769 lines
No EOL
33 KiB
JSON
769 lines
No EOL
33 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--57dff9a6-b4b0-4e79-9271-4a10950d210f",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-09-19T14:48:50.000Z",
|
|
"modified": "2016-09-19T14:48:50.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--57dff9a6-b4b0-4e79-9271-4a10950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-09-19T14:48:50.000Z",
|
|
"modified": "2016-09-19T14:48:50.000Z",
|
|
"name": "OSINT - Malicious Macros Add Sandbox Evasion Techniques to Distribute New Dridex",
|
|
"published": "2016-09-19T14:49:42Z",
|
|
"object_refs": [
|
|
"observed-data--57dff9f5-8e50-47cc-a804-4513950d210f",
|
|
"url--57dff9f5-8e50-47cc-a804-4513950d210f",
|
|
"x-misp-attribute--57dffa06-a2e0-4cf0-a86e-4f4e950d210f",
|
|
"indicator--57dffa2d-edc8-443d-8ca8-4bdd950d210f",
|
|
"indicator--57dffa2e-0ca0-4410-bbdd-448c950d210f",
|
|
"indicator--57dffa2f-b5e8-41b5-a6ff-41d9950d210f",
|
|
"indicator--57dffa87-f8a8-452f-babe-4de0950d210f",
|
|
"indicator--57dffa88-2170-436e-938e-484a950d210f",
|
|
"indicator--57dffa88-7840-4208-8208-476b950d210f",
|
|
"indicator--57dffaaf-ff20-46d6-bb8f-49a8950d210f",
|
|
"indicator--57dffab0-c890-4dbb-9467-4351950d210f",
|
|
"indicator--57dffab0-39b8-4880-bcc9-472c950d210f",
|
|
"indicator--57dffad3-d5a8-4a68-880e-4a5d02de0b81",
|
|
"indicator--57dffad3-efe4-4839-a28d-4b6b02de0b81",
|
|
"observed-data--57dffad4-d364-4f79-b4e9-453602de0b81",
|
|
"url--57dffad4-d364-4f79-b4e9-453602de0b81",
|
|
"indicator--57dffad5-63a4-45ab-a6e0-4af502de0b81",
|
|
"indicator--57dffad5-2378-4608-b880-457b02de0b81",
|
|
"observed-data--57dffad6-a830-41f2-adb9-480302de0b81",
|
|
"url--57dffad6-a830-41f2-adb9-480302de0b81",
|
|
"indicator--57dffad7-5278-4962-91b7-43a002de0b81",
|
|
"indicator--57dffad7-ddb8-4af6-846a-457f02de0b81",
|
|
"observed-data--57dffad8-dae4-4425-bf3b-410202de0b81",
|
|
"url--57dffad8-dae4-4425-bf3b-410202de0b81",
|
|
"indicator--57dffad9-de4c-44b7-a374-405102de0b81",
|
|
"indicator--57dffad9-6b2c-43de-883a-4dbe02de0b81",
|
|
"observed-data--57dffada-9154-4c95-b067-43ea02de0b81",
|
|
"url--57dffada-9154-4c95-b067-43ea02de0b81",
|
|
"indicator--57dffadb-7b64-4794-89dc-452502de0b81",
|
|
"indicator--57dffadb-5cf0-490d-8b2b-4b6402de0b81",
|
|
"observed-data--57dffadc-f574-41e3-8413-489f02de0b81",
|
|
"url--57dffadc-f574-41e3-8413-489f02de0b81",
|
|
"indicator--57dffadd-6bf0-4f60-957a-422102de0b81",
|
|
"indicator--57dffadd-5800-46d8-a22a-472c02de0b81",
|
|
"observed-data--57dffade-be88-4afb-a678-46f702de0b81",
|
|
"url--57dffade-be88-4afb-a678-46f702de0b81"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"type:OSINT"
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57dff9f5-8e50-47cc-a804-4513950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-09-19T14:45:09.000Z",
|
|
"modified": "2016-09-19T14:45:09.000Z",
|
|
"first_observed": "2016-09-19T14:45:09Z",
|
|
"last_observed": "2016-09-19T14:45:09Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57dff9f5-8e50-47cc-a804-4513950d210f"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57dff9f5-8e50-47cc-a804-4513950d210f",
|
|
"value": "https://www.proofpoint.com/us/threat-insight/post/malicious-macros-add-to-sandbox-evasion-techniques-to-distribute-new-dridex"
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--57dffa06-a2e0-4cf0-a86e-4f4e950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-09-19T14:45:26.000Z",
|
|
"modified": "2016-09-19T14:45:26.000Z",
|
|
"labels": [
|
|
"misp:type=\"comment\"",
|
|
"misp:category=\"External analysis\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "comment",
|
|
"x_misp_value": "This week Proofpoint researchers observed several noteworthy changes in the macros used by an actor we refer to as TA530, who we previously examined in relation to large-scale personalized phishing campaigns [1] [2]. This new campaign included evasive macros, which, while not unusual for this group (earlier versions were analyzed by Mcafee [3] and Checkpoint [4]), demonstrated continued evolution in their latest iteration. Most notably their new macro looks up the public IP address of the client and does not download the payload if it finds that the IP address is associated with a security vendor, certain cloud services, or a sandbox environment.\r\n\r\nThis week, we observed TA530 using their evasive macros to deliver Nymaim, Ursnif, and Dridex 124. The Dridex payload with botnet ID 124 is a previously unseen sub-botnet which is targeting Swiss banking sites, while the Nymaim and Ursnif payloads targeted North America and Australia, respectively."
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57dffa2d-edc8-443d-8ca8-4bdd950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-09-19T14:46:05.000Z",
|
|
"modified": "2016-09-19T14:46:05.000Z",
|
|
"description": "Nymaim Document",
|
|
"pattern": "[file:hashes.SHA256 = 'a8ae681463b75470be8dc911f0cf7ca01a2eaea87005564263a5bbe38d652369']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-09-19T14:46:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57dffa2e-0ca0-4410-bbdd-448c950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-09-19T14:46:06.000Z",
|
|
"modified": "2016-09-19T14:46:06.000Z",
|
|
"description": "Ursnif Document",
|
|
"pattern": "[file:hashes.SHA256 = 'f73fcbf4cf9a775d4d4abf53c13a0136a120d5a7e015942a7a43f686f266bf70']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-09-19T14:46:06Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57dffa2f-b5e8-41b5-a6ff-41d9950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-09-19T14:46:07.000Z",
|
|
"modified": "2016-09-19T14:46:07.000Z",
|
|
"description": "Dridex Document",
|
|
"pattern": "[file:hashes.SHA256 = '72acb7dd6bea232c623367a4d3417d0ee7d412d3df5a0287d621716f5a69ab06']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-09-19T14:46:07Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57dffa87-f8a8-452f-babe-4de0950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-09-19T14:47:35.000Z",
|
|
"modified": "2016-09-19T14:47:35.000Z",
|
|
"description": "Example Ursnif Download",
|
|
"pattern": "[url:value = 'http://britcart.com/britstar/office12.data']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-09-19T14:47:35Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57dffa88-2170-436e-938e-484a950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-09-19T14:47:36.000Z",
|
|
"modified": "2016-09-19T14:47:36.000Z",
|
|
"description": "Example Nymaim Download",
|
|
"pattern": "[url:value = 'http://arabtradenet.com/info/content.dat']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-09-19T14:47:36Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57dffa88-7840-4208-8208-476b950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-09-19T14:47:36.000Z",
|
|
"modified": "2016-09-19T14:47:36.000Z",
|
|
"description": "Example Dridex Download",
|
|
"pattern": "[url:value = 'http://onehealthpublishing.com/image/office.gif']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-09-19T14:47:36Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57dffaaf-ff20-46d6-bb8f-49a8950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-09-19T14:48:15.000Z",
|
|
"modified": "2016-09-19T14:48:15.000Z",
|
|
"description": "Example Nymaim Payload",
|
|
"pattern": "[file:hashes.SHA256 = 'f34589058db1a8cdb31c79eec88bd851cf3e2157501760f1c0263523d614d8f9']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-09-19T14:48:15Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57dffab0-c890-4dbb-9467-4351950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-09-19T14:48:16.000Z",
|
|
"modified": "2016-09-19T14:48:16.000Z",
|
|
"description": "Example Ursnif Payload",
|
|
"pattern": "[file:hashes.SHA256 = '6b588ff17412c4a8221521ab70d7d0230c339ed4c5c96c181e4010ba0007e879']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-09-19T14:48:16Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57dffab0-39b8-4880-bcc9-472c950d210f",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-09-19T14:48:16.000Z",
|
|
"modified": "2016-09-19T14:48:16.000Z",
|
|
"description": "Example Dridex Payload",
|
|
"pattern": "[file:hashes.SHA256 = '97b1e8282d1ec8f82a83eb3d8a991f494e332e4059b1c9f0d53beda257e21629']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-09-19T14:48:16Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57dffad3-d5a8-4a68-880e-4a5d02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-09-19T14:48:51.000Z",
|
|
"modified": "2016-09-19T14:48:51.000Z",
|
|
"description": "Example Dridex Payload - Xchecked via VT: 97b1e8282d1ec8f82a83eb3d8a991f494e332e4059b1c9f0d53beda257e21629",
|
|
"pattern": "[file:hashes.SHA1 = '50d2d8cceb257b074e37265da537cf493c805210']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-09-19T14:48:51Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57dffad3-efe4-4839-a28d-4b6b02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-09-19T14:48:51.000Z",
|
|
"modified": "2016-09-19T14:48:51.000Z",
|
|
"description": "Example Dridex Payload - Xchecked via VT: 97b1e8282d1ec8f82a83eb3d8a991f494e332e4059b1c9f0d53beda257e21629",
|
|
"pattern": "[file:hashes.MD5 = '59b569b8875fd3847ae0308af85e3440']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-09-19T14:48:51Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57dffad4-d364-4f79-b4e9-453602de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-09-19T14:48:52.000Z",
|
|
"modified": "2016-09-19T14:48:52.000Z",
|
|
"first_observed": "2016-09-19T14:48:52Z",
|
|
"last_observed": "2016-09-19T14:48:52Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57dffad4-d364-4f79-b4e9-453602de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57dffad4-d364-4f79-b4e9-453602de0b81",
|
|
"value": "https://www.virustotal.com/file/97b1e8282d1ec8f82a83eb3d8a991f494e332e4059b1c9f0d53beda257e21629/analysis/1465971238/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57dffad5-63a4-45ab-a6e0-4af502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-09-19T14:48:53.000Z",
|
|
"modified": "2016-09-19T14:48:53.000Z",
|
|
"description": "Example Ursnif Payload - Xchecked via VT: 6b588ff17412c4a8221521ab70d7d0230c339ed4c5c96c181e4010ba0007e879",
|
|
"pattern": "[file:hashes.SHA1 = '61996a309d84daf441cd7a3e71ed45c8fe210824']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-09-19T14:48:53Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57dffad5-2378-4608-b880-457b02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-09-19T14:48:53.000Z",
|
|
"modified": "2016-09-19T14:48:53.000Z",
|
|
"description": "Example Ursnif Payload - Xchecked via VT: 6b588ff17412c4a8221521ab70d7d0230c339ed4c5c96c181e4010ba0007e879",
|
|
"pattern": "[file:hashes.MD5 = '86a50ac34b6e18b5bec0a24a1b4f12d3']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-09-19T14:48:53Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57dffad6-a830-41f2-adb9-480302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-09-19T14:48:54.000Z",
|
|
"modified": "2016-09-19T14:48:54.000Z",
|
|
"first_observed": "2016-09-19T14:48:54Z",
|
|
"last_observed": "2016-09-19T14:48:54Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57dffad6-a830-41f2-adb9-480302de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57dffad6-a830-41f2-adb9-480302de0b81",
|
|
"value": "https://www.virustotal.com/file/6b588ff17412c4a8221521ab70d7d0230c339ed4c5c96c181e4010ba0007e879/analysis/1473668183/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57dffad7-5278-4962-91b7-43a002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-09-19T14:48:55.000Z",
|
|
"modified": "2016-09-19T14:48:55.000Z",
|
|
"description": "Example Nymaim Payload - Xchecked via VT: f34589058db1a8cdb31c79eec88bd851cf3e2157501760f1c0263523d614d8f9",
|
|
"pattern": "[file:hashes.SHA1 = 'c28bec7ce1d0bcfd1a007cefe086571d5d49b975']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-09-19T14:48:55Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57dffad7-ddb8-4af6-846a-457f02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-09-19T14:48:55.000Z",
|
|
"modified": "2016-09-19T14:48:55.000Z",
|
|
"description": "Example Nymaim Payload - Xchecked via VT: f34589058db1a8cdb31c79eec88bd851cf3e2157501760f1c0263523d614d8f9",
|
|
"pattern": "[file:hashes.MD5 = '12abc10d3c37841f4f4f7e193b045f6b']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-09-19T14:48:55Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57dffad8-dae4-4425-bf3b-410202de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-09-19T14:48:56.000Z",
|
|
"modified": "2016-09-19T14:48:56.000Z",
|
|
"first_observed": "2016-09-19T14:48:56Z",
|
|
"last_observed": "2016-09-19T14:48:56Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57dffad8-dae4-4425-bf3b-410202de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57dffad8-dae4-4425-bf3b-410202de0b81",
|
|
"value": "https://www.virustotal.com/file/f34589058db1a8cdb31c79eec88bd851cf3e2157501760f1c0263523d614d8f9/analysis/1465970739/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57dffad9-de4c-44b7-a374-405102de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-09-19T14:48:57.000Z",
|
|
"modified": "2016-09-19T14:48:57.000Z",
|
|
"description": "Dridex Document - Xchecked via VT: 72acb7dd6bea232c623367a4d3417d0ee7d412d3df5a0287d621716f5a69ab06",
|
|
"pattern": "[file:hashes.SHA1 = '27c3ff564efbf5db343feba688236c180846b61b']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-09-19T14:48:57Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57dffad9-6b2c-43de-883a-4dbe02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-09-19T14:48:57.000Z",
|
|
"modified": "2016-09-19T14:48:57.000Z",
|
|
"description": "Dridex Document - Xchecked via VT: 72acb7dd6bea232c623367a4d3417d0ee7d412d3df5a0287d621716f5a69ab06",
|
|
"pattern": "[file:hashes.MD5 = '64d133b98ab00c9f5409e4ab29a70250']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-09-19T14:48:57Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57dffada-9154-4c95-b067-43ea02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-09-19T14:48:58.000Z",
|
|
"modified": "2016-09-19T14:48:58.000Z",
|
|
"first_observed": "2016-09-19T14:48:58Z",
|
|
"last_observed": "2016-09-19T14:48:58Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57dffada-9154-4c95-b067-43ea02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57dffada-9154-4c95-b067-43ea02de0b81",
|
|
"value": "https://www.virustotal.com/file/72acb7dd6bea232c623367a4d3417d0ee7d412d3df5a0287d621716f5a69ab06/analysis/1466780189/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57dffadb-7b64-4794-89dc-452502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-09-19T14:48:59.000Z",
|
|
"modified": "2016-09-19T14:48:59.000Z",
|
|
"description": "Ursnif Document - Xchecked via VT: f73fcbf4cf9a775d4d4abf53c13a0136a120d5a7e015942a7a43f686f266bf70",
|
|
"pattern": "[file:hashes.SHA1 = 'cfb624f1b220b96e51214a58a29e596334cf975d']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-09-19T14:48:59Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57dffadb-5cf0-490d-8b2b-4b6402de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-09-19T14:48:59.000Z",
|
|
"modified": "2016-09-19T14:48:59.000Z",
|
|
"description": "Ursnif Document - Xchecked via VT: f73fcbf4cf9a775d4d4abf53c13a0136a120d5a7e015942a7a43f686f266bf70",
|
|
"pattern": "[file:hashes.MD5 = '89968ce9689ffcf42cd5e8b1702ad6a3']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-09-19T14:48:59Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57dffadc-f574-41e3-8413-489f02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-09-19T14:49:00.000Z",
|
|
"modified": "2016-09-19T14:49:00.000Z",
|
|
"first_observed": "2016-09-19T14:49:00Z",
|
|
"last_observed": "2016-09-19T14:49:00Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57dffadc-f574-41e3-8413-489f02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57dffadc-f574-41e3-8413-489f02de0b81",
|
|
"value": "https://www.virustotal.com/file/f73fcbf4cf9a775d4d4abf53c13a0136a120d5a7e015942a7a43f686f266bf70/analysis/1465721182/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57dffadd-6bf0-4f60-957a-422102de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-09-19T14:49:01.000Z",
|
|
"modified": "2016-09-19T14:49:01.000Z",
|
|
"description": "Nymaim Document - Xchecked via VT: a8ae681463b75470be8dc911f0cf7ca01a2eaea87005564263a5bbe38d652369",
|
|
"pattern": "[file:hashes.SHA1 = 'f5249c827757e4ef4bc107e7ca0e8e5b3e361bdc']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-09-19T14:49:01Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--57dffadd-5800-46d8-a22a-472c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-09-19T14:49:01.000Z",
|
|
"modified": "2016-09-19T14:49:01.000Z",
|
|
"description": "Nymaim Document - Xchecked via VT: a8ae681463b75470be8dc911f0cf7ca01a2eaea87005564263a5bbe38d652369",
|
|
"pattern": "[file:hashes.MD5 = 'ad9c255868ab55652555e47d8985ea2f']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2016-09-19T14:49:01Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--57dffade-be88-4afb-a678-46f702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2016-09-19T14:49:02.000Z",
|
|
"modified": "2016-09-19T14:49:02.000Z",
|
|
"first_observed": "2016-09-19T14:49:02Z",
|
|
"last_observed": "2016-09-19T14:49:02Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--57dffade-be88-4afb-a678-46f702de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--57dffade-be88-4afb-a678-46f702de0b81",
|
|
"value": "https://www.virustotal.com/file/a8ae681463b75470be8dc911f0cf7ca01a2eaea87005564263a5bbe38d652369/analysis/1465720444/"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |