{ "type": "bundle", "id": "bundle--57dff9a6-b4b0-4e79-9271-4a10950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-09-19T14:48:50.000Z", "modified": "2016-09-19T14:48:50.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--57dff9a6-b4b0-4e79-9271-4a10950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-09-19T14:48:50.000Z", "modified": "2016-09-19T14:48:50.000Z", "name": "OSINT - Malicious Macros Add Sandbox Evasion Techniques to Distribute New Dridex", "published": "2016-09-19T14:49:42Z", "object_refs": [ "observed-data--57dff9f5-8e50-47cc-a804-4513950d210f", "url--57dff9f5-8e50-47cc-a804-4513950d210f", "x-misp-attribute--57dffa06-a2e0-4cf0-a86e-4f4e950d210f", "indicator--57dffa2d-edc8-443d-8ca8-4bdd950d210f", "indicator--57dffa2e-0ca0-4410-bbdd-448c950d210f", "indicator--57dffa2f-b5e8-41b5-a6ff-41d9950d210f", "indicator--57dffa87-f8a8-452f-babe-4de0950d210f", "indicator--57dffa88-2170-436e-938e-484a950d210f", "indicator--57dffa88-7840-4208-8208-476b950d210f", "indicator--57dffaaf-ff20-46d6-bb8f-49a8950d210f", "indicator--57dffab0-c890-4dbb-9467-4351950d210f", "indicator--57dffab0-39b8-4880-bcc9-472c950d210f", "indicator--57dffad3-d5a8-4a68-880e-4a5d02de0b81", "indicator--57dffad3-efe4-4839-a28d-4b6b02de0b81", "observed-data--57dffad4-d364-4f79-b4e9-453602de0b81", "url--57dffad4-d364-4f79-b4e9-453602de0b81", "indicator--57dffad5-63a4-45ab-a6e0-4af502de0b81", "indicator--57dffad5-2378-4608-b880-457b02de0b81", "observed-data--57dffad6-a830-41f2-adb9-480302de0b81", "url--57dffad6-a830-41f2-adb9-480302de0b81", "indicator--57dffad7-5278-4962-91b7-43a002de0b81", "indicator--57dffad7-ddb8-4af6-846a-457f02de0b81", "observed-data--57dffad8-dae4-4425-bf3b-410202de0b81", "url--57dffad8-dae4-4425-bf3b-410202de0b81", "indicator--57dffad9-de4c-44b7-a374-405102de0b81", "indicator--57dffad9-6b2c-43de-883a-4dbe02de0b81", "observed-data--57dffada-9154-4c95-b067-43ea02de0b81", "url--57dffada-9154-4c95-b067-43ea02de0b81", "indicator--57dffadb-7b64-4794-89dc-452502de0b81", "indicator--57dffadb-5cf0-490d-8b2b-4b6402de0b81", "observed-data--57dffadc-f574-41e3-8413-489f02de0b81", "url--57dffadc-f574-41e3-8413-489f02de0b81", "indicator--57dffadd-6bf0-4f60-957a-422102de0b81", "indicator--57dffadd-5800-46d8-a22a-472c02de0b81", "observed-data--57dffade-be88-4afb-a678-46f702de0b81", "url--57dffade-be88-4afb-a678-46f702de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57dff9f5-8e50-47cc-a804-4513950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-09-19T14:45:09.000Z", "modified": "2016-09-19T14:45:09.000Z", "first_observed": "2016-09-19T14:45:09Z", "last_observed": "2016-09-19T14:45:09Z", "number_observed": 1, "object_refs": [ "url--57dff9f5-8e50-47cc-a804-4513950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57dff9f5-8e50-47cc-a804-4513950d210f", "value": "https://www.proofpoint.com/us/threat-insight/post/malicious-macros-add-to-sandbox-evasion-techniques-to-distribute-new-dridex" }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--57dffa06-a2e0-4cf0-a86e-4f4e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-09-19T14:45:26.000Z", "modified": "2016-09-19T14:45:26.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "This week Proofpoint researchers observed several noteworthy changes in the macros used by an actor we refer to as TA530, who we previously examined in relation to large-scale personalized phishing campaigns [1] [2]. This new campaign included evasive macros, which, while not unusual for this group (earlier versions were analyzed by Mcafee [3] and Checkpoint [4]), demonstrated continued evolution in their latest iteration. Most notably their new macro looks up the public IP address of the client and does not download the payload if it finds that the IP address is associated with a security vendor, certain cloud services, or a sandbox environment.\r\n\r\nThis week, we observed TA530 using their evasive macros to deliver Nymaim, Ursnif, and Dridex 124. The Dridex payload with botnet ID 124 is a previously unseen sub-botnet which is targeting Swiss banking sites, while the Nymaim and Ursnif payloads targeted North America and Australia, respectively." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57dffa2d-edc8-443d-8ca8-4bdd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-09-19T14:46:05.000Z", "modified": "2016-09-19T14:46:05.000Z", "description": "Nymaim Document", "pattern": "[file:hashes.SHA256 = 'a8ae681463b75470be8dc911f0cf7ca01a2eaea87005564263a5bbe38d652369']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-09-19T14:46:05Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57dffa2e-0ca0-4410-bbdd-448c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-09-19T14:46:06.000Z", "modified": "2016-09-19T14:46:06.000Z", "description": "Ursnif Document", "pattern": "[file:hashes.SHA256 = 'f73fcbf4cf9a775d4d4abf53c13a0136a120d5a7e015942a7a43f686f266bf70']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-09-19T14:46:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57dffa2f-b5e8-41b5-a6ff-41d9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-09-19T14:46:07.000Z", "modified": "2016-09-19T14:46:07.000Z", "description": "Dridex Document", "pattern": "[file:hashes.SHA256 = '72acb7dd6bea232c623367a4d3417d0ee7d412d3df5a0287d621716f5a69ab06']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-09-19T14:46:07Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57dffa87-f8a8-452f-babe-4de0950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-09-19T14:47:35.000Z", "modified": "2016-09-19T14:47:35.000Z", "description": "Example Ursnif Download", "pattern": "[url:value = 'http://britcart.com/britstar/office12.data']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-09-19T14:47:35Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57dffa88-2170-436e-938e-484a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-09-19T14:47:36.000Z", "modified": "2016-09-19T14:47:36.000Z", "description": "Example Nymaim Download", "pattern": "[url:value = 'http://arabtradenet.com/info/content.dat']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-09-19T14:47:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57dffa88-7840-4208-8208-476b950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-09-19T14:47:36.000Z", "modified": "2016-09-19T14:47:36.000Z", "description": "Example Dridex Download", "pattern": "[url:value = 'http://onehealthpublishing.com/image/office.gif']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-09-19T14:47:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57dffaaf-ff20-46d6-bb8f-49a8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-09-19T14:48:15.000Z", "modified": "2016-09-19T14:48:15.000Z", "description": "Example Nymaim Payload", "pattern": "[file:hashes.SHA256 = 'f34589058db1a8cdb31c79eec88bd851cf3e2157501760f1c0263523d614d8f9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-09-19T14:48:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57dffab0-c890-4dbb-9467-4351950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-09-19T14:48:16.000Z", "modified": "2016-09-19T14:48:16.000Z", "description": "Example Ursnif Payload", "pattern": "[file:hashes.SHA256 = '6b588ff17412c4a8221521ab70d7d0230c339ed4c5c96c181e4010ba0007e879']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-09-19T14:48:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57dffab0-39b8-4880-bcc9-472c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-09-19T14:48:16.000Z", "modified": "2016-09-19T14:48:16.000Z", "description": "Example Dridex Payload", "pattern": "[file:hashes.SHA256 = '97b1e8282d1ec8f82a83eb3d8a991f494e332e4059b1c9f0d53beda257e21629']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-09-19T14:48:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57dffad3-d5a8-4a68-880e-4a5d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-09-19T14:48:51.000Z", "modified": "2016-09-19T14:48:51.000Z", "description": "Example Dridex Payload - Xchecked via VT: 97b1e8282d1ec8f82a83eb3d8a991f494e332e4059b1c9f0d53beda257e21629", "pattern": "[file:hashes.SHA1 = '50d2d8cceb257b074e37265da537cf493c805210']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-09-19T14:48:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57dffad3-efe4-4839-a28d-4b6b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-09-19T14:48:51.000Z", "modified": "2016-09-19T14:48:51.000Z", "description": "Example Dridex Payload - Xchecked via VT: 97b1e8282d1ec8f82a83eb3d8a991f494e332e4059b1c9f0d53beda257e21629", "pattern": "[file:hashes.MD5 = '59b569b8875fd3847ae0308af85e3440']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-09-19T14:48:51Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57dffad4-d364-4f79-b4e9-453602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-09-19T14:48:52.000Z", "modified": "2016-09-19T14:48:52.000Z", "first_observed": "2016-09-19T14:48:52Z", "last_observed": "2016-09-19T14:48:52Z", "number_observed": 1, "object_refs": [ "url--57dffad4-d364-4f79-b4e9-453602de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57dffad4-d364-4f79-b4e9-453602de0b81", "value": "https://www.virustotal.com/file/97b1e8282d1ec8f82a83eb3d8a991f494e332e4059b1c9f0d53beda257e21629/analysis/1465971238/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57dffad5-63a4-45ab-a6e0-4af502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-09-19T14:48:53.000Z", "modified": "2016-09-19T14:48:53.000Z", "description": "Example Ursnif Payload - Xchecked via VT: 6b588ff17412c4a8221521ab70d7d0230c339ed4c5c96c181e4010ba0007e879", "pattern": "[file:hashes.SHA1 = '61996a309d84daf441cd7a3e71ed45c8fe210824']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-09-19T14:48:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57dffad5-2378-4608-b880-457b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-09-19T14:48:53.000Z", "modified": "2016-09-19T14:48:53.000Z", "description": "Example Ursnif Payload - Xchecked via VT: 6b588ff17412c4a8221521ab70d7d0230c339ed4c5c96c181e4010ba0007e879", "pattern": "[file:hashes.MD5 = '86a50ac34b6e18b5bec0a24a1b4f12d3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-09-19T14:48:53Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57dffad6-a830-41f2-adb9-480302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-09-19T14:48:54.000Z", "modified": "2016-09-19T14:48:54.000Z", "first_observed": "2016-09-19T14:48:54Z", "last_observed": "2016-09-19T14:48:54Z", "number_observed": 1, "object_refs": [ "url--57dffad6-a830-41f2-adb9-480302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57dffad6-a830-41f2-adb9-480302de0b81", "value": "https://www.virustotal.com/file/6b588ff17412c4a8221521ab70d7d0230c339ed4c5c96c181e4010ba0007e879/analysis/1473668183/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57dffad7-5278-4962-91b7-43a002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-09-19T14:48:55.000Z", "modified": "2016-09-19T14:48:55.000Z", "description": "Example Nymaim Payload - Xchecked via VT: f34589058db1a8cdb31c79eec88bd851cf3e2157501760f1c0263523d614d8f9", "pattern": "[file:hashes.SHA1 = 'c28bec7ce1d0bcfd1a007cefe086571d5d49b975']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-09-19T14:48:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57dffad7-ddb8-4af6-846a-457f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-09-19T14:48:55.000Z", "modified": "2016-09-19T14:48:55.000Z", "description": "Example Nymaim Payload - Xchecked via VT: f34589058db1a8cdb31c79eec88bd851cf3e2157501760f1c0263523d614d8f9", "pattern": "[file:hashes.MD5 = '12abc10d3c37841f4f4f7e193b045f6b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-09-19T14:48:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57dffad8-dae4-4425-bf3b-410202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-09-19T14:48:56.000Z", "modified": "2016-09-19T14:48:56.000Z", "first_observed": "2016-09-19T14:48:56Z", "last_observed": "2016-09-19T14:48:56Z", "number_observed": 1, "object_refs": [ "url--57dffad8-dae4-4425-bf3b-410202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57dffad8-dae4-4425-bf3b-410202de0b81", "value": "https://www.virustotal.com/file/f34589058db1a8cdb31c79eec88bd851cf3e2157501760f1c0263523d614d8f9/analysis/1465970739/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57dffad9-de4c-44b7-a374-405102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-09-19T14:48:57.000Z", "modified": "2016-09-19T14:48:57.000Z", "description": "Dridex Document - Xchecked via VT: 72acb7dd6bea232c623367a4d3417d0ee7d412d3df5a0287d621716f5a69ab06", "pattern": "[file:hashes.SHA1 = '27c3ff564efbf5db343feba688236c180846b61b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-09-19T14:48:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57dffad9-6b2c-43de-883a-4dbe02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-09-19T14:48:57.000Z", "modified": "2016-09-19T14:48:57.000Z", "description": "Dridex Document - Xchecked via VT: 72acb7dd6bea232c623367a4d3417d0ee7d412d3df5a0287d621716f5a69ab06", "pattern": "[file:hashes.MD5 = '64d133b98ab00c9f5409e4ab29a70250']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-09-19T14:48:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57dffada-9154-4c95-b067-43ea02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-09-19T14:48:58.000Z", "modified": "2016-09-19T14:48:58.000Z", "first_observed": "2016-09-19T14:48:58Z", "last_observed": "2016-09-19T14:48:58Z", "number_observed": 1, "object_refs": [ "url--57dffada-9154-4c95-b067-43ea02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57dffada-9154-4c95-b067-43ea02de0b81", "value": "https://www.virustotal.com/file/72acb7dd6bea232c623367a4d3417d0ee7d412d3df5a0287d621716f5a69ab06/analysis/1466780189/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57dffadb-7b64-4794-89dc-452502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-09-19T14:48:59.000Z", "modified": "2016-09-19T14:48:59.000Z", "description": "Ursnif Document - Xchecked via VT: f73fcbf4cf9a775d4d4abf53c13a0136a120d5a7e015942a7a43f686f266bf70", "pattern": "[file:hashes.SHA1 = 'cfb624f1b220b96e51214a58a29e596334cf975d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-09-19T14:48:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57dffadb-5cf0-490d-8b2b-4b6402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-09-19T14:48:59.000Z", "modified": "2016-09-19T14:48:59.000Z", "description": "Ursnif Document - Xchecked via VT: f73fcbf4cf9a775d4d4abf53c13a0136a120d5a7e015942a7a43f686f266bf70", "pattern": "[file:hashes.MD5 = '89968ce9689ffcf42cd5e8b1702ad6a3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-09-19T14:48:59Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57dffadc-f574-41e3-8413-489f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-09-19T14:49:00.000Z", "modified": "2016-09-19T14:49:00.000Z", "first_observed": "2016-09-19T14:49:00Z", "last_observed": "2016-09-19T14:49:00Z", "number_observed": 1, "object_refs": [ "url--57dffadc-f574-41e3-8413-489f02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57dffadc-f574-41e3-8413-489f02de0b81", "value": "https://www.virustotal.com/file/f73fcbf4cf9a775d4d4abf53c13a0136a120d5a7e015942a7a43f686f266bf70/analysis/1465721182/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57dffadd-6bf0-4f60-957a-422102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-09-19T14:49:01.000Z", "modified": "2016-09-19T14:49:01.000Z", "description": "Nymaim Document - Xchecked via VT: a8ae681463b75470be8dc911f0cf7ca01a2eaea87005564263a5bbe38d652369", "pattern": "[file:hashes.SHA1 = 'f5249c827757e4ef4bc107e7ca0e8e5b3e361bdc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-09-19T14:49:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--57dffadd-5800-46d8-a22a-472c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-09-19T14:49:01.000Z", "modified": "2016-09-19T14:49:01.000Z", "description": "Nymaim Document - Xchecked via VT: a8ae681463b75470be8dc911f0cf7ca01a2eaea87005564263a5bbe38d652369", "pattern": "[file:hashes.MD5 = 'ad9c255868ab55652555e47d8985ea2f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2016-09-19T14:49:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--57dffade-be88-4afb-a678-46f702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2016-09-19T14:49:02.000Z", "modified": "2016-09-19T14:49:02.000Z", "first_observed": "2016-09-19T14:49:02Z", "last_observed": "2016-09-19T14:49:02Z", "number_observed": 1, "object_refs": [ "url--57dffade-be88-4afb-a678-46f702de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--57dffade-be88-4afb-a678-46f702de0b81", "value": "https://www.virustotal.com/file/a8ae681463b75470be8dc911f0cf7ca01a2eaea87005564263a5bbe38d652369/analysis/1465720444/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }