{ "type": "bundle", "id": "bundle--5b191ead-fac0-4f21-aaef-b9700acd0835", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a", "created": "2018-06-07T12:17:43.000Z", "modified": "2018-06-07T12:17:43.000Z", "name": "Synovus Financial", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5b191ead-fac0-4f21-aaef-b9700acd0835", "created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a", "created": "2018-06-07T12:17:43.000Z", "modified": "2018-06-07T12:17:43.000Z", "name": "New Phishing Attacks Abuse Excel Internet Query Files", "published": "2018-06-07T12:18:02Z", "object_refs": [ "indicator--5b191ead-1204-434b-975c-b9700acd0835", "indicator--5b191ead-0c64-4e9e-8f04-b9700acd0835", "indicator--5b191ead-3238-4a16-8029-b9700acd0835", "indicator--5b191ead-500c-42f1-bea4-b9700acd0835", "indicator--5b191ead-c060-48f7-8455-b9700acd0835", "indicator--5b191ead-e354-4b19-ba79-b9700acd0835", "indicator--5b191ead-7e98-49b6-ae1c-b9700acd0835", "indicator--5b191ead-8dfc-4b2c-b6cc-b9700acd0835", "indicator--5b191ead-90d0-429b-b96c-b9700acd0835", "indicator--5b191ead-ca94-45d9-8517-b9700acd0835", "indicator--5b191ead-1230-4020-809a-b9700acd0835", "indicator--5b191ead-dfe4-4d54-8427-b9700acd0835", "observed-data--5b191fd4-8598-4cf5-a279-b9700acd0835", "url--5b191fd4-8598-4cf5-a279-b9700acd0835" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "veris:action:social:variety=\"Phishing\"", "osint:source-type=\"blog-post\"", "misp-galaxy:tool=\"Necurs\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b191ead-1204-434b-975c-b9700acd0835", "created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a", "created": "2018-06-07T12:17:43.000Z", "modified": "2018-06-07T12:17:43.000Z", "pattern": "[file:hashes.MD5 = '08bb85f5bff52d2605ddd8a19a5465fd']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-06-07T12:17:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b191ead-0c64-4e9e-8f04-b9700acd0835", "created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a", "created": "2018-06-07T12:17:43.000Z", "modified": "2018-06-07T12:17:43.000Z", "description": "clodflarechk", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '85.119.150.29']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-06-07T12:17:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b191ead-3238-4a16-8029-b9700acd0835", "created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a", "created": "2018-06-07T12:17:43.000Z", "modified": "2018-06-07T12:17:43.000Z", "description": "DomainTools Risk Score 100", "pattern": "[domain-name:value = 'clodflarechk.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-06-07T12:17:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b191ead-500c-42f1-bea4-b9700acd0835", "created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a", "created": "2018-06-07T12:17:43.000Z", "modified": "2018-06-07T12:17:43.000Z", "pattern": "[file:hashes.MD5 = '418aa2d43b1e4a841d4769463b12fa3b']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-06-07T12:17:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"", "ms-caro-malware-full:malware-type=\"Trojan\"", "misp-galaxy:tool=\"Necurs\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b191ead-c060-48f7-8455-b9700acd0835", "created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a", "created": "2018-06-07T12:17:43.000Z", "modified": "2018-06-07T12:17:43.000Z", "pattern": "[file:hashes.MD5 = 'd2a63814440f8d054d78b03b48f7a3df']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-06-07T12:17:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"", "veris:action:malware:variety=\"Downloader\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b191ead-e354-4b19-ba79-b9700acd0835", "created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a", "created": "2018-06-07T12:17:43.000Z", "modified": "2018-06-07T12:17:43.000Z", "pattern": "[file:hashes.MD5 = '3a86ffce06d029730ad89cb233079d64']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-06-07T12:17:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b191ead-7e98-49b6-ae1c-b9700acd0835", "created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a", "created": "2018-06-07T12:17:43.000Z", "modified": "2018-06-07T12:17:43.000Z", "description": "Once the victim double-clicks the attachment, it downloads a file named \"2.dat\" from clodflarechk[.]com. 2.dat is a Powershell script that downloads a file named \"1.dat\" from the same network resource.\n\n1.dat is another script file that downloads a file named \"data.xls\" from the same network resource. Although the extension is \".xls,\" it is not an Excel file but rather an executable file that functions as a malware downloader.\n\nOnce executed on the system, data.xls downloads a file named \"cloud.png\" from the same network resource. Cloud.png is not a graphic file as the extension suggests, but rather it is the main malware installed on the system. The main malware functions as a remote access Trojan (RAT) that gives attackers control of the compromised system.", "pattern": "[url:value = 'http://clodflarechk.com/1.dat']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-06-07T12:17:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b191ead-8dfc-4b2c-b6cc-b9700acd0835", "created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a", "created": "2018-06-07T12:17:43.000Z", "modified": "2018-06-07T12:17:43.000Z", "description": "Once the victim double-clicks the attachment, it downloads a file named \"2.dat\" from clodflarechk[.]com. 2.dat is a Powershell script that downloads a file named \"1.dat\" from the same network resource.\n\n1.dat is another script file that downloads a file named \"data.xls\" from the same network resource. Although the extension is \".xls,\" it is not an Excel file but rather an executable file that functions as a malware downloader.\n\nOnce executed on the system, data.xls downloads a file named \"cloud.png\" from the same network resource. Cloud.png is not a graphic file as the extension suggests, but rather it is the main malware installed on the system. The main malware functions as a remote access Trojan (RAT) that gives attackers control of the compromised system.", "pattern": "[url:value = 'http://clodflarechk.com/cloud.png']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-06-07T12:17:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b191ead-90d0-429b-b96c-b9700acd0835", "created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a", "created": "2018-06-07T12:17:43.000Z", "modified": "2018-06-07T12:17:43.000Z", "description": "Once the victim double-clicks the attachment, it downloads a file named \"2.dat\" from clodflarechk[.]com. 2.dat is a Powershell script that downloads a file named \"1.dat\" from the same network resource.\n\n1.dat is another script file that downloads a file named \"data.xls\" from the same network resource. Although the extension is \".xls,\" it is not an Excel file but rather an executable file that functions as a malware downloader.\n\nOnce executed on the system, data.xls downloads a file named \"cloud.png\" from the same network resource. Cloud.png is not a graphic file as the extension suggests, but rather it is the main malware installed on the system. The main malware functions as a remote access Trojan (RAT) that gives attackers control of the compromised system.", "pattern": "[url:value = 'http://clodflarechk.com/2.dat']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-06-07T12:17:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b191ead-ca94-45d9-8517-b9700acd0835", "created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a", "created": "2018-06-07T12:17:43.000Z", "modified": "2018-06-07T12:17:43.000Z", "description": "Once the victim double-clicks the attachment, it downloads a file named \"2.dat\" from clodflarechk[.]com. 2.dat is a Powershell script that downloads a file named \"1.dat\" from the same network resource.\n\n1.dat is another script file that downloads a file named \"data.xls\" from the same network resource. Although the extension is \".xls,\" it is not an Excel file but rather an executable file that functions as a malware downloader.\n\nOnce executed on the system, data.xls downloads a file named \"cloud.png\" from the same network resource. Cloud.png is not a graphic file as the extension suggests, but rather it is the main malware installed on the system. The main malware functions as a remote access Trojan (RAT) that gives attackers control of the compromised system.", "pattern": "[url:value = 'http://clodflarechk.com/data.xls']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-06-07T12:17:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b191ead-1230-4020-809a-b9700acd0835", "created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a", "created": "2018-06-07T12:17:43.000Z", "modified": "2018-06-07T12:17:43.000Z", "description": "clodflarechk", "pattern": "[network-traffic:src_ref.type = 'ipv4-addr' AND network-traffic:src_ref.value = '103.208.86.69']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-06-07T12:17:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-src\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b191ead-dfe4-4d54-8427-b9700acd0835", "created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a", "created": "2018-06-07T12:17:43.000Z", "modified": "2018-06-07T12:17:43.000Z", "pattern": "[file:hashes.MD5 = '172bc98dbe0f6c4ac59857c071cd8673']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-06-07T12:17:43Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"", "ms-caro-malware-full:malware-type=\"Trojan\"", "misp-galaxy:tool=\"Necurs\"" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5b191fd4-8598-4cf5-a279-b9700acd0835", "created_by_ref": "identity--5a68c02d-959c-4c8a-a571-0dcac0a8060a", "created": "2018-06-07T12:17:43.000Z", "modified": "2018-06-07T12:17:43.000Z", "first_observed": "2018-06-07T12:17:43Z", "last_observed": "2018-06-07T12:17:43Z", "number_observed": 1, "object_refs": [ "url--5b191fd4-8598-4cf5-a279-b9700acd0835" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5b191fd4-8598-4cf5-a279-b9700acd0835", "value": "https://myonlinesecurity.co.uk/necurs-delivering-flawed-ammy-rat-via-iqy-excel-web-query-files/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }