{ "type": "bundle", "id": "bundle--58e73aab-3530-44d8-94b7-4cbf950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:13:39.000Z", "modified": "2017-04-07T10:13:39.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--58e73aab-3530-44d8-94b7-4cbf950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:13:39.000Z", "modified": "2017-04-07T10:13:39.000Z", "name": "OSINT - High-Volume Dridex Campaigns Return, First to Hit Millions Since June 2016", "published": "2017-04-07T10:15:39Z", "object_refs": [ "indicator--58e73b5f-bd3c-4749-b338-4683950d210f", "indicator--58e73b60-9508-41a5-b5d4-4076950d210f", "indicator--58e73b61-5820-4259-bf31-47ad950d210f", "observed-data--58e73b73-775c-4c97-a655-4120950d210f", "url--58e73b73-775c-4c97-a655-4120950d210f", "indicator--58e73cbd-d934-4c4f-9673-4aed950d210f", "indicator--58e73cbe-0a68-4d90-9596-450a950d210f", "indicator--58e73cbf-c770-4e6d-97b8-4004950d210f", "indicator--58e73cc0-08cc-4ade-84b3-44fa950d210f", "indicator--58e73cc1-ce74-4efe-b509-483d950d210f", "indicator--58e73cc2-0044-43f2-8a9f-4cd3950d210f", "indicator--58e73cc3-5ad8-48e1-ae5e-4e5f950d210f", "indicator--58e73d58-13c4-4a30-8f9b-4072950d210f", "indicator--58e73d59-2f14-4f5d-8b44-4275950d210f", "indicator--58e73d5a-3b5c-4902-a0c9-4608950d210f", "indicator--58e73d5b-aab0-4ab1-85b4-4007950d210f", "indicator--58e73da3-cf44-49cc-9c82-4fd1950d210f", "indicator--58e73da4-a844-4319-851a-491c950d210f", "indicator--58e73de0-26d0-4e32-b380-47e4950d210f", "indicator--58e73de1-26f8-4352-862a-4204950d210f", "indicator--58e73de2-9c50-4fe6-99d3-431e950d210f", "indicator--58e73de3-cee8-4425-9217-43c2950d210f", "indicator--58e73de5-d9c8-48b4-91ce-40cf950d210f", "indicator--58e73de6-1c44-421f-b169-465c950d210f", "x-misp-attribute--58e73e57-0c84-41fe-a209-491d950d210f", "indicator--58e73fc0-6d00-4fcd-9200-4af8950d210f", "indicator--58e73fc2-fbf8-4eb2-b55e-47f9950d210f", "indicator--58e73fc4-5f60-4ad3-b30c-42bf950d210f", "indicator--58e73fc6-f0a0-4574-89c8-4dee950d210f", "indicator--58e73fc8-4d50-453a-af40-4238950d210f", "indicator--58e73fca-7608-49de-8ecf-4130950d210f", "indicator--58e73fcc-4910-4c8e-817e-4be1950d210f", "indicator--58e73fce-f480-4d25-be75-4505950d210f", "indicator--58e73ff3-8c9c-4cd0-b98b-4e5d950d210f", "indicator--58e73ff4-ecfc-48fd-9970-4075950d210f", "indicator--58e73ff5-1f6c-4567-bb07-4a94950d210f", "indicator--58e76654-0f90-4af3-9d77-499302de0b81", "indicator--58e76655-1eb0-46f4-b791-413602de0b81", "observed-data--58e76656-b394-4f3d-8498-40ac02de0b81", "url--58e76656-b394-4f3d-8498-40ac02de0b81", "indicator--58e76657-0cf8-48f2-9e77-45eb02de0b81", "indicator--58e76658-8684-4696-9e23-4c7402de0b81", "observed-data--58e76659-b41c-4a12-afdf-41af02de0b81", "url--58e76659-b41c-4a12-afdf-41af02de0b81", "indicator--58e7665a-89dc-48f5-a69e-4d3b02de0b81", "indicator--58e7665b-d364-4005-b2c2-406902de0b81", "observed-data--58e7665c-5394-4250-9d8c-49f302de0b81", "url--58e7665c-5394-4250-9d8c-49f302de0b81", "indicator--58e7665d-3844-4f1f-9fa8-40e202de0b81", "indicator--58e7665e-9778-483d-9712-4e2202de0b81", "observed-data--58e7665f-c77c-4b35-acd9-4f0302de0b81", "url--58e7665f-c77c-4b35-acd9-4f0302de0b81", "indicator--58e76660-f4ec-4ac7-96c6-4e9202de0b81", "indicator--58e76660-28a0-4837-b925-405202de0b81", "observed-data--58e76661-edf0-4e21-945d-4df102de0b81", "url--58e76661-edf0-4e21-945d-4df102de0b81", "indicator--58e76662-6f30-4eeb-987b-441602de0b81", "indicator--58e76663-b798-454f-887a-460502de0b81", "observed-data--58e76664-e204-4ed7-8ab0-439c02de0b81", "url--58e76664-e204-4ed7-8ab0-439c02de0b81", "indicator--58e76665-f120-4ccd-a42c-4e7502de0b81", "indicator--58e76666-87b4-420b-92f6-433c02de0b81", "observed-data--58e76667-b1b0-43d3-bacd-413102de0b81", "url--58e76667-b1b0-43d3-bacd-413102de0b81", "indicator--58e76668-dbac-41b1-84c0-41fc02de0b81", "indicator--58e76669-a3c0-454b-8635-43ea02de0b81", "observed-data--58e7666a-9bb8-40ac-a37a-4e9402de0b81", "url--58e7666a-9bb8-40ac-a37a-4e9402de0b81", "indicator--58e7666b-5a48-4cf6-a3f5-4cb502de0b81", "indicator--58e7666c-7810-4fa4-9361-4e4d02de0b81", "observed-data--58e7666d-4628-4053-a1a9-4bb602de0b81", "url--58e7666d-4628-4053-a1a9-4bb602de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:tool=\"Dridex\"", "osint:source-type=\"blog-post\"", "type:OSINT" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e73b5f-bd3c-4749-b338-4683950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:12:57.000Z", "modified": "2017-04-07T10:12:57.000Z", "description": "VBS Downloader Example", "pattern": "[file:hashes.SHA256 = '84c9028a1d25e5f171c170179f2f1ea3e1eab9514812ab9e4b617de822b46e69']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e73b60-9508-41a5-b5d4-4076950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:12:57.000Z", "modified": "2017-04-07T10:12:57.000Z", "description": "Macro Document", "pattern": "[file:hashes.SHA256 = '1ac8931791374c156c8e619b4ca66fdcbd31a56203fa3a429d981e20955099c8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e73b61-5820-4259-bf31-47ad950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:12:57.000Z", "modified": "2017-04-07T10:12:57.000Z", "description": "Macro Document", "pattern": "[file:hashes.SHA256 = '743f6538c1dc1b224e443356f9bf3ae3954f2dea2c3b6e7986a5bc410b8dda20']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58e73b73-775c-4c97-a655-4120950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:13:15.000Z", "modified": "2017-04-07T10:13:15.000Z", "first_observed": "2017-04-07T10:13:15Z", "last_observed": "2017-04-07T10:13:15Z", "number_observed": 1, "object_refs": [ "url--58e73b73-775c-4c97-a655-4120950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58e73b73-775c-4c97-a655-4120950d210f", "value": "https://www.proofpoint.com/us/threat-insight/post/high-volume-dridex-campaigns-return" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e73cbd-d934-4c4f-9673-4aed950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:12:57.000Z", "modified": "2017-04-07T10:12:57.000Z", "description": "Document Payload", "pattern": "[url:value = 'http://meyermuehltal.de/0h656jk']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e73cbe-0a68-4d90-9596-450a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:12:57.000Z", "modified": "2017-04-07T10:12:57.000Z", "description": "Document Payload", "pattern": "[url:value = 'http://technologyservice.eu/0h656jk']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e73cbf-c770-4e6d-97b8-4004950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:12:57.000Z", "modified": "2017-04-07T10:12:57.000Z", "description": "Document Payload", "pattern": "[url:value = 'http://tspars.com/0h656jk']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e73cc0-08cc-4ade-84b3-44fa950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:12:57.000Z", "modified": "2017-04-07T10:12:57.000Z", "description": "Document Payload", "pattern": "[url:value = 'http://thaipowertools.com/0h656jk']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e73cc1-ce74-4efe-b509-483d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:12:57.000Z", "modified": "2017-04-07T10:12:57.000Z", "description": "Document Payload", "pattern": "[url:value = 'http://www.movimentodiesel.gr/0h656jk']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e73cc2-0044-43f2-8a9f-4cd3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:12:57.000Z", "modified": "2017-04-07T10:12:57.000Z", "description": "Document Payload", "pattern": "[url:value = 'http://lhgarden.org/0h656jk']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e73cc3-5ad8-48e1-ae5e-4e5f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:12:57.000Z", "modified": "2017-04-07T10:12:57.000Z", "description": "Document Payload", "pattern": "[url:value = 'http://www.soulcube.com/0h656jk']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e73d58-13c4-4a30-8f9b-4072950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:12:57.000Z", "modified": "2017-04-07T10:12:57.000Z", "description": "VBS Payload", "pattern": "[url:value = 'http://roylgrafix.com/76gbce?']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e73d59-2f14-4f5d-8b44-4275950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:12:57.000Z", "modified": "2017-04-07T10:12:57.000Z", "description": "VBS Payload", "pattern": "[url:value = 'http://signwaves.net/76gbce?']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e73d5a-3b5c-4902-a0c9-4608950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:12:57.000Z", "modified": "2017-04-07T10:12:57.000Z", "description": "VBS Payload", "pattern": "[url:value = 'http://testsite.prosun.com/76gbce?']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e73d5b-aab0-4ab1-85b4-4007950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:12:57.000Z", "modified": "2017-04-07T10:12:57.000Z", "description": "VBS Payload", "pattern": "[url:value = 'http://omurongen.com/76gbce?']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e73da3-cf44-49cc-9c82-4fd1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:12:57.000Z", "modified": "2017-04-07T10:12:57.000Z", "description": "Smoke Loader Payload", "pattern": "[url:value = 'http://pastasmolinero.es/76gf33']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e73da4-a844-4319-851a-491c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:12:57.000Z", "modified": "2017-04-07T10:12:57.000Z", "description": "Quant Loader Payload", "pattern": "[url:value = 'http://nzhat.net/9jgtyft6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e73de0-26d0-4e32-b380-47e4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:12:57.000Z", "modified": "2017-04-07T10:12:57.000Z", "description": "Dridex Botnet 7500 Loader", "pattern": "[file:hashes.SHA256 = 'dfd99e050505ec41bc41fbaf51fee908fcda8c17a1bc92623748d34915c5bc0a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e73de1-26f8-4352-862a-4204950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:12:57.000Z", "modified": "2017-04-07T10:12:57.000Z", "description": "Dridex Botnet 7500 Loader", "pattern": "[file:hashes.SHA256 = '20b61b6ce821f8011f2cb1a409e6221b7bc1ae3a0cde56d66b025d12d640ee81']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e73de2-9c50-4fe6-99d3-431e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:12:57.000Z", "modified": "2017-04-07T10:12:57.000Z", "description": "Smoke Loader", "pattern": "[file:hashes.SHA256 = '4d76f25637f4193457b124290f878a47b5b9361ff486b79dc48a2d5c3648de02']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e73de3-cee8-4425-9217-43c2950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:12:57.000Z", "modified": "2017-04-07T10:12:57.000Z", "description": "Dridex Botnet 7200 Loader", "pattern": "[file:hashes.SHA256 = '379466fd81787399f7da3bfaab288c4b67ba3518c0225d1deabf9bc833dcaa22']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e73de5-d9c8-48b4-91ce-40cf950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:12:57.000Z", "modified": "2017-04-07T10:12:57.000Z", "description": "Dridex Botnet 7200 Loader", "pattern": "[file:hashes.SHA256 = '6adda664e3ab2936a8dbe8e95e10d33e34d13fbe375123c69abf3ac5fbf52fcd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e73de6-1c44-421f-b169-465c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:12:57.000Z", "modified": "2017-04-07T10:12:57.000Z", "description": "Quant Loader", "pattern": "[file:hashes.SHA256 = 'ac4d02637e1e01b16062f368658275cb8400b21f6592819d3a09dbee31cb5cc1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--58e73e57-0c84-41fe-a209-491d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:12:57.000Z", "modified": "2017-04-07T10:12:57.000Z", "labels": [ "misp:type=\"other\"", "misp:category=\"Payload delivery\"" ], "x_misp_category": "Payload delivery", "x_misp_comment": "Dridex Botnet 7200 Loader", "x_misp_type": "other", "x_misp_value": "5054518c52e70f86a6e42641b094e9b64df96bd65C&C9ab0d21e810dcf14c87b5|SHA256|Dridex Botnet 7200 Loader" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e73fc0-6d00-4fcd-9200-4af8950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:12:57.000Z", "modified": "2017-04-07T10:12:57.000Z", "description": "Dridex Loader C&C", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '8.8.247.36' AND network-traffic:dst_port = '443']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"ip-dst|port\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e73fc2-fbf8-4eb2-b55e-47f9950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:12:57.000Z", "modified": "2017-04-07T10:12:57.000Z", "description": "Dridex Loader C&C", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '81.12.229.190' AND network-traffic:dst_port = '8043']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"ip-dst|port\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e73fc4-5f60-4ad3-b30c-42bf950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:12:57.000Z", "modified": "2017-04-07T10:12:57.000Z", "description": "Dridex Loader C&C", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '107.170.0.14' AND network-traffic:dst_port = '8043']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"ip-dst|port\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e73fc6-f0a0-4574-89c8-4dee950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:12:57.000Z", "modified": "2017-04-07T10:12:57.000Z", "description": "Dridex Loader C&C", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '37.120.172.171' AND network-traffic:dst_port = '4143']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"ip-dst|port\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e73fc8-4d50-453a-af40-4238950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:12:57.000Z", "modified": "2017-04-07T10:12:57.000Z", "description": "Dridex Loader C&C", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '91.219.28.55' AND network-traffic:dst_port = '443']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"ip-dst|port\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e73fca-7608-49de-8ecf-4130950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:12:57.000Z", "modified": "2017-04-07T10:12:57.000Z", "description": "Dridex Loader C&C", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '178.32.255.130' AND network-traffic:dst_port = '44343']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"ip-dst|port\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e73fcc-4910-4c8e-817e-4be1950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:12:57.000Z", "modified": "2017-04-07T10:12:57.000Z", "description": "Dridex Loader C&C", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '217.197.39.1' AND network-traffic:dst_port = '8443']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"ip-dst|port\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e73fce-f480-4d25-be75-4505950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:12:57.000Z", "modified": "2017-04-07T10:12:57.000Z", "description": "Dridex Loader C&C", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '195.88.209.221' AND network-traffic:dst_port = '4413']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"ip-dst|port\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e73ff3-8c9c-4cd0-b98b-4e5d950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:12:57.000Z", "modified": "2017-04-07T10:12:57.000Z", "description": "Smoke Loader C&C", "pattern": "[url:value = 'http://justjohnwilhertthet.ws/m/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e73ff4-ecfc-48fd-9970-4075950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:12:57.000Z", "modified": "2017-04-07T10:12:57.000Z", "description": "Quant Loader C&C", "pattern": "[url:value = 'http://jusevengwassresbet.ws/q/index.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e73ff5-1f6c-4567-bb07-4a94950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:12:57.000Z", "modified": "2017-04-07T10:12:57.000Z", "description": "Quant Loader C&C", "pattern": "[url:value = 'http://sinmanarattot.ws/q/index.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:12:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e76654-0f90-4af3-9d77-499302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:13:40.000Z", "modified": "2017-04-07T10:13:40.000Z", "description": "Quant Loader - Xchecked via VT: ac4d02637e1e01b16062f368658275cb8400b21f6592819d3a09dbee31cb5cc1", "pattern": "[file:hashes.SHA1 = '155863bcd4ea677986beb13b1e519f3f71cf2183']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:13:40Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e76655-1eb0-46f4-b791-413602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:13:41.000Z", "modified": "2017-04-07T10:13:41.000Z", "description": "Quant Loader - Xchecked via VT: ac4d02637e1e01b16062f368658275cb8400b21f6592819d3a09dbee31cb5cc1", "pattern": "[file:hashes.MD5 = '3ede7214e1fe848aefd67e8d11beec00']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:13:41Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58e76656-b394-4f3d-8498-40ac02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:13:42.000Z", "modified": "2017-04-07T10:13:42.000Z", "first_observed": "2017-04-07T10:13:42Z", "last_observed": "2017-04-07T10:13:42Z", "number_observed": 1, "object_refs": [ "url--58e76656-b394-4f3d-8498-40ac02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58e76656-b394-4f3d-8498-40ac02de0b81", "value": "https://www.virustotal.com/file/ac4d02637e1e01b16062f368658275cb8400b21f6592819d3a09dbee31cb5cc1/analysis/1491538426/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e76657-0cf8-48f2-9e77-45eb02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:13:43.000Z", "modified": "2017-04-07T10:13:43.000Z", "description": "Dridex Botnet 7200 Loader - Xchecked via VT: 6adda664e3ab2936a8dbe8e95e10d33e34d13fbe375123c69abf3ac5fbf52fcd", "pattern": "[file:hashes.SHA1 = '694266450ffedf4008f0cf0e5573c63c56f2e5d0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:13:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e76658-8684-4696-9e23-4c7402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:13:44.000Z", "modified": "2017-04-07T10:13:44.000Z", "description": "Dridex Botnet 7200 Loader - Xchecked via VT: 6adda664e3ab2936a8dbe8e95e10d33e34d13fbe375123c69abf3ac5fbf52fcd", "pattern": "[file:hashes.MD5 = 'f4e11acef79702561dea6070d4dbba45']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:13:44Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58e76659-b41c-4a12-afdf-41af02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:13:45.000Z", "modified": "2017-04-07T10:13:45.000Z", "first_observed": "2017-04-07T10:13:45Z", "last_observed": "2017-04-07T10:13:45Z", "number_observed": 1, "object_refs": [ "url--58e76659-b41c-4a12-afdf-41af02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58e76659-b41c-4a12-afdf-41af02de0b81", "value": "https://www.virustotal.com/file/6adda664e3ab2936a8dbe8e95e10d33e34d13fbe375123c69abf3ac5fbf52fcd/analysis/1491294800/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e7665a-89dc-48f5-a69e-4d3b02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:13:46.000Z", "modified": "2017-04-07T10:13:46.000Z", "description": "Dridex Botnet 7200 Loader - Xchecked via VT: 379466fd81787399f7da3bfaab288c4b67ba3518c0225d1deabf9bc833dcaa22", "pattern": "[file:hashes.SHA1 = '44bbd62533c8b1257a02f11756b39ebca77eda78']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:13:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e7665b-d364-4005-b2c2-406902de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:13:47.000Z", "modified": "2017-04-07T10:13:47.000Z", "description": "Dridex Botnet 7200 Loader - Xchecked via VT: 379466fd81787399f7da3bfaab288c4b67ba3518c0225d1deabf9bc833dcaa22", "pattern": "[file:hashes.MD5 = '0243c9bb903d6f89d7eeadae882cf591']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:13:47Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58e7665c-5394-4250-9d8c-49f302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:13:48.000Z", "modified": "2017-04-07T10:13:48.000Z", "first_observed": "2017-04-07T10:13:48Z", "last_observed": "2017-04-07T10:13:48Z", "number_observed": 1, "object_refs": [ "url--58e7665c-5394-4250-9d8c-49f302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58e7665c-5394-4250-9d8c-49f302de0b81", "value": "https://www.virustotal.com/file/379466fd81787399f7da3bfaab288c4b67ba3518c0225d1deabf9bc833dcaa22/analysis/1491192423/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e7665d-3844-4f1f-9fa8-40e202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:13:49.000Z", "modified": "2017-04-07T10:13:49.000Z", "description": "Smoke Loader - Xchecked via VT: 4d76f25637f4193457b124290f878a47b5b9361ff486b79dc48a2d5c3648de02", "pattern": "[file:hashes.SHA1 = 'a6cc5c3aedf9eba6ff3f18b76430e3f8efb90f57']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:13:49Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e7665e-9778-483d-9712-4e2202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:13:50.000Z", "modified": "2017-04-07T10:13:50.000Z", "description": "Smoke Loader - Xchecked via VT: 4d76f25637f4193457b124290f878a47b5b9361ff486b79dc48a2d5c3648de02", "pattern": "[file:hashes.MD5 = 'c738746c751e3f4465cdf20959ed7115']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:13:50Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58e7665f-c77c-4b35-acd9-4f0302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:13:51.000Z", "modified": "2017-04-07T10:13:51.000Z", "first_observed": "2017-04-07T10:13:51Z", "last_observed": "2017-04-07T10:13:51Z", "number_observed": 1, "object_refs": [ "url--58e7665f-c77c-4b35-acd9-4f0302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58e7665f-c77c-4b35-acd9-4f0302de0b81", "value": "https://www.virustotal.com/file/4d76f25637f4193457b124290f878a47b5b9361ff486b79dc48a2d5c3648de02/analysis/1491540064/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e76660-f4ec-4ac7-96c6-4e9202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:13:52.000Z", "modified": "2017-04-07T10:13:52.000Z", "description": "Dridex Botnet 7500 Loader - Xchecked via VT: 20b61b6ce821f8011f2cb1a409e6221b7bc1ae3a0cde56d66b025d12d640ee81", "pattern": "[file:hashes.SHA1 = '6812c5b94ea2452b794e8e735428eddd415e1bb6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:13:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e76660-28a0-4837-b925-405202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:13:52.000Z", "modified": "2017-04-07T10:13:52.000Z", "description": "Dridex Botnet 7500 Loader - Xchecked via VT: 20b61b6ce821f8011f2cb1a409e6221b7bc1ae3a0cde56d66b025d12d640ee81", "pattern": "[file:hashes.MD5 = 'e50522bf1817a8f5698b740e5225c34f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:13:52Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58e76661-edf0-4e21-945d-4df102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:13:53.000Z", "modified": "2017-04-07T10:13:53.000Z", "first_observed": "2017-04-07T10:13:53Z", "last_observed": "2017-04-07T10:13:53Z", "number_observed": 1, "object_refs": [ "url--58e76661-edf0-4e21-945d-4df102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58e76661-edf0-4e21-945d-4df102de0b81", "value": "https://www.virustotal.com/file/20b61b6ce821f8011f2cb1a409e6221b7bc1ae3a0cde56d66b025d12d640ee81/analysis/1491282981/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e76662-6f30-4eeb-987b-441602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:13:54.000Z", "modified": "2017-04-07T10:13:54.000Z", "description": "Dridex Botnet 7500 Loader - Xchecked via VT: dfd99e050505ec41bc41fbaf51fee908fcda8c17a1bc92623748d34915c5bc0a", "pattern": "[file:hashes.SHA1 = '7eb1ab6a19b3ab9fc8dd96f73e5a696571a72400']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:13:54Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e76663-b798-454f-887a-460502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:13:55.000Z", "modified": "2017-04-07T10:13:55.000Z", "description": "Dridex Botnet 7500 Loader - Xchecked via VT: dfd99e050505ec41bc41fbaf51fee908fcda8c17a1bc92623748d34915c5bc0a", "pattern": "[file:hashes.MD5 = '41a5b1d50947452adb663abcb6ecb829']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:13:55Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58e76664-e204-4ed7-8ab0-439c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:13:56.000Z", "modified": "2017-04-07T10:13:56.000Z", "first_observed": "2017-04-07T10:13:56Z", "last_observed": "2017-04-07T10:13:56Z", "number_observed": 1, "object_refs": [ "url--58e76664-e204-4ed7-8ab0-439c02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58e76664-e204-4ed7-8ab0-439c02de0b81", "value": "https://www.virustotal.com/file/dfd99e050505ec41bc41fbaf51fee908fcda8c17a1bc92623748d34915c5bc0a/analysis/1491188391/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e76665-f120-4ccd-a42c-4e7502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:13:57.000Z", "modified": "2017-04-07T10:13:57.000Z", "description": "Macro Document - Xchecked via VT: 743f6538c1dc1b224e443356f9bf3ae3954f2dea2c3b6e7986a5bc410b8dda20", "pattern": "[file:hashes.SHA1 = 'f40791fd456f4e9429cbcc231e5550bfe8fcb906']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:13:57Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e76666-87b4-420b-92f6-433c02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:13:58.000Z", "modified": "2017-04-07T10:13:58.000Z", "description": "Macro Document - Xchecked via VT: 743f6538c1dc1b224e443356f9bf3ae3954f2dea2c3b6e7986a5bc410b8dda20", "pattern": "[file:hashes.MD5 = '130b76fcf04f44433fa075c3cc596d03']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:13:58Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58e76667-b1b0-43d3-bacd-413102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:13:59.000Z", "modified": "2017-04-07T10:13:59.000Z", "first_observed": "2017-04-07T10:13:59Z", "last_observed": "2017-04-07T10:13:59Z", "number_observed": 1, "object_refs": [ "url--58e76667-b1b0-43d3-bacd-413102de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58e76667-b1b0-43d3-bacd-413102de0b81", "value": "https://www.virustotal.com/file/743f6538c1dc1b224e443356f9bf3ae3954f2dea2c3b6e7986a5bc410b8dda20/analysis/1491287540/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e76668-dbac-41b1-84c0-41fc02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:14:00.000Z", "modified": "2017-04-07T10:14:00.000Z", "description": "Macro Document - Xchecked via VT: 1ac8931791374c156c8e619b4ca66fdcbd31a56203fa3a429d981e20955099c8", "pattern": "[file:hashes.SHA1 = '49858617e73d5a56894140d90f0d75fe59496b1e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:14:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e76669-a3c0-454b-8635-43ea02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:14:01.000Z", "modified": "2017-04-07T10:14:01.000Z", "description": "Macro Document - Xchecked via VT: 1ac8931791374c156c8e619b4ca66fdcbd31a56203fa3a429d981e20955099c8", "pattern": "[file:hashes.MD5 = '6c8104146ba1bb6e1a4c3b8b6f6a1fa9']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:14:01Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58e7666a-9bb8-40ac-a37a-4e9402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:14:02.000Z", "modified": "2017-04-07T10:14:02.000Z", "first_observed": "2017-04-07T10:14:02Z", "last_observed": "2017-04-07T10:14:02Z", "number_observed": 1, "object_refs": [ "url--58e7666a-9bb8-40ac-a37a-4e9402de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58e7666a-9bb8-40ac-a37a-4e9402de0b81", "value": "https://www.virustotal.com/file/1ac8931791374c156c8e619b4ca66fdcbd31a56203fa3a429d981e20955099c8/analysis/1491436931/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e7666b-5a48-4cf6-a3f5-4cb502de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:14:03.000Z", "modified": "2017-04-07T10:14:03.000Z", "description": "VBS Downloader Example - Xchecked via VT: 84c9028a1d25e5f171c170179f2f1ea3e1eab9514812ab9e4b617de822b46e69", "pattern": "[file:hashes.SHA1 = '71792564c59392c6f875c18bb62b7f501ba48a5d']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:14:03Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--58e7666c-7810-4fa4-9361-4e4d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:14:04.000Z", "modified": "2017-04-07T10:14:04.000Z", "description": "VBS Downloader Example - Xchecked via VT: 84c9028a1d25e5f171c170179f2f1ea3e1eab9514812ab9e4b617de822b46e69", "pattern": "[file:hashes.MD5 = '1cdecc032262cc06375296dd7d907968']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-04-07T10:14:04Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--58e7666d-4628-4053-a1a9-4bb602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-04-07T10:14:05.000Z", "modified": "2017-04-07T10:14:05.000Z", "first_observed": "2017-04-07T10:14:05Z", "last_observed": "2017-04-07T10:14:05Z", "number_observed": 1, "object_refs": [ "url--58e7666d-4628-4053-a1a9-4bb602de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--58e7666d-4628-4053-a1a9-4bb602de0b81", "value": "https://www.virustotal.com/file/84c9028a1d25e5f171c170179f2f1ea3e1eab9514812ab9e4b617de822b46e69/analysis/1491200234/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }