{ "type": "bundle", "id": "bundle--596f7d10-18f4-44d9-ae66-48d3950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--596f7d10-18f4-44d9-ae66-48d3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "name": "OSINT - Unravelling .NET with the Help of WinDBG", "published": "2017-07-19T15:41:41Z", "object_refs": [ "indicator--596f7d56-5c0c-413f-8958-1ab5950d210f", "indicator--596f7d56-08f0-412f-9788-1ab5950d210f", "indicator--596f7d56-7c10-41fc-a418-1ab5950d210f", "indicator--596f7d56-a90c-432e-a36a-1ab5950d210f", "indicator--596f7d56-0600-4335-9d3f-1ab5950d210f", "indicator--596f7d56-4b20-4277-a0b1-1ab5950d210f", "indicator--596f7d56-c7d4-40a6-b2cb-1ab5950d210f", "indicator--596f7d6c-a324-4766-acf1-4cef950d210f", "indicator--596f7d6c-a9a8-4ebc-87d8-4c26950d210f", "indicator--596f7d6c-e270-4fde-a868-4e26950d210f", "indicator--596f7d6c-debc-4e8b-80e6-4a86950d210f", "x-misp-attribute--596f7d8c-f2cc-49e4-a58c-4a71950d210f", "observed-data--596f7d9c-b988-4564-be72-4a94950d210f", "url--596f7d9c-b988-4564-be72-4a94950d210f", "indicator--596f7da5-6420-4837-a04a-408302de0b81", "indicator--596f7da5-2974-499b-a794-4c4802de0b81", "observed-data--596f7da5-3070-40f2-923b-429f02de0b81", "url--596f7da5-3070-40f2-923b-429f02de0b81", "indicator--596f7da5-0884-4f33-b7a1-47e102de0b81", "indicator--596f7da5-2838-4086-8f90-4ff202de0b81", "observed-data--596f7da5-8ba4-4f72-ae5f-425402de0b81", "url--596f7da5-8ba4-4f72-ae5f-425402de0b81", "indicator--596f7da5-3f64-44a5-8f9f-435602de0b81", "indicator--596f7da5-8ad8-4107-8023-4dc102de0b81", "observed-data--596f7da5-a064-4660-a94e-4e4402de0b81", "url--596f7da5-a064-4660-a94e-4e4402de0b81", "indicator--596f7da5-7170-4554-bc97-4dd202de0b81", "indicator--596f7da5-b960-43a9-866a-4f9e02de0b81", "observed-data--596f7da5-05a4-4ad1-b112-454602de0b81", "url--596f7da5-05a4-4ad1-b112-454602de0b81", "indicator--596f7da5-70fc-4bbf-8736-419f02de0b81", "indicator--596f7da5-67c0-4b36-bd23-4c2702de0b81", "observed-data--596f7da5-8df4-4fef-b6cb-4a0402de0b81", "url--596f7da5-8df4-4fef-b6cb-4a0402de0b81", "indicator--596f7da5-9850-4e16-87be-434d02de0b81", "indicator--596f7da5-e298-4951-8ba0-408702de0b81", "observed-data--596f7da5-3f20-423b-98c8-403302de0b81", "url--596f7da5-3f20-423b-98c8-403302de0b81", "indicator--596f7da5-34a4-40c4-92e6-421202de0b81", "indicator--596f7da5-6074-46b0-a001-401002de0b81", "observed-data--596f7da5-0f84-4357-94cc-424a02de0b81", "url--596f7da5-0f84-4357-94cc-424a02de0b81" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--596f7d56-5c0c-413f-8958-1ab5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "description": "PACKED SAMPLES", "pattern": "[file:hashes.SHA256 = '21acd3457c1a589e117988fe0456e50ed627f051a97ccd11bfeeaf3c0cd79bfe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-19T15:41:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--596f7d56-08f0-412f-9788-1ab5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "description": "PACKED SAMPLES", "pattern": "[file:hashes.SHA256 = '344ce133363f005346210611d5abd2513934a32739bc6e1bbd2257a298484051']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-19T15:41:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--596f7d56-7c10-41fc-a418-1ab5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "description": "PACKED SAMPLES", "pattern": "[file:hashes.SHA256 = '45c695e610d78178ec5ca6f4e1993afacf4e435b566cd2caf65408fb6080300f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-19T15:41:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--596f7d56-a90c-432e-a36a-1ab5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "description": "PACKED SAMPLES", "pattern": "[file:hashes.SHA256 = '61653b2811fb7c672584d00417cbc1a56c8372331f1913104f9807a775f25773']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-19T15:41:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--596f7d56-0600-4335-9d3f-1ab5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "description": "PACKED SAMPLES", "pattern": "[file:hashes.SHA256 = 'ac7bd77245bdf284d36ce1f9e2cb6a21d2dbd38aa1964dbaee4d06563f057ca6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-19T15:41:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--596f7d56-4b20-4277-a0b1-1ab5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "description": "PACKED SAMPLES", "pattern": "[file:hashes.SHA256 = 'b607e87acdcb2ef0f102298decc57ca3ea20fabbf02375fd30eddddffbeec320']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-19T15:41:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--596f7d56-c7d4-40a6-b2cb-1ab5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "description": "PACKED SAMPLES", "pattern": "[file:hashes.SHA256 = 'e93c0aed6bbb4af734403e02d399c124f2d07f8e701fb716c2efe65942f83504']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-19T15:41:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--596f7d6c-a324-4766-acf1-4cef950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "description": "UNPACKED SAMPLES", "pattern": "[file:hashes.SHA256 = '35dee9106e4521e5adf295cc945355d72eb359d610230142e5dd4adda9678dee']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-19T15:41:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--596f7d6c-a9a8-4ebc-87d8-4c26950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "description": "UNPACKED SAMPLES", "pattern": "[file:hashes.SHA256 = 'b5ce02ee3dfccf28e86f737a6dde85e9d30ff0549ec611d115a1d575b5291c2e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-19T15:41:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--596f7d6c-e270-4fde-a868-4e26950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "description": "UNPACKED SAMPLES", "pattern": "[file:hashes.SHA256 = 'd9a732dcf87764a87f17c95466f557fac33f041ac6f244dba006ba155d8e9aea']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-19T15:41:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--596f7d6c-debc-4e8b-80e6-4a86950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "description": "UNPACKED SAMPLES", "pattern": "[file:hashes.SHA256 = 'fe068ce56b258762c10cc66525c309e79026c0e44103ca9b223c51382722cb09']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-19T15:41:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--596f7d8c-f2cc-49e4-a58c-4a71950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": ".NET is an increasingly important component of the Microsoft ecosystem providing a shared framework for interoperability between different languages and hardware platforms. Many Microsoft tools, such as PowerShell, and other administrative functions rely on the .NET platform for their functionality. Obviously, this makes .NET an enticing language for malware developers too. Hence, malware researchers must also be familiar with the language and have the necessary skills to analyse malicious software that runs on the platform.\r\n\r\nAnalysis tools such as ILSpy help researchers decompile code from applications, but cannot be used to automate the analysis of many samples. In this article we will examine how to use WinDBG to analyse .NET applications using the SOS extension provided by Microsoft.\r\n\r\nThis article describes:\r\nHow to analyse PowerShell scripts by inserting a breakpoint in the .NET API.\r\nHow to easily create a script to automatically unpack .NET samples following analysis of the packer logic." }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--596f7d9c-b988-4564-be72-4a94950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "first_observed": "2017-07-19T15:41:25Z", "last_observed": "2017-07-19T15:41:25Z", "number_observed": 1, "object_refs": [ "url--596f7d9c-b988-4564-be72-4a94950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--596f7d9c-b988-4564-be72-4a94950d210f", "value": "http://blog.talosintelligence.com/2017/07/unravelling-net-with-help-of-windbg.html" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--596f7da5-6420-4837-a04a-408302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "description": "PACKED SAMPLES - Xchecked via VT: e93c0aed6bbb4af734403e02d399c124f2d07f8e701fb716c2efe65942f83504", "pattern": "[file:hashes.SHA1 = '23b1f6dda828dc50963ea841414eab633bfc7dde']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-19T15:41:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--596f7da5-2974-499b-a794-4c4802de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "description": "PACKED SAMPLES - Xchecked via VT: e93c0aed6bbb4af734403e02d399c124f2d07f8e701fb716c2efe65942f83504", "pattern": "[file:hashes.MD5 = 'd8c5268ff36bec6ef67522e407c99847']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-19T15:41:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--596f7da5-3070-40f2-923b-429f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "first_observed": "2017-07-19T15:41:25Z", "last_observed": "2017-07-19T15:41:25Z", "number_observed": 1, "object_refs": [ "url--596f7da5-3070-40f2-923b-429f02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--596f7da5-3070-40f2-923b-429f02de0b81", "value": "https://www.virustotal.com/file/e93c0aed6bbb4af734403e02d399c124f2d07f8e701fb716c2efe65942f83504/analysis/1493454070/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--596f7da5-0884-4f33-b7a1-47e102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "description": "PACKED SAMPLES - Xchecked via VT: b607e87acdcb2ef0f102298decc57ca3ea20fabbf02375fd30eddddffbeec320", "pattern": "[file:hashes.SHA1 = 'a0e1c6c4c0469d28e889e15cb4fd1698d580c8b8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-19T15:41:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--596f7da5-2838-4086-8f90-4ff202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "description": "PACKED SAMPLES - Xchecked via VT: b607e87acdcb2ef0f102298decc57ca3ea20fabbf02375fd30eddddffbeec320", "pattern": "[file:hashes.MD5 = 'aeefcc7e278e54fc6ee71fa6075fdc48']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-19T15:41:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--596f7da5-8ba4-4f72-ae5f-425402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "first_observed": "2017-07-19T15:41:25Z", "last_observed": "2017-07-19T15:41:25Z", "number_observed": 1, "object_refs": [ "url--596f7da5-8ba4-4f72-ae5f-425402de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--596f7da5-8ba4-4f72-ae5f-425402de0b81", "value": "https://www.virustotal.com/file/b607e87acdcb2ef0f102298decc57ca3ea20fabbf02375fd30eddddffbeec320/analysis/1491852495/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--596f7da5-3f64-44a5-8f9f-435602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "description": "PACKED SAMPLES - Xchecked via VT: ac7bd77245bdf284d36ce1f9e2cb6a21d2dbd38aa1964dbaee4d06563f057ca6", "pattern": "[file:hashes.SHA1 = 'e79e302f43bfe18fe777e06d321a369a6fbebcb4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-19T15:41:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--596f7da5-8ad8-4107-8023-4dc102de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "description": "PACKED SAMPLES - Xchecked via VT: ac7bd77245bdf284d36ce1f9e2cb6a21d2dbd38aa1964dbaee4d06563f057ca6", "pattern": "[file:hashes.MD5 = 'c61f4b7fab51bb78a635518cd1dd6bb5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-19T15:41:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--596f7da5-a064-4660-a94e-4e4402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "first_observed": "2017-07-19T15:41:25Z", "last_observed": "2017-07-19T15:41:25Z", "number_observed": 1, "object_refs": [ "url--596f7da5-a064-4660-a94e-4e4402de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--596f7da5-a064-4660-a94e-4e4402de0b81", "value": "https://www.virustotal.com/file/ac7bd77245bdf284d36ce1f9e2cb6a21d2dbd38aa1964dbaee4d06563f057ca6/analysis/1498156633/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--596f7da5-7170-4554-bc97-4dd202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "description": "PACKED SAMPLES - Xchecked via VT: 61653b2811fb7c672584d00417cbc1a56c8372331f1913104f9807a775f25773", "pattern": "[file:hashes.SHA1 = '36fce94a8feb925becdb6708ed01e3b6fa1c32a4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-19T15:41:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--596f7da5-b960-43a9-866a-4f9e02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "description": "PACKED SAMPLES - Xchecked via VT: 61653b2811fb7c672584d00417cbc1a56c8372331f1913104f9807a775f25773", "pattern": "[file:hashes.MD5 = '8a8c90f2f65bdab3fc1ada60d0767d3f']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-19T15:41:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--596f7da5-05a4-4ad1-b112-454602de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "first_observed": "2017-07-19T15:41:25Z", "last_observed": "2017-07-19T15:41:25Z", "number_observed": 1, "object_refs": [ "url--596f7da5-05a4-4ad1-b112-454602de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--596f7da5-05a4-4ad1-b112-454602de0b81", "value": "https://www.virustotal.com/file/61653b2811fb7c672584d00417cbc1a56c8372331f1913104f9807a775f25773/analysis/1497280580/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--596f7da5-70fc-4bbf-8736-419f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "description": "PACKED SAMPLES - Xchecked via VT: 45c695e610d78178ec5ca6f4e1993afacf4e435b566cd2caf65408fb6080300f", "pattern": "[file:hashes.SHA1 = '6bb562395254d750e418357e59b57061e32022cb']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-19T15:41:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--596f7da5-67c0-4b36-bd23-4c2702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "description": "PACKED SAMPLES - Xchecked via VT: 45c695e610d78178ec5ca6f4e1993afacf4e435b566cd2caf65408fb6080300f", "pattern": "[file:hashes.MD5 = '0c814ae689b229063ee7f0045cd36bae']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-19T15:41:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--596f7da5-8df4-4fef-b6cb-4a0402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "first_observed": "2017-07-19T15:41:25Z", "last_observed": "2017-07-19T15:41:25Z", "number_observed": 1, "object_refs": [ "url--596f7da5-8df4-4fef-b6cb-4a0402de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--596f7da5-8df4-4fef-b6cb-4a0402de0b81", "value": "https://www.virustotal.com/file/45c695e610d78178ec5ca6f4e1993afacf4e435b566cd2caf65408fb6080300f/analysis/1493177175/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--596f7da5-9850-4e16-87be-434d02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "description": "PACKED SAMPLES - Xchecked via VT: 344ce133363f005346210611d5abd2513934a32739bc6e1bbd2257a298484051", "pattern": "[file:hashes.SHA1 = '8ac7418803efac76bf5d64cbad35332f0ddc8982']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-19T15:41:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--596f7da5-e298-4951-8ba0-408702de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "description": "PACKED SAMPLES - Xchecked via VT: 344ce133363f005346210611d5abd2513934a32739bc6e1bbd2257a298484051", "pattern": "[file:hashes.MD5 = '5480488e9f961e1cb1020fa48db5d038']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-19T15:41:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--596f7da5-3f20-423b-98c8-403302de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "first_observed": "2017-07-19T15:41:25Z", "last_observed": "2017-07-19T15:41:25Z", "number_observed": 1, "object_refs": [ "url--596f7da5-3f20-423b-98c8-403302de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--596f7da5-3f20-423b-98c8-403302de0b81", "value": "https://www.virustotal.com/file/344ce133363f005346210611d5abd2513934a32739bc6e1bbd2257a298484051/analysis/1492133502/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--596f7da5-34a4-40c4-92e6-421202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "description": "PACKED SAMPLES - Xchecked via VT: 21acd3457c1a589e117988fe0456e50ed627f051a97ccd11bfeeaf3c0cd79bfe", "pattern": "[file:hashes.SHA1 = 'ca460d04d93e535441bcc4ea3de313645eb7b817']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-19T15:41:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--596f7da5-6074-46b0-a001-401002de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "description": "PACKED SAMPLES - Xchecked via VT: 21acd3457c1a589e117988fe0456e50ed627f051a97ccd11bfeeaf3c0cd79bfe", "pattern": "[file:hashes.MD5 = 'bed8aca8dc2ea2e8fafa2f56db06ba69']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-07-19T15:41:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--596f7da5-0f84-4357-94cc-424a02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-07-19T15:41:25.000Z", "modified": "2017-07-19T15:41:25.000Z", "first_observed": "2017-07-19T15:41:25Z", "last_observed": "2017-07-19T15:41:25Z", "number_observed": 1, "object_refs": [ "url--596f7da5-0f84-4357-94cc-424a02de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--596f7da5-0f84-4357-94cc-424a02de0b81", "value": "https://www.virustotal.com/file/21acd3457c1a589e117988fe0456e50ed627f051a97ccd11bfeeaf3c0cd79bfe/analysis/1490674431/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }