{ "type": "bundle", "id": "bundle--57c405cd-ab54-47b8-9eff-7a52950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-16T21:13:55.000Z", "modified": "2017-06-16T21:13:55.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--57c405cd-ab54-47b8-9eff-7a52950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-06-16T21:13:55.000Z", "modified": "2017-06-16T21:13:55.000Z", "name": "OSINT - Dridex Returns To Action For Smaller, More Targeted Attacks", "published": "2017-06-16T21:14:04Z", "object_refs": [ "observed-data--57c405f9-fe0c-40ed-9b92-800f950d210f", "url--57c405f9-fe0c-40ed-9b92-800f950d210f", "x-misp-attribute--57c4060f-fbec-432b-8d84-800e950d210f", "indicator--57c406c0-cb60-4bc4-aacb-800e950d210f", "indicator--57c406c0-5820-4b47-b716-800e950d210f", "indicator--57c406c0-fd78-438a-9502-800e950d210f", "indicator--57c406c0-3898-46c6-abfd-800e950d210f", "indicator--57c406c1-c66c-4933-b0f0-800e950d210f", "indicator--57c406c2-8ad4-4ae5-95d1-800e950d210f", "indicator--57c406c2-d160-4c6c-a9ff-800e950d210f", "indicator--57c406c2-fcb4-4a0f-8a18-800e950d210f", "indicator--57c406c3-d550-4216-a10c-800e950d210f", "indicator--57c406c3-7aac-4786-8508-800e950d210f", "indicator--57c406c3-0004-4083-ab33-800e950d210f", "x-misp-attribute--57c406f4-914c-4f8a-bf4b-7a58950d210f", "x-misp-attribute--57c40714-8904-4705-8609-8ac9950d210f", "observed-data--57c40730-30cc-42d6-809e-8aca950d210f", "url--57c40730-30cc-42d6-809e-8aca950d210f", "indicator--57c4076e-0bb4-45d7-89d4-7a5102de0b81", "indicator--57c4076e-0bcc-458c-b1ec-7a5102de0b81", "observed-data--57c4076e-dc1c-4fb6-8cb0-7a5102de0b81", "url--57c4076e-dc1c-4fb6-8cb0-7a5102de0b81", "indicator--57c4076f-05e4-4b12-9725-7a5102de0b81", "indicator--57c4076f-1da4-4c89-ac85-7a5102de0b81", "observed-data--57c4076f-43f4-4dba-8473-7a5102de0b81", 
"url--57c4076f-43f4-4dba-8473-7a5102de0b81", "indicator--57c4076f-c114-4aee-86b6-7a5102de0b81", "indicator--57c40770-51e4-4454-9097-7a5102de0b81", "observed-data--57c40770-ca40-4836-bea3-7a5102de0b81", "url--57c40770-ca40-4836-bea3-7a5102de0b81", "indicator--57c40771-2eac-4b02-849f-7a5102de0b81", "indicator--57c40771-731c-4fa8-a4f2-7a5102de0b81", "observed-data--57c40771-38a8-4b85-ba46-7a5102de0b81", "url--57c40771-38a8-4b85-ba46-7a5102de0b81", "indicator--57c40771-9430-4687-bddd-7a5102de0b81", "indicator--57c40772-a618-4472-8d3e-7a5102de0b81", "observed-data--57c40772-ea1c-4941-a9eb-7a5102de0b81", "url--57c40772-ea1c-4941-a9eb-7a5102de0b81", "indicator--57c40772-e9b0-4f2a-ae55-7a5102de0b81", "indicator--57c40772-48e0-4f43-bf9f-7a5102de0b81", "observed-data--57c40773-bc68-460c-aff9-7a5102de0b81", "url--57c40773-bc68-460c-aff9-7a5102de0b81", "indicator--57c40773-62d0-47a3-80dc-7a5102de0b81", "indicator--57c40774-2914-4485-8441-7a5102de0b81", "observed-data--57c40774-8b28-49e0-9519-7a5102de0b81", "url--57c40774-8b28-49e0-9519-7a5102de0b81", "indicator--57c40775-c9e4-42d9-b7da-7a5102de0b81", "indicator--57c40775-da1c-470f-9cf8-7a5102de0b81", "observed-data--57c40775-ed24-4616-b20f-7a5102de0b81", "url--57c40775-ed24-4616-b20f-7a5102de0b81", "indicator--57c40776-4d88-4efb-9eb3-7a5102de0b81", "indicator--57c40776-3c6c-4746-9439-7a5102de0b81", "observed-data--57c40777-54f8-4870-b385-7a5102de0b81", "url--57c40777-54f8-4870-b385-7a5102de0b81", "indicator--57c40777-45a0-4150-b8e4-7a5102de0b81", "indicator--57c40778-09ec-4e47-9c47-7a5102de0b81", "observed-data--57c40779-fd00-407c-8951-7a5102de0b81", "url--57c40779-fd00-407c-8951-7a5102de0b81", "indicator--57c40779-48e0-4c1a-9091-7a5102de0b81", "indicator--57c4077a-c778-43bc-a0ba-7a5102de0b81", "observed-data--57c4077a-7bbc-4d8a-83fa-7a5102de0b81", "url--57c4077a-7bbc-4d8a-83fa-7a5102de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "circl:topic=\"finance\"", 
"circl:incident-classification=\"malware\"", "type:OSINT", "misp-galaxy:tool=\"Dridex\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57c405f9-fe0c-40ed-9b92-800f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:52:57.000Z", "modified": "2016-08-29T09:52:57.000Z", "first_observed": "2016-08-29T09:52:57Z", "last_observed": "2016-08-29T09:52:57Z", "number_observed": 1, "object_refs": [ "url--57c405f9-fe0c-40ed-9b92-800f950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57c405f9-fe0c-40ed-9b92-800f950d210f", "value": "https://www.proofpoint.com/us/threat-insight/post/Dridex-returns-to-action-for-smaller-more-targeted-attacks" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--57c4060f-fbec-432b-8d84-800e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:53:19.000Z", "modified": "2016-08-29T09:53:19.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "Since it was first detected in November 2014, Dridex has been one of the most prolific pieces of malware worldwide. Even when the actors behind distribution of Dridex began distributing Locky ransomware in February, 2016, they would often switch between the two payloads or distribute them simultaneously. More recently, though, Dridex email message volumes have dropped to a relative trickle, and a new geography of interest, Switzerland, has emerged. 
The much lower volume suggests a higher degree of targeting, freeing the actors to pursue more lucrative attacks and leverage stolen information more effectively.\r\n\r\nIn this post we\u2019ll investigate the recent Dridex campaigns, including their message volumes and targeting, and provide possible reasons for changes in the mode of operation." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c406c0-cb60-4bc4-aacb-800e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:56:16.000Z", "modified": "2016-08-29T09:56:16.000Z", "description": "June 29 Dridex 38923 document \u201c[name].doc\u201d", "pattern": "[file:hashes.SHA256 = '313e2282bffcd2df612404c7ab6e7e913495c13b6f3011c1a2739e289b5451b6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T09:56:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c406c0-5820-4b47-b716-800e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:56:16.000Z", "modified": "2016-08-29T09:56:16.000Z", "description": "July 15 Dridex 124 document \u201c1666.docm\u201d", "pattern": "[file:hashes.SHA256 = '1fe24808cabd3fa69e58824a58a1e302ce677362603d4f26240cff7c145421b5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T09:56:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c406c0-fd78-438a-9502-800e950d210f", "created_by_ref": 
"identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:56:16.000Z", "modified": "2016-08-29T09:56:16.000Z", "description": "August 11 Dridex 144 document \u201crechnung11aug.docm\u201d", "pattern": "[file:hashes.SHA256 = '1a6859d265b94a2109d690999f62fdbadd8cb1894205e2e1b260a9f3bdcd8639']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T09:56:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c406c0-3898-46c6-abfd-800e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:56:16.000Z", "modified": "2016-08-29T09:56:16.000Z", "description": "August 15/16 Dridex 228 document \u201cOrd191878.docm\u201d", "pattern": "[file:hashes.SHA256 = '026b724fe9d07d47f8fcdf02f7e1072a74bc518e415430a2c23881fb179b4a99']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T09:56:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c406c1-c66c-4933-b0f0-800e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:56:17.000Z", "modified": "2016-08-29T09:56:17.000Z", "description": "Dridex 38923 Loader", "pattern": "[file:hashes.SHA256 = '10cf55031c31f8a615b93cec9d3675b6af2fb7d9aa4ef5163723b55e43b9a9f4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T09:56:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", 
"misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c406c2-8ad4-4ae5-95d1-800e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:56:18.000Z", "modified": "2016-08-29T09:56:18.000Z", "description": "Dridex 124 Loader", "pattern": "[file:hashes.SHA256 = '207b4ae38b3a5c51614aacd6b9d09bff242b23fab777446e9f752eefde57bac8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T09:56:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c406c2-d160-4c6c-a9ff-800e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:56:18.000Z", "modified": "2016-08-29T09:56:18.000Z", "description": "Dridex 144 Loader", "pattern": "[file:hashes.SHA256 = '75717e7acf4f41de953e0c6f57986844bc21dcda546d5a37371ad8d5a7952782']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T09:56:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c406c2-fcb4-4a0f-8a18-800e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:56:18.000Z", "modified": "2016-08-29T09:56:18.000Z", "description": "Dridex 228 Loader", "pattern": "[file:hashes.SHA256 = '160c95261abba3e71c52195251db075ed922acdf010aa85fef1760e8fa198bd8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T09:56:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } 
], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c406c3-d550-4216-a10c-800e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:56:19.000Z", "modified": "2016-08-29T09:56:19.000Z", "description": "Dridex 1124 Loader", "pattern": "[file:hashes.SHA256 = 'bcaa57c93dc973aabd419b65dcdc4e9ae68bcae5ddfe920070cc2b2ae9dbaf3f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T09:56:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c406c3-7aac-4786-8508-800e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:56:19.000Z", "modified": "2016-08-29T09:56:19.000Z", "description": "Dridex 302 Loader", "pattern": "[file:hashes.SHA256 = '2d9c2edc8d1cfb2b5691b0f6a938d17d5adf1e7797ab401dfa12bd29df79af44']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T09:56:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c406c3-0004-4083-ab33-800e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:56:19.000Z", "modified": "2016-08-29T09:56:19.000Z", "description": "Dridex 1024 dropped by Neutrino", "pattern": "[file:hashes.SHA256 = 'fc39a8ef9567ce977215b8699762843d4f8a98504d9495bf9f8edad0a60b5fcb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T09:56:19Z", "kill_chain_phases": [ { "kill_chain_name": 
"misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--57c406f4-914c-4f8a-bf4b-7a58950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:57:08.000Z", "modified": "2016-08-29T09:57:08.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"Targeting data\"" ], "x_misp_category": "Targeting data", "x_misp_comment": "Appendix A: Applications Targeted by Dridex 228 on August 16, 2016", "x_misp_type": "comment", "x_misp_value": "crealogix | multiversa | abacus | ebics | agro-office | cashcomm | softcrew | coconet | macrogram | mammut | omikron | multicash | quatersoft | alphasys | wineur | epsitec | myaccessweb | bellin | financesuite | moneta | softcash | trinity | financesuite | abrantix | starmoney | sfirm | migrosbank | migros bank | online banking | star money | multibit | bitgo | bither | blockchain | copay | msigna | armory | electrum | coinbase | magnr | keepkey | coinsbank | coolwallet | bitoex | xapo | changetip | coinapult | blocktrail | breadwallet | luxstack | airbitz | schildbach | ledger nano | mycelium | trezor | coinomi | bitcore | WinBacs | albacs | Albany.EFT.Corporate.Client | wpc | eSigner | StartStarMoney | StarMoney | acsagent | accrdsub | acevents | acCOMpkcs | jp2launcher | sllauncher | cspregtool | RegisterTool | OEBMCC32 | sfirm | Bbm24win | wip | paypen | mammut_tb | telelink | translink | deltaworks | dfsvc | bitcoin-qt | multibit | BacscomIP2 | runclient | paycentre | accesspay | PaymentStudio | DiasClient | SynIntegrationClient | QuestLauncher | RemoteAdminServer | SymForm2App | plink | launch | PaygateWpfClient | terminal | Telelink | EBsec | ftrskr | Suite Entreprise | rbpmain2 | rbpmain | tkc | ecbl-nxbp | sagedirect | turbo_teletransmission | cedripack | cedrisend | QikDesktop | QikDesktopCitrix | 
ConfigurationEditor | InteractFastConfig | otscm-client | ecb-sg | crs1 | GbpSV | pstw32 | MopaMaes | ldcptv10 | gslshmsrvc | launcher | tokensharesrv | universe | ifrun60 | roiwin31 | guawin32 | intwin31 | kb_pcb | spawin31 | cziwin31 | czawin31 | sta2gpc | etsr | tellerlauncher | prowin32 | dirclt32 | PLT1751 | PLT1151 | cegidebics | CCS3 | CCMPS3 | ComSX | keepass | c_agent | transac | relaisbtp | telebanking | ewallet | mstsc | cardentry | TPComplianceManager | TPWorkstation | BancLine 2.0 | MS000000 | BancLine 3.0 | BancLine 4.0 | BancLine 5.0 | SFW | ptw1151 | fedcomp | sfmain | VRNetWorld | KDS | Kasir | ICS | mpkds | pspooler | ipspool | POS-CFG | callerIdserver | EftTray | dpseftxc | EFTSERV | QBPOS | APRINT6 | POSCONFG | jRestaurant | AFR38 | rmpos | roi | AxUpdatePortal | Firefly | InitEpp | SM22 | xfsExplorer | XFSSimulator | WosaXFSTest | kiosk | CRE2004 | aspnet_wp | javav | XChrgSrv | rpccEngine | PTService | Rpro8 | UTG2Svc | Active-Charge | javaw | DDCDSRV1 | alohaedc | dbstpssvc | XPS | Transnet | posw | NCRLoader | PSTTransfer | TSTSolutions | wndaudit | TSTAdmin | TellerDR | merapplauncher | contact manager | goldtllr32 | goldtrakpc | farm42phyton | fx4cash | bpcssm | vp-ebanking | LLB Online Banking | efix | iberclear | AMBCN | SGO | SQLpnr | vmware-view | banktelapk | SynJhaIntService | uniservice | client32 | CanaraCustMaintenance | legaclt | pcsfe | pcscmenu | cwbtf | srvview | pcsmc2vb | cwb3uic | trcgui | cwbsvstr | rtopcb | cwbujcnv | cwbujbld | cwbuisxe | pcsws | cwbsvd | cwblog | cwbdsk | securID | jhaintexec | appupdate | SGNavigatorApp | dbr | WINTRV | bsaadmin | encompass | eautomate | link | adminconsole | commandclientplugin | commandclientplugin_gui | mfmanager | verex director-server manager | verex director-communication manager | notes | nlnotes | notes2 | sacmonitor | netterm | fspnet | bridgerinside | cardserver | si | dais.ebank.client.offlineclient | BGFWIN31 | BGDWIN31 | BGXWIN31 | bocusertool | CLXReader | UBSPay | 
Migros_Bank_E-Banking | Bank linth Online Banking | java | abastart | abamenu | abajvm | sage200.finanz.gui | vpxclient | htmlshell | mmc | e3K.Main | QOPT | cresus | wineur | abaeb | efinance | GestionPE | BCN-Netkey | Sage 30 | ISL_light_client | msaccess | proffix.v4 | pxShowThread" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--57c40714-8904-4705-8609-8ac9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:57:40.000Z", "modified": "2016-08-29T09:57:40.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"Targeting data\"" ], "x_misp_category": "Targeting data", "x_misp_comment": "Appendix B: Applications Targeted by Dridex 120 in July 2015", "x_misp_type": "comment", "x_misp_value": "Uniface | bankline | Aptos | Hyposwiss | episys quest | bancline | tellerplus | ACE Software Solutions | ACI Worldwide | Alliance Enterprise | Bottomline Technologies | Broadridge | China Systems | CMA Small Systems | Clear2Pay | Adaptor Payments | Decillion Group | EastNets | Infosys | Flexcube | ECS Financials | FircoSoft | Fiserv | Kyriba | Premium Technology | Smartstream Technologies | Sopra Banking | Surecomp | Tieto Payment | TONBELLER | Wall Street Systems | Western Union | MoneyGram | Unistream | Direct Link | Abacus | agro-twin | coconet | crealogix | macrogram | mammut soft | omikron | quatersoft | experian payment gateway | softcrew | WinBacs | albacs | Albany.EFT.Corporate.Client | wpc | eSigner | StartStarMoney | StarMoney | acsagent | accrdsub | acevents | acCOMpkcs | ac.sharedstore | jp2launcher+ | sllauncher | cspregtool | RegisterTool | OEBMCC32 | sfirm | Bbm24win | wip | paypen | mammut_tb | telelink | translink | deltaworks | dfsvc | bitcoin-qt | multibit | BacscomIP2 | runclient | paycentre | accesspay | PaymentStudio | DiasClient | SynIntegrationClient | QuestLauncher | RemoteAdminServer | SymForm2App | plink | launch | PaygateWpfClient | terminal | Telelink | EBsec | 
ftrskr | Suite | Entreprise | rbpmain2 | rbpmain | tkc | ecbl-nxbp | sagedirect | turbo_teletransmission | cedripack | cedrisend | QikDesktop | QikDesktopCitrix | ConfigurationEditor | InteractFastConfig | javaw | otscm-client+ | ecb-sg | crs1 | GbpSV | pstw32 | MopaMaes | ldcptv10 | gslshmsrvc | launcher | tokensharesrv | sage" }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57c40730-30cc-42d6-809e-8aca950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:58:08.000Z", "modified": "2016-08-29T09:58:08.000Z", "first_observed": "2016-08-29T09:58:08Z", "last_observed": "2016-08-29T09:58:08Z", "number_observed": 1, "object_refs": [ "url--57c40730-30cc-42d6-809e-8aca950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57c40730-30cc-42d6-809e-8aca950d210f", "value": "https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/offline-payment-software.html" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c4076e-0bb4-45d7-89d4-7a5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:59:10.000Z", "modified": "2016-08-29T09:59:10.000Z", "description": "Dridex 1024 dropped by Neutrino - Xchecked via VT: fc39a8ef9567ce977215b8699762843d4f8a98504d9495bf9f8edad0a60b5fcb", "pattern": "[file:hashes.SHA1 = '6207bb1f208867a3b357c64e635993cc4ee01c7b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T09:59:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c4076e-0bcc-458c-b1ec-7a5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:59:10.000Z", 
"modified": "2016-08-29T09:59:10.000Z", "description": "Dridex 1024 dropped by Neutrino - Xchecked via VT: fc39a8ef9567ce977215b8699762843d4f8a98504d9495bf9f8edad0a60b5fcb", "pattern": "[file:hashes.MD5 = '87f8402f0e46fcb929e175f3a722a202']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T09:59:10Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57c4076e-dc1c-4fb6-8cb0-7a5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:59:10.000Z", "modified": "2016-08-29T09:59:10.000Z", "first_observed": "2016-08-29T09:59:10Z", "last_observed": "2016-08-29T09:59:10Z", "number_observed": 1, "object_refs": [ "url--57c4076e-dc1c-4fb6-8cb0-7a5102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57c4076e-dc1c-4fb6-8cb0-7a5102de0b81", "value": "https://www.virustotal.com/file/fc39a8ef9567ce977215b8699762843d4f8a98504d9495bf9f8edad0a60b5fcb/analysis/1471591636/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c4076f-05e4-4b12-9725-7a5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:59:11.000Z", "modified": "2016-08-29T09:59:11.000Z", "description": "Dridex 302 Loader - Xchecked via VT: 2d9c2edc8d1cfb2b5691b0f6a938d17d5adf1e7797ab401dfa12bd29df79af44", "pattern": "[file:hashes.SHA1 = '39b2aa526c79e263b77daf93c2426e96b61427ac']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T09:59:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { 
"type": "indicator", "spec_version": "2.1", "id": "indicator--57c4076f-1da4-4c89-ac85-7a5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:59:11.000Z", "modified": "2016-08-29T09:59:11.000Z", "description": "Dridex 302 Loader - Xchecked via VT: 2d9c2edc8d1cfb2b5691b0f6a938d17d5adf1e7797ab401dfa12bd29df79af44", "pattern": "[file:hashes.MD5 = 'd4c3e289e5c2240b4bc06e344be6e5b6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T09:59:11Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57c4076f-43f4-4dba-8473-7a5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:59:11.000Z", "modified": "2016-08-29T09:59:11.000Z", "first_observed": "2016-08-29T09:59:11Z", "last_observed": "2016-08-29T09:59:11Z", "number_observed": 1, "object_refs": [ "url--57c4076f-43f4-4dba-8473-7a5102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57c4076f-43f4-4dba-8473-7a5102de0b81", "value": "https://www.virustotal.com/file/2d9c2edc8d1cfb2b5691b0f6a938d17d5adf1e7797ab401dfa12bd29df79af44/analysis/1471129011/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c4076f-c114-4aee-86b6-7a5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:59:11.000Z", "modified": "2016-08-29T09:59:11.000Z", "description": "Dridex 1124 Loader - Xchecked via VT: bcaa57c93dc973aabd419b65dcdc4e9ae68bcae5ddfe920070cc2b2ae9dbaf3f", "pattern": "[file:hashes.SHA1 = 'f16fb1512e40ab115fb26ad5e516cd3660d903d7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T09:59:11Z", 
"kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c40770-51e4-4454-9097-7a5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:59:12.000Z", "modified": "2016-08-29T09:59:12.000Z", "description": "Dridex 1124 Loader - Xchecked via VT: bcaa57c93dc973aabd419b65dcdc4e9ae68bcae5ddfe920070cc2b2ae9dbaf3f", "pattern": "[file:hashes.MD5 = '5a5dfe4ec70529af9f937f58399410cf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T09:59:12Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57c40770-ca40-4836-bea3-7a5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:59:12.000Z", "modified": "2016-08-29T09:59:12.000Z", "first_observed": "2016-08-29T09:59:12Z", "last_observed": "2016-08-29T09:59:12Z", "number_observed": 1, "object_refs": [ "url--57c40770-ca40-4836-bea3-7a5102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57c40770-ca40-4836-bea3-7a5102de0b81", "value": "https://www.virustotal.com/file/bcaa57c93dc973aabd419b65dcdc4e9ae68bcae5ddfe920070cc2b2ae9dbaf3f/analysis/1472443888/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c40771-2eac-4b02-849f-7a5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:59:13.000Z", "modified": "2016-08-29T09:59:13.000Z", "description": "Dridex 228 Loader - Xchecked via VT: 
160c95261abba3e71c52195251db075ed922acdf010aa85fef1760e8fa198bd8", "pattern": "[file:hashes.SHA1 = 'e682a268c7807fa3d4a5c7b0244a2f44663aadfc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T09:59:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c40771-731c-4fa8-a4f2-7a5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:59:13.000Z", "modified": "2016-08-29T09:59:13.000Z", "description": "Dridex 228 Loader - Xchecked via VT: 160c95261abba3e71c52195251db075ed922acdf010aa85fef1760e8fa198bd8", "pattern": "[file:hashes.MD5 = '08f44a4d709f1a16a1a99598e6038960']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T09:59:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57c40771-38a8-4b85-ba46-7a5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:59:13.000Z", "modified": "2016-08-29T09:59:13.000Z", "first_observed": "2016-08-29T09:59:13Z", "last_observed": "2016-08-29T09:59:13Z", "number_observed": 1, "object_refs": [ "url--57c40771-38a8-4b85-ba46-7a5102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57c40771-38a8-4b85-ba46-7a5102de0b81", "value": "https://www.virustotal.com/file/160c95261abba3e71c52195251db075ed922acdf010aa85fef1760e8fa198bd8/analysis/1472283781/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c40771-9430-4687-bddd-7a5102de0b81", 
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:59:13.000Z", "modified": "2016-08-29T09:59:13.000Z", "description": "Dridex 144 Loader - Xchecked via VT: 75717e7acf4f41de953e0c6f57986844bc21dcda546d5a37371ad8d5a7952782", "pattern": "[file:hashes.SHA1 = 'ae99800e25d331403995c08fbbeef47a659ab804']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T09:59:13Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c40772-a618-4472-8d3e-7a5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:59:14.000Z", "modified": "2016-08-29T09:59:14.000Z", "description": "Dridex 144 Loader - Xchecked via VT: 75717e7acf4f41de953e0c6f57986844bc21dcda546d5a37371ad8d5a7952782", "pattern": "[file:hashes.MD5 = 'd58ec78a177b82da975f2a42edfcdbad']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T09:59:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57c40772-ea1c-4941-a9eb-7a5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:59:14.000Z", "modified": "2016-08-29T09:59:14.000Z", "first_observed": "2016-08-29T09:59:14Z", "last_observed": "2016-08-29T09:59:14Z", "number_observed": 1, "object_refs": [ "url--57c40772-ea1c-4941-a9eb-7a5102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57c40772-ea1c-4941-a9eb-7a5102de0b81", "value": 
"https://www.virustotal.com/file/75717e7acf4f41de953e0c6f57986844bc21dcda546d5a37371ad8d5a7952782/analysis/1471678904/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c40772-e9b0-4f2a-ae55-7a5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:59:14.000Z", "modified": "2016-08-29T09:59:14.000Z", "description": "Dridex 124 Loader - Xchecked via VT: 207b4ae38b3a5c51614aacd6b9d09bff242b23fab777446e9f752eefde57bac8", "pattern": "[file:hashes.SHA1 = '4af210a9c7c7c5d62dfac90de213c559bd04295c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T09:59:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c40772-48e0-4f43-bf9f-7a5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:59:14.000Z", "modified": "2016-08-29T09:59:14.000Z", "description": "Dridex 124 Loader - Xchecked via VT: 207b4ae38b3a5c51614aacd6b9d09bff242b23fab777446e9f752eefde57bac8", "pattern": "[file:hashes.MD5 = '52faad132ecc0a103d368640db9274b7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T09:59:14Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57c40773-bc68-460c-aff9-7a5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:59:15.000Z", "modified": "2016-08-29T09:59:15.000Z", "first_observed": "2016-08-29T09:59:15Z", "last_observed": "2016-08-29T09:59:15Z", "number_observed": 1, "object_refs": [ 
"url--57c40773-bc68-460c-aff9-7a5102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57c40773-bc68-460c-aff9-7a5102de0b81", "value": "https://www.virustotal.com/file/207b4ae38b3a5c51614aacd6b9d09bff242b23fab777446e9f752eefde57bac8/analysis/1470206023/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c40773-62d0-47a3-80dc-7a5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:59:15.000Z", "modified": "2016-08-29T09:59:15.000Z", "description": "Dridex 38923 Loader - Xchecked via VT: 10cf55031c31f8a615b93cec9d3675b6af2fb7d9aa4ef5163723b55e43b9a9f4", "pattern": "[file:hashes.SHA1 = '8dda6643074fc4c08e621b06a4b9ba2b02307462']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T09:59:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c40774-2914-4485-8441-7a5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:59:16.000Z", "modified": "2016-08-29T09:59:16.000Z", "description": "Dridex 38923 Loader - Xchecked via VT: 10cf55031c31f8a615b93cec9d3675b6af2fb7d9aa4ef5163723b55e43b9a9f4", "pattern": "[file:hashes.MD5 = 'b8946d3329e56a3f3e52547aac913e8e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T09:59:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57c40774-8b28-49e0-9519-7a5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", 
"created": "2016-08-29T09:59:16.000Z", "modified": "2016-08-29T09:59:16.000Z", "first_observed": "2016-08-29T09:59:16Z", "last_observed": "2016-08-29T09:59:16Z", "number_observed": 1, "object_refs": [ "url--57c40774-8b28-49e0-9519-7a5102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57c40774-8b28-49e0-9519-7a5102de0b81", "value": "https://www.virustotal.com/file/10cf55031c31f8a615b93cec9d3675b6af2fb7d9aa4ef5163723b55e43b9a9f4/analysis/1469142637/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c40775-c9e4-42d9-b7da-7a5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:59:17.000Z", "modified": "2016-08-29T09:59:17.000Z", "description": "August 15/16 Dridex 228 document \u201cOrd191878.docm\u201d - Xchecked via VT: 026b724fe9d07d47f8fcdf02f7e1072a74bc518e415430a2c23881fb179b4a99", "pattern": "[file:hashes.SHA1 = '880d6e1db2928dacf3977595507a0b8441e18778']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T09:59:17Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c40775-da1c-470f-9cf8-7a5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:59:17.000Z", "modified": "2016-08-29T09:59:17.000Z", "description": "August 15/16 Dridex 228 document \u201cOrd191878.docm\u201d - Xchecked via VT: 026b724fe9d07d47f8fcdf02f7e1072a74bc518e415430a2c23881fb179b4a99", "pattern": "[file:hashes.MD5 = 'd0f9189af92bf014d2c3d1384806079b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T09:59:17Z", "kill_chain_phases": [ { "kill_chain_name": 
"misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57c40775-ed24-4616-b20f-7a5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:59:17.000Z", "modified": "2016-08-29T09:59:17.000Z", "first_observed": "2016-08-29T09:59:17Z", "last_observed": "2016-08-29T09:59:17Z", "number_observed": 1, "object_refs": [ "url--57c40775-ed24-4616-b20f-7a5102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57c40775-ed24-4616-b20f-7a5102de0b81", "value": "https://www.virustotal.com/file/026b724fe9d07d47f8fcdf02f7e1072a74bc518e415430a2c23881fb179b4a99/analysis/1471302720/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c40776-4d88-4efb-9eb3-7a5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:59:18.000Z", "modified": "2016-08-29T09:59:18.000Z", "description": "August 11 Dridex 144 document \u201crechnung11aug.docm\u201d - Xchecked via VT: 1a6859d265b94a2109d690999f62fdbadd8cb1894205e2e1b260a9f3bdcd8639", "pattern": "[file:hashes.SHA1 = '05e3a7ee1df443b75ec8106a7ef857ddeb299ac5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T09:59:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c40776-3c6c-4746-9439-7a5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:59:18.000Z", "modified": "2016-08-29T09:59:18.000Z", "description": "August 11 Dridex 144 document 
\u201crechnung11aug.docm\u201d - Xchecked via VT: 1a6859d265b94a2109d690999f62fdbadd8cb1894205e2e1b260a9f3bdcd8639", "pattern": "[file:hashes.MD5 = '5e89753e6a7e1cb8f18004aaa4c47374']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T09:59:18Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57c40777-54f8-4870-b385-7a5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:59:19.000Z", "modified": "2016-08-29T09:59:19.000Z", "first_observed": "2016-08-29T09:59:19Z", "last_observed": "2016-08-29T09:59:19Z", "number_observed": 1, "object_refs": [ "url--57c40777-54f8-4870-b385-7a5102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57c40777-54f8-4870-b385-7a5102de0b81", "value": "https://www.virustotal.com/file/1a6859d265b94a2109d690999f62fdbadd8cb1894205e2e1b260a9f3bdcd8639/analysis/1471932146/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c40777-45a0-4150-b8e4-7a5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:59:19.000Z", "modified": "2016-08-29T09:59:19.000Z", "description": "July 15 Dridex 124 document \u201c1666.docm\u201d - Xchecked via VT: 1fe24808cabd3fa69e58824a58a1e302ce677362603d4f26240cff7c145421b5", "pattern": "[file:hashes.SHA1 = 'fcec303b9de6eb89f621ca3d469471a011e84b2f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T09:59:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", 
"misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c40778-09ec-4e47-9c47-7a5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:59:20.000Z", "modified": "2016-08-29T09:59:20.000Z", "description": "July 15 Dridex 124 document \u201c1666.docm\u201d - Xchecked via VT: 1fe24808cabd3fa69e58824a58a1e302ce677362603d4f26240cff7c145421b5", "pattern": "[file:hashes.MD5 = 'bc4b5dbf114c3ad5ba93d966781257fa']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T09:59:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57c40779-fd00-407c-8951-7a5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:59:21.000Z", "modified": "2016-08-29T09:59:21.000Z", "first_observed": "2016-08-29T09:59:21Z", "last_observed": "2016-08-29T09:59:21Z", "number_observed": 1, "object_refs": [ "url--57c40779-fd00-407c-8951-7a5102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57c40779-fd00-407c-8951-7a5102de0b81", "value": "https://www.virustotal.com/file/1fe24808cabd3fa69e58824a58a1e302ce677362603d4f26240cff7c145421b5/analysis/1469347569/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c40779-48e0-4c1a-9091-7a5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:59:21.000Z", "modified": "2016-08-29T09:59:21.000Z", "description": "June 29 Dridex 38923 document \u201c[name].doc\u201d - Xchecked via VT: 313e2282bffcd2df612404c7ab6e7e913495c13b6f3011c1a2739e289b5451b6", "pattern": "[file:hashes.SHA1 = 
'eb78f441a57ffeec110a1cc3d6255043e612e5dd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T09:59:21Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57c4077a-c778-43bc-a0ba-7a5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:59:22.000Z", "modified": "2016-08-29T09:59:22.000Z", "description": "June 29 Dridex 38923 document \u201c[name].doc\u201d - Xchecked via VT: 313e2282bffcd2df612404c7ab6e7e913495c13b6f3011c1a2739e289b5451b6", "pattern": "[file:hashes.MD5 = '6369e4e4ddd8312b52a1c1b4818e463c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-08-29T09:59:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57c4077a-7bbc-4d8a-83fa-7a5102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-08-29T09:59:22.000Z", "modified": "2016-08-29T09:59:22.000Z", "first_observed": "2016-08-29T09:59:22Z", "last_observed": "2016-08-29T09:59:22Z", "number_observed": 1, "object_refs": [ "url--57c4077a-7bbc-4d8a-83fa-7a5102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57c4077a-7bbc-4d8a-83fa-7a5102de0b81", "value": "https://www.virustotal.com/file/313e2282bffcd2df612404c7ab6e7e913495c13b6f3011c1a2739e289b5451b6/analysis/1470643493/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": 
"2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }