427f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T08:43:58.000Z", "modified": "2016-05-08T08:43:58.000Z", "description": "Dropped binary", "pattern": "[file:hashes.SHA256 = '84997e293dd1707b95c5ade8cc241742dd697f04f8f592545f8d140c801b6b3e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T08:43:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572efc66-9ccc-4e82-8172-41a202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T08:44:22.000Z", "modified": "2016-05-08T08:44:22.000Z", "description": "Dropped binary - Xchecked via VT: 84997e293dd1707b95c5ade8cc241742dd697f04f8f592545f8d140c801b6b3e", "pattern": "[file:hashes.SHA1 = 'a835542d280eb8a3cc508cd57bcd94fd2393fc31']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T08:44:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": 
"indicator--572efc67-9714-4709-8f5f-49d302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T08:44:23.000Z", "modified": "2016-05-08T08:44:23.000Z", "description": "Dropped binary - Xchecked via VT: 84997e293dd1707b95c5ade8cc241742dd697f04f8f592545f8d140c801b6b3e", "pattern": "[file:hashes.MD5 = '803358c128aae4faed24e194d6388e68']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T08:44:23Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--572efc67-a9ac-4e71-91f3-482302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T08:44:23.000Z", "modified": "2016-05-08T08:44:23.000Z", "first_observed": "2016-05-08T08:44:23Z", "last_observed": "2016-05-08T08:44:23Z", "number_observed": 1, "object_refs": [ "url--572efc67-a9ac-4e71-91f3-482302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--572efc67-a9ac-4e71-91f3-482302de0b81", "value": "https://www.virustotal.com/file/84997e293dd1707b95c5ade8cc241742dd697f04f8f592545f8d140c801b6b3e/analysis/1462526126/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572efc9d-79a4-4199-bde2-46cc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T08:45:17.000Z", "modified": "2016-05-08T08:45:17.000Z", "pattern": "[url:value = 'http://meregivo.com.ua/87hcnrewe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T08:45:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { 
"type": "indicator", "spec_version": "2.1", "id": "indicator--572efd0b-677c-4f67-a705-4cb302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T08:47:07.000Z", "modified": "2016-05-08T08:47:07.000Z", "description": "malicious docm", "pattern": "[file:hashes.SHA256 = 'af69220c029de7fa6f180f98c176263d24d187d1be7321e866b9d96e5c314fab']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T08:47:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572efd13-8974-4e7a-947f-465102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T08:47:15.000Z", "modified": "2016-05-08T08:47:15.000Z", "description": "malicious docm - Xchecked via VT: af69220c029de7fa6f180f98c176263d24d187d1be7321e866b9d96e5c314fab", "pattern": "[file:hashes.SHA1 = 'f9cb0984f6fcc3e76070bd8f71c193f58000c1a7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T08:47:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572efd14-e58c-42aa-865b-4e5d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T08:47:16.000Z", "modified": "2016-05-08T08:47:16.000Z", "description": "malicious docm - Xchecked via VT: af69220c029de7fa6f180f98c176263d24d187d1be7321e866b9d96e5c314fab", "pattern": "[file:hashes.MD5 = 'a52fc2b17771577ee1e72a08f99fa432']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T08:47:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", 
"phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--572efd14-f9e8-4c6b-8e9c-4bb802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T08:47:16.000Z", "modified": "2016-05-08T08:47:16.000Z", "first_observed": "2016-05-08T08:47:16Z", "last_observed": "2016-05-08T08:47:16Z", "number_observed": 1, "object_refs": [ "url--572efd14-f9e8-4c6b-8e9c-4bb802de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--572efd14-f9e8-4c6b-8e9c-4bb802de0b81", "value": "https://www.virustotal.com/file/af69220c029de7fa6f180f98c176263d24d187d1be7321e866b9d96e5c314fab/analysis/1462544836/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572efd55-bef4-4d63-9929-46d002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T08:48:37.000Z", "modified": "2016-05-08T08:48:37.000Z", "description": "malicious docm", "pattern": "[file:hashes.SHA256 = '0ec823c91274f3fad610d5ac8a89cfcac0dfdf506c214384320d864c163b2d25']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T08:48:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572efd6c-7f24-4459-9832-43d202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T08:48:44.000Z", "modified": "2016-05-08T08:48:44.000Z", "description": "malicious docm - Xchecked via VT: 0ec823c91274f3fad610d5ac8a89cfcac0dfdf506c214384320d864c163b2d25", "pattern": "[file:hashes.SHA1 = '892d09d04fa087df98fb0c2941b7a39c4c938822']", 
"pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T08:48:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--572efd6c-e894-4c0f-be22-4f2902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T08:48:44.000Z", "modified": "2016-05-08T08:48:44.000Z", "description": "malicious docm - Xchecked via VT: 0ec823c91274f3fad610d5ac8a89cfcac0dfdf506c214384320d864c163b2d25", "pattern": "[file:hashes.MD5 = '22feec8b1b12603a6efc8d098817b99a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-05-08T08:48:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--572efd6c-e2b4-44ed-9962-470b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-05-08T08:48:44.000Z", "modified": "2016-05-08T08:48:44.000Z", "first_observed": "2016-05-08T08:48:44Z", "last_observed": "2016-05-08T08:48:44Z", "number_observed": 1, "object_refs": [ "url--572efd6c-e2b4-44ed-9962-470b02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--572efd6c-e2b4-44ed-9962-470b02de0b81", "value": "https://www.virustotal.com/file/0ec823c91274f3fad610d5ac8a89cfcac0dfdf506c214384320d864c163b2d25/analysis/1462544863/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }