{ "type": "bundle", "id": "bundle--57931fd5-3c78-4dab-b1e9-4cc302de0b81", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:47:22.000Z", "modified": "2016-07-23T07:47:22.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--57931fd5-3c78-4dab-b1e9-4cc302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:47:22.000Z", "modified": "2016-07-23T07:47:22.000Z", "name": "OSINT - Kovter becomes almost file-less, creates a new file type, and gets some new certificates", "published": "2016-07-23T07:47:38Z", "object_refs": [ "indicator--5793200d-b68c-41b3-8296-4d1f02de0b81", "indicator--5793200d-14b8-4146-b84d-45af02de0b81", "indicator--5793200d-7c40-41b6-9fed-4fce02de0b81", "indicator--5793200e-cf2c-40e7-8523-479f02de0b81", "indicator--5793200e-2cf0-427d-8982-4a6402de0b81", "indicator--5793200e-eefc-4fcb-85c9-4f9002de0b81", "indicator--5793200e-f2f0-434f-ad2a-490e02de0b81", "indicator--5793200e-cab8-4f3e-864d-4e5102de0b81", "indicator--5793203d-0d10-4cdd-a2dd-404102de0b81", "indicator--5793203d-c6a4-4753-b3ea-4de602de0b81", "indicator--5793203e-17b8-4118-93e8-435e02de0b81", "indicator--5793203e-ccf8-4d8f-a7a5-487f02de0b81", "indicator--5793203e-1ef8-4134-82f2-4e3402de0b81", "indicator--5793203e-ad0c-4952-addf-423c02de0b81", "indicator--5793203f-1bb4-43cd-b5f4-4ca002de0b81", "indicator--57932073-e494-4aa4-aadb-4db602de0b81", "indicator--57932073-86d0-423f-a8d6-4ff202de0b81", "indicator--57932074-9d0c-49a4-bd99-45eb02de0b81", "indicator--57932074-f678-4467-a322-4f3d02de0b81", "indicator--57932074-c224-4667-9752-435202de0b81", "indicator--57932074-32e4-44bb-b8ed-4b5602de0b81", "indicator--57932074-8868-4798-83d1-4c9002de0b81", "indicator--57932095-f574-45fd-b1f6-4b9d02de0b81", "indicator--57932095-ad7c-4efc-ba28-407d02de0b81", 
"observed-data--57932095-6dc8-42f4-b071-400e02de0b81", "url--57932095-6dc8-42f4-b071-400e02de0b81", "indicator--57932096-c044-4f67-a760-485a02de0b81", "indicator--57932096-bfe4-4010-8f08-43ec02de0b81", "observed-data--57932096-7a0c-4d72-a7cd-482e02de0b81", "url--57932096-7a0c-4d72-a7cd-482e02de0b81", "indicator--57932096-2970-4903-bf44-4c3a02de0b81", "indicator--57932096-32a4-433b-a558-4f1d02de0b81", "observed-data--57932097-6b24-4988-9716-48c302de0b81", "url--57932097-6b24-4988-9716-48c302de0b81", "indicator--57932097-ef18-48e3-ae1c-48ff02de0b81", "indicator--57932097-bf8c-48cd-b559-4a7302de0b81", "observed-data--57932097-2e98-428f-9354-4e4c02de0b81", "url--57932097-2e98-428f-9354-4e4c02de0b81", "observed-data--579320af-d86c-4d75-bf38-42de02de0b81", "url--579320af-d86c-4d75-bf38-42de02de0b81", "x-misp-attribute--579320ce-a6bc-4bbc-8cf4-4d2902de0b81", "x-misp-attribute--5793210a-2368-429a-992f-431f02de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "circl:incident-classification=\"malware\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5793200d-b68c-41b3-8296-4d1f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:43:09.000Z", "modified": "2016-07-23T07:43:09.000Z", "description": "We have seen Kovter downloaded from a large list of URLs, including", "pattern": "[url:value = 'https://eepheverseoftheday.org/2811826639187/2811826639187/146819749948281/FlashPlayer.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-07-23T07:43:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5793200d-14b8-4146-b84d-45af02de0b81", 
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:43:09.000Z", "modified": "2016-07-23T07:43:09.000Z", "description": "We have seen Kovter downloaded from a large list of URLs, including", "pattern": "[url:value = 'https://deequglutenfreeclub.org/8961166952189/8961166952189/146809673281840/FlashPlayer.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-07-23T07:43:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5793200d-7c40-41b6-9fed-4fce02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:43:09.000Z", "modified": "2016-07-23T07:43:09.000Z", "description": "We have seen Kovter downloaded from a large list of URLs, including", "pattern": "[url:value = 'https://zaixovinmonopolet.net/5261173544131/5261173544131/146785099939564/FlashPlayer.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-07-23T07:43:09Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5793200e-cf2c-40e7-8523-479f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:43:10.000Z", "modified": "2016-07-23T07:43:10.000Z", "description": "We have seen Kovter downloaded from a large list of URLs, including", "pattern": "[url:value = 'https://feehacitysocialising.net/7561659755159/1468089713424429/firefox-patch.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-07-23T07:43:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": 
"Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5793200e-2cf0-427d-8982-4a6402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:43:10.000Z", "modified": "2016-07-23T07:43:10.000Z", "description": "We have seen Kovter downloaded from a large list of URLs, including", "pattern": "[url:value = 'https://eepheverseoftheday.org/1851760268603/1851760268603/1468192094476645/firefox-patch.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-07-23T07:43:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5793200e-eefc-4fcb-85c9-4f9002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:43:10.000Z", "modified": "2016-07-23T07:43:10.000Z", "description": "We have seen Kovter downloaded from a large list of URLs, including", "pattern": "[url:value = 'https://uchuhfsbox.net/8031143191240/8031143191240/1467996389305283/firefox-patch.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-07-23T07:43:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5793200e-f2f0-434f-ad2a-490e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:43:10.000Z", "modified": "2016-07-23T07:43:10.000Z", "description": "We have seen Kovter downloaded from a large list of URLs, including", "pattern": "[url:value = 
'https://ierairosihanari.org/1461656983266/1461656983266/1467987174641688/firefox-patch.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-07-23T07:43:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5793200e-cab8-4f3e-864d-4e5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:43:10.000Z", "modified": "2016-07-23T07:43:10.000Z", "description": "We have seen Kovter downloaded from a large list of URLs, including", "pattern": "[url:value = 'https://anayimovilyeuros.net/7601143032510/7601143032510/1465468888898207/chrome-patch.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-07-23T07:43:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5793203d-0d10-4cdd-a2dd-404102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:43:57.000Z", "modified": "2016-07-23T07:43:57.000Z", "description": "Kovter has also rotated through a series of new digital certificates, including the following", "pattern": "[x509-certificate:hashes.SHA1 = '7e93cc85ed87ddfb31ac84154f28ae9d6bee0116']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-07-23T07:43:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"x509-fingerprint-sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5793203d-c6a4-4753-b3ea-4de602de0b81", 
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:43:57.000Z", "modified": "2016-07-23T07:43:57.000Z", "description": "Kovter has also rotated through a series of new digital certificates, including the following", "pattern": "[x509-certificate:hashes.SHA1 = '78d98ccccc41e0dea1791d24595c2e90f796fd48']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-07-23T07:43:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"x509-fingerprint-sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5793203e-17b8-4118-93e8-435e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:43:58.000Z", "modified": "2016-07-23T07:43:58.000Z", "description": "Kovter has also rotated through a series of new digital certificates, including the following", "pattern": "[x509-certificate:hashes.SHA1 = 'c6305ea8aba8b095d31a7798f957d9c91fc17cf6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-07-23T07:43:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"x509-fingerprint-sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5793203e-ccf8-4d8f-a7a5-487f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:43:58.000Z", "modified": "2016-07-23T07:43:58.000Z", "description": "Kovter has also rotated through a series of new digital certificates, including the following", "pattern": "[x509-certificate:hashes.SHA1 = 'b780af39e1bf684b7d2579edfff4ed26519b05f6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-07-23T07:43:58Z", "kill_chain_phases": [ { "kill_chain_name": 
"misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"x509-fingerprint-sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5793203e-1ef8-4134-82f2-4e3402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:43:58.000Z", "modified": "2016-07-23T07:43:58.000Z", "description": "Kovter has also rotated through a series of new digital certificates, including the following", "pattern": "[x509-certificate:hashes.SHA1 = 'a286affc5f6e92bdc93374646676ebc49e21bcae']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-07-23T07:43:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"x509-fingerprint-sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5793203e-ad0c-4952-addf-423c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:43:58.000Z", "modified": "2016-07-23T07:43:58.000Z", "description": "Kovter has also rotated through a series of new digital certificates, including the following", "pattern": "[x509-certificate:hashes.SHA1 = 'ac4325c9837cd8fa72d6bcaf4b00186957713414']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-07-23T07:43:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"x509-fingerprint-sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5793203f-1bb4-43cd-b5f4-4ca002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:43:59.000Z", "modified": "2016-07-23T07:43:59.000Z", "description": "Kovter has also rotated through a series of new 
digital certificates, including the following", "pattern": "[x509-certificate:hashes.SHA1 = 'ce75af3b8be1ecef9d0eb51f2f3281b846add3fc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-07-23T07:43:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"x509-fingerprint-sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57932073-e494-4aa4-aadb-4db602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:44:51.000Z", "modified": "2016-07-23T07:44:51.000Z", "description": "Kovter SHA1", "pattern": "[file:hashes.SHA1 = '7177811e2f7be8db2a7d9b1f690dc9e764fdc8a2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-07-23T07:44:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57932073-86d0-423f-a8d6-4ff202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:44:51.000Z", "modified": "2016-07-23T07:44:51.000Z", "description": "Kovter SHA1", "pattern": "[file:hashes.SHA1 = 'da3261ceff37a56797b47b998dafe6e0376f8446']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-07-23T07:44:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57932074-9d0c-49a4-bd99-45eb02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:44:52.000Z", "modified": "2016-07-23T07:44:52.000Z", "description": 
"Kovter SHA1", "pattern": "[file:hashes.SHA1 = 'c3f3ecf24b6d39b0e4ff51af31002f3d37677476']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-07-23T07:44:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57932074-f678-4467-a322-4f3d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:44:52.000Z", "modified": "2016-07-23T07:44:52.000Z", "description": "Kovter SHA1", "pattern": "[file:hashes.SHA1 = 'c49febe1e240e47364a649b4cd19e37bb14534d0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-07-23T07:44:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57932074-c224-4667-9752-435202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:44:52.000Z", "modified": "2016-07-23T07:44:52.000Z", "description": "Kovter SHA1", "pattern": "[file:hashes.SHA1 = '3689ff2ef2aceb9dc0877b38edf5cb4e1bd86f39']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-07-23T07:44:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57932074-32e4-44bb-b8ed-4b5602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:44:52.000Z", "modified": "2016-07-23T07:44:52.000Z", "description": "Kovter SHA1", "pattern": "[file:hashes.SHA1 = 
'e428de0899cb13de47ac16618a53c5831337c5e6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-07-23T07:44:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57932074-8868-4798-83d1-4c9002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:44:52.000Z", "modified": "2016-07-23T07:44:52.000Z", "description": "Kovter SHA1", "pattern": "[file:hashes.SHA1 = 'b8cace9f517bad05d8dc89d7f76f79aae8717a24']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-07-23T07:44:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57932095-f574-45fd-b1f6-4b9d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:45:25.000Z", "modified": "2016-07-23T07:45:25.000Z", "description": "Kovter SHA1 - Xchecked via VT: c3f3ecf24b6d39b0e4ff51af31002f3d37677476", "pattern": "[file:hashes.SHA256 = 'cd7a7ef59534293d8f059fef4ebd2cacf5dc3f598c2a34ae1bf9b952f9b022a0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-07-23T07:45:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57932095-ad7c-4efc-ba28-407d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:45:25.000Z", "modified": "2016-07-23T07:45:25.000Z", "description": "Kovter SHA1 - Xchecked 
via VT: c3f3ecf24b6d39b0e4ff51af31002f3d37677476", "pattern": "[file:hashes.MD5 = '7df17844ee9f36c35629c54646953445']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-07-23T07:45:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57932095-6dc8-42f4-b071-400e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:45:25.000Z", "modified": "2016-07-23T07:45:25.000Z", "first_observed": "2016-07-23T07:45:25Z", "last_observed": "2016-07-23T07:45:25Z", "number_observed": 1, "object_refs": [ "url--57932095-6dc8-42f4-b071-400e02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57932095-6dc8-42f4-b071-400e02de0b81", "value": "https://www.virustotal.com/file/cd7a7ef59534293d8f059fef4ebd2cacf5dc3f598c2a34ae1bf9b952f9b022a0/analysis/1468240910/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57932096-c044-4f67-a760-485a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:45:26.000Z", "modified": "2016-07-23T07:45:26.000Z", "description": "Kovter SHA1 - Xchecked via VT: 3689ff2ef2aceb9dc0877b38edf5cb4e1bd86f39", "pattern": "[file:hashes.SHA256 = '3bc1d770a7ecc99c014739e7db3b0ed6cf8f0063e593e0f501df701c85ce6e22']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-07-23T07:45:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57932096-bfe4-4010-8f08-43ec02de0b81", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:45:26.000Z", "modified": "2016-07-23T07:45:26.000Z", "description": "Kovter SHA1 - Xchecked via VT: 3689ff2ef2aceb9dc0877b38edf5cb4e1bd86f39", "pattern": "[file:hashes.MD5 = '4167da9574e5e334205f5be8b9181aab']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-07-23T07:45:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57932096-7a0c-4d72-a7cd-482e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:45:26.000Z", "modified": "2016-07-23T07:45:26.000Z", "first_observed": "2016-07-23T07:45:26Z", "last_observed": "2016-07-23T07:45:26Z", "number_observed": 1, "object_refs": [ "url--57932096-7a0c-4d72-a7cd-482e02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57932096-7a0c-4d72-a7cd-482e02de0b81", "value": "https://www.virustotal.com/file/3bc1d770a7ecc99c014739e7db3b0ed6cf8f0063e593e0f501df701c85ce6e22/analysis/1466283391/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57932096-2970-4903-bf44-4c3a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:45:26.000Z", "modified": "2016-07-23T07:45:26.000Z", "description": "Kovter SHA1 - Xchecked via VT: c49febe1e240e47364a649b4cd19e37bb14534d0", "pattern": "[file:hashes.SHA256 = '45b2ceb2ed61d75156a001d7c1aa64f5d3f71c188c433c085f2d2383543d24bf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-07-23T07:45:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload 
delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57932096-32a4-433b-a558-4f1d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:45:26.000Z", "modified": "2016-07-23T07:45:26.000Z", "description": "Kovter SHA1 - Xchecked via VT: c49febe1e240e47364a649b4cd19e37bb14534d0", "pattern": "[file:hashes.MD5 = '5d908526f1a84e96ce00f5bb1e093ede']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-07-23T07:45:26Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57932097-6b24-4988-9716-48c302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:45:27.000Z", "modified": "2016-07-23T07:45:27.000Z", "first_observed": "2016-07-23T07:45:27Z", "last_observed": "2016-07-23T07:45:27Z", "number_observed": 1, "object_refs": [ "url--57932097-6b24-4988-9716-48c302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57932097-6b24-4988-9716-48c302de0b81", "value": "https://www.virustotal.com/file/45b2ceb2ed61d75156a001d7c1aa64f5d3f71c188c433c085f2d2383543d24bf/analysis/1463744476/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57932097-ef18-48e3-ae1c-48ff02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:45:27.000Z", "modified": "2016-07-23T07:45:27.000Z", "description": "Kovter SHA1 - Xchecked via VT: e428de0899cb13de47ac16618a53c5831337c5e6", "pattern": "[file:hashes.SHA256 = '744c3eba00f668e5e766ff6268b73c419b204fc51fe48fd1f75359c528d5681b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-07-23T07:45:27Z", 
"kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57932097-bf8c-48cd-b559-4a7302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:45:27.000Z", "modified": "2016-07-23T07:45:27.000Z", "description": "Kovter SHA1 - Xchecked via VT: e428de0899cb13de47ac16618a53c5831337c5e6", "pattern": "[file:hashes.MD5 = '1885e38dce5d58cf8e7436256e019065']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-07-23T07:45:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57932097-2e98-428f-9354-4e4c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:45:27.000Z", "modified": "2016-07-23T07:45:27.000Z", "first_observed": "2016-07-23T07:45:27Z", "last_observed": "2016-07-23T07:45:27Z", "number_observed": 1, "object_refs": [ "url--57932097-2e98-428f-9354-4e4c02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57932097-2e98-428f-9354-4e4c02de0b81", "value": "https://www.virustotal.com/file/744c3eba00f668e5e766ff6268b73c419b204fc51fe48fd1f75359c528d5681b/analysis/1464087978/" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--579320af-d86c-4d75-bf38-42de02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:45:51.000Z", "modified": "2016-07-23T07:45:51.000Z", "first_observed": "2016-07-23T07:45:51Z", "last_observed": "2016-07-23T07:45:51Z", "number_observed": 1, 
"object_refs": [ "url--579320af-d86c-4d75-bf38-42de02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--579320af-d86c-4d75-bf38-42de02de0b81", "value": "https://blogs.technet.microsoft.com/mmpc/2016/07/22/kovter-becomes-almost-file-less-creates-a-new-file-type-and-gets-some-new-certificates/" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--579320ce-a6bc-4bbc-8cf4-4d2902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:46:22.000Z", "modified": "2016-07-23T07:46:22.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "Trojan:Win32/Kovter is a well-known click-fraud malware which is challenging to detect and remove because of its file-less persistence on infected PCs. In this blog, we will share some technical details about the latest changes we have seen in Kovter\u2019s persistence method and some updates on their latest malvertising campaigns.\r\n\r\nNew persistence method\r\nSince June 2016, Kovter has changed their persistence method to make remediation harder for antivirus software." }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5793210a-2368-429a-992f-431f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-07-23T07:47:22.000Z", "modified": "2016-07-23T07:47:22.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"Antivirus detection\"" ], "x_misp_category": "Antivirus detection", "x_misp_type": "text", "x_misp_value": "Trojan:Win32/Kovter" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }