misp-circl-feed/feeds/circl/stix-2.1/58975d16-ec0c-4d21-88bd-41eb02de0b81.json

1159 lines
No EOL
50 KiB
JSON

{
"type": "bundle",
"id": "bundle--58975d16-ec0c-4d21-88bd-41eb02de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:23:47.000Z",
"modified": "2017-02-05T17:23:47.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--58975d16-ec0c-4d21-88bd-41eb02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:23:47.000Z",
"modified": "2017-02-05T17:23:47.000Z",
"name": "OSINT - From RTF to Cobalt Strike passing via Flash",
"published": "2017-02-05T17:25:04Z",
"object_refs": [
"observed-data--58975d3c-caf0-4a77-9002-4b8002de0b81",
"url--58975d3c-caf0-4a77-9002-4b8002de0b81",
"x-misp-attribute--58975d51-c544-4264-afff-04a402de0b81",
"indicator--58975d66-bef0-44f2-9073-444502de0b81",
"indicator--58975da5-2764-4039-8d46-408302de0b81",
"indicator--58975dc4-52e4-489b-bf43-409202de0b81",
"indicator--58975dc5-8268-450b-850d-461c02de0b81",
"indicator--58975ddc-d404-4a6f-8e95-4b6c02de0b81",
"indicator--58975e36-6cb0-4f7d-ad7a-4a0b02de0b81",
"indicator--58975e36-b704-437c-9c38-4ca302de0b81",
"indicator--58975e37-51e8-49c6-a2b1-403302de0b81",
"indicator--58975e38-9bd0-4bf4-9a87-415b02de0b81",
"indicator--58975e39-5fa4-4cfd-abff-4c0702de0b81",
"indicator--58975e3a-5940-400e-9815-43e202de0b81",
"indicator--58975e3a-06c4-451d-b8db-475e02de0b81",
"indicator--58975fa3-9c0c-437f-997b-402902de0b81",
"indicator--58975fa4-1374-4b9b-baee-459f02de0b81",
"observed-data--58975fa5-87dc-4cce-a592-48bf02de0b81",
"url--58975fa5-87dc-4cce-a592-48bf02de0b81",
"indicator--58975fa6-5168-4935-9c13-4ea002de0b81",
"indicator--58975fa6-b790-4925-b617-423002de0b81",
"observed-data--58975fa7-004c-4268-a8d3-41de02de0b81",
"url--58975fa7-004c-4268-a8d3-41de02de0b81",
"indicator--58975fa8-f164-4057-a063-413f02de0b81",
"indicator--58975fa8-2e30-4a60-b6b8-411102de0b81",
"observed-data--58975fa9-aea4-4c97-9fa7-481702de0b81",
"url--58975fa9-aea4-4c97-9fa7-481702de0b81",
"indicator--58975faa-65d0-4034-bbee-440c02de0b81",
"indicator--58975fab-0564-4123-879b-491902de0b81",
"observed-data--58975fab-1eb0-49aa-88b8-46f802de0b81",
"url--58975fab-1eb0-49aa-88b8-46f802de0b81",
"indicator--58975fac-a404-4333-be15-410102de0b81",
"indicator--58975fad-d3d4-4eac-aaab-4c0602de0b81",
"observed-data--58975fad-3aa8-4fd0-af23-4cb502de0b81",
"url--58975fad-3aa8-4fd0-af23-4cb502de0b81",
"indicator--58975fae-d838-4f3e-871c-4e8602de0b81",
"indicator--58975faf-f7cc-470f-82fd-42dc02de0b81",
"observed-data--58975fb0-40e8-4db7-88e6-45d302de0b81",
"url--58975fb0-40e8-4db7-88e6-45d302de0b81",
"indicator--58975fb1-fb64-4fb9-a961-4ef202de0b81",
"indicator--58975fb1-7c74-45ff-a4b8-4f6d02de0b81",
"observed-data--58975fb2-e3f4-4538-93cf-41e402de0b81",
"url--58975fb2-e3f4-4538-93cf-41e402de0b81",
"indicator--58975fb3-05dc-4249-a5d7-44b802de0b81",
"indicator--58975fb4-8fac-4a73-b782-495502de0b81",
"observed-data--58975fb5-2fb4-47cc-bc58-45c802de0b81",
"url--58975fb5-2fb4-47cc-bc58-45c802de0b81",
"indicator--58975fb5-da7c-413a-bf5b-4c9c02de0b81",
"indicator--58975fb6-508c-4404-b75b-463d02de0b81",
"observed-data--58975fb7-7838-40f2-a5e6-457002de0b81",
"url--58975fb7-7838-40f2-a5e6-457002de0b81",
"indicator--58975fb8-adc4-4972-a42a-4de302de0b81",
"indicator--58975fb8-2444-468b-916a-4e7702de0b81",
"observed-data--58975fb9-63ac-4da5-a0b2-4fc702de0b81",
"url--58975fb9-63ac-4da5-a0b2-4fc702de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58975d3c-caf0-4a77-9002-4b8002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:16:55.000Z",
"modified": "2017-02-05T17:16:55.000Z",
"first_observed": "2017-02-05T17:16:55Z",
"last_observed": "2017-02-05T17:16:55Z",
"number_observed": 1,
"object_refs": [
"url--58975d3c-caf0-4a77-9002-4b8002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\"",
"admiralty-scale:source-reliability=\"f\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58975d3c-caf0-4a77-9002-4b8002de0b81",
"value": "https://zairon.wordpress.com/2017/02/05/from-rtf-to-cobalt-strike-passing-via-flash/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--58975d51-c544-4264-afff-04a402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:13:53.000Z",
"modified": "2017-02-05T17:13:53.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Quick Sunday morning blog post, analysis of an unknown rtf file. This article is a result of an initial investigation, no attribution is done but you\u00e2\u20ac\u2122ll have all the necessary info for a deeper investigation.\r\nThe malicious document has SHA256: 5D9E1F4DAB6929BC699BA7E5C4FD09F2BBFD6B59D04CEFD8F4BF06710E684A5E.\r\n\r\nAfter a first glance I thought to know what\u00e2\u20ac\u2122s behind the rft, but running a specific script I got disappointed by the result. For a quick response, a submission to a sandbox could be the best option you have, but you\u00e2\u20ac\u2122ll miss all the fun! I decided to manually check using an hex editor because it\u00e2\u20ac\u2122s incredible how you can extract objects in a fast way."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58975d66-bef0-44f2-9073-444502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:22:31.000Z",
"modified": "2017-02-05T17:22:31.000Z",
"description": "malicious document - RTF file",
"pattern": "[file:hashes.SHA256 = '5d9e1f4dab6929bc699ba7e5c4fd09f2bbfd6b59d04cefd8f4bf06710e684a5e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-05T17:22:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"veris:action:social:vector=\"Documents\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58975da5-2764-4039-8d46-408302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:22:32.000Z",
"modified": "2017-02-05T17:22:32.000Z",
"description": "Extracted payload from RTF",
"pattern": "[file:hashes.SHA256 = '4c72df74a1e8039c94b188f1c5c59f30ddcc7107647689e4d908e55d04ff8b52']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-05T17:22:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"veris:action:social:vector=\"Documents\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58975dc4-52e4-489b-bf43-409202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:23:23.000Z",
"modified": "2017-02-05T17:23:23.000Z",
"description": "Cobalt Strike artifact url",
"pattern": "[url:value = 'https://193.238.152.198/OeeC']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-05T17:23:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-type=\"unknown\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58975dc5-8268-450b-850d-461c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:15:49.000Z",
"modified": "2017-02-05T17:15:49.000Z",
"description": "Cobalt Strike",
"pattern": "[file:hashes.SHA256 = '2fa6ec644b0a05c0cbe7ebaf4cc4905281e65764e91ed299d5cb3f54ab4943bf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-05T17:15:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58975ddc-d404-4a6f-8e95-4b6c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:16:35.000Z",
"modified": "2017-02-05T17:16:35.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '193.238.152.198']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-05T17:16:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\"",
"adversary:infrastructure-state=\"active\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58975e36-6cb0-4f7d-ad7a-4a0b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:22:32.000Z",
"modified": "2017-02-05T17:22:32.000Z",
"description": "Possible related rtf file",
"pattern": "[file:hashes.SHA256 = '7a63fc5253deb672036e018750fd40dc3e8502f3b07ef225e7e6bc1144d1d7ee']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-05T17:22:32Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"veris:action:social:vector=\"Documents\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58975e36-b704-437c-9c38-4ca302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:22:33.000Z",
"modified": "2017-02-05T17:22:33.000Z",
"description": "Possible related rtf file",
"pattern": "[file:hashes.SHA256 = '08c9bd7b7b8361c5d217570019ff012773407337c9083910f2ae3a09b5401345']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-05T17:22:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"veris:action:social:vector=\"Documents\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58975e37-51e8-49c6-a2b1-403302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:22:34.000Z",
"modified": "2017-02-05T17:22:34.000Z",
"description": "Possible related rtf file",
"pattern": "[file:hashes.SHA256 = '8e27a641684da744a0882d3664cf84d5a88b8e82ac0070d3602af0b7c103eeeb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-05T17:22:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"veris:action:social:vector=\"Documents\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58975e38-9bd0-4bf4-9a87-415b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:22:35.000Z",
"modified": "2017-02-05T17:22:35.000Z",
"description": "Possible related rtf file",
"pattern": "[file:hashes.SHA256 = '9c7208c5c0d431738c8682cf6a2bd81df66977cbabffa0570f9d70518bece912']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-05T17:22:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"veris:action:social:vector=\"Documents\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58975e39-5fa4-4cfd-abff-4c0702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:22:35.000Z",
"modified": "2017-02-05T17:22:35.000Z",
"description": "Possible related rtf file",
"pattern": "[file:hashes.SHA256 = '21dda5c82e5aa5c8545b96dc2d6d63e6786fea73453f5acaa571fd5c0466363d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-05T17:22:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"veris:action:social:vector=\"Documents\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58975e3a-5940-400e-9815-43e202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:22:36.000Z",
"modified": "2017-02-05T17:22:36.000Z",
"description": "Possible related rtf file",
"pattern": "[file:hashes.SHA256 = 'af178ff11088ff59640f74191785adf134aee296652080f397cf282db36fad46']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-05T17:22:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"veris:action:social:vector=\"Documents\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58975e3a-06c4-451d-b8db-475e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:22:37.000Z",
"modified": "2017-02-05T17:22:37.000Z",
"description": "Possible related rtf file",
"pattern": "[file:hashes.SHA256 = 'cb743f5057c77069a10ecd9e6b4fd48be096b1502e9fb3548e8a742e284eeae2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-05T17:22:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\"",
"veris:action:social:vector=\"Documents\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58975fa3-9c0c-437f-997b-402902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:23:47.000Z",
"modified": "2017-02-05T17:23:47.000Z",
"description": "Possible related rtf file - Xchecked via VT: cb743f5057c77069a10ecd9e6b4fd48be096b1502e9fb3548e8a742e284eeae2",
"pattern": "[file:hashes.SHA1 = '862b1f9115c757e27d8c68f4a50341dbab1b15b1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-05T17:23:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58975fa4-1374-4b9b-baee-459f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:23:48.000Z",
"modified": "2017-02-05T17:23:48.000Z",
"description": "Possible related rtf file - Xchecked via VT: cb743f5057c77069a10ecd9e6b4fd48be096b1502e9fb3548e8a742e284eeae2",
"pattern": "[file:hashes.MD5 = '6fdcb2847df6939f1e73c68d5cbd573f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-05T17:23:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58975fa5-87dc-4cce-a592-48bf02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:23:49.000Z",
"modified": "2017-02-05T17:23:49.000Z",
"first_observed": "2017-02-05T17:23:49Z",
"last_observed": "2017-02-05T17:23:49Z",
"number_observed": 1,
"object_refs": [
"url--58975fa5-87dc-4cce-a592-48bf02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58975fa5-87dc-4cce-a592-48bf02de0b81",
"value": "https://www.virustotal.com/file/cb743f5057c77069a10ecd9e6b4fd48be096b1502e9fb3548e8a742e284eeae2/analysis/1486307052/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58975fa6-5168-4935-9c13-4ea002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:23:50.000Z",
"modified": "2017-02-05T17:23:50.000Z",
"description": "Possible related rtf file - Xchecked via VT: af178ff11088ff59640f74191785adf134aee296652080f397cf282db36fad46",
"pattern": "[file:hashes.SHA1 = 'e46e43116e35581eaeb26eee22d36bbb6bde032d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-05T17:23:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58975fa6-b790-4925-b617-423002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:23:50.000Z",
"modified": "2017-02-05T17:23:50.000Z",
"description": "Possible related rtf file - Xchecked via VT: af178ff11088ff59640f74191785adf134aee296652080f397cf282db36fad46",
"pattern": "[file:hashes.MD5 = 'bc68d2a2b56789cf399e7530f1352fdc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-05T17:23:50Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58975fa7-004c-4268-a8d3-41de02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:23:51.000Z",
"modified": "2017-02-05T17:23:51.000Z",
"first_observed": "2017-02-05T17:23:51Z",
"last_observed": "2017-02-05T17:23:51Z",
"number_observed": 1,
"object_refs": [
"url--58975fa7-004c-4268-a8d3-41de02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58975fa7-004c-4268-a8d3-41de02de0b81",
"value": "https://www.virustotal.com/file/af178ff11088ff59640f74191785adf134aee296652080f397cf282db36fad46/analysis/1485937101/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58975fa8-f164-4057-a063-413f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:23:52.000Z",
"modified": "2017-02-05T17:23:52.000Z",
"description": "Possible related rtf file - Xchecked via VT: 21dda5c82e5aa5c8545b96dc2d6d63e6786fea73453f5acaa571fd5c0466363d",
"pattern": "[file:hashes.SHA1 = 'f8bf4c87ec8eabad4dbf916328f50b02a5898c00']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-05T17:23:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58975fa8-2e30-4a60-b6b8-411102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:23:52.000Z",
"modified": "2017-02-05T17:23:52.000Z",
"description": "Possible related rtf file - Xchecked via VT: 21dda5c82e5aa5c8545b96dc2d6d63e6786fea73453f5acaa571fd5c0466363d",
"pattern": "[file:hashes.MD5 = '3d4f5b714a19b7545e57743ee0003337']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-05T17:23:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58975fa9-aea4-4c97-9fa7-481702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:23:53.000Z",
"modified": "2017-02-05T17:23:53.000Z",
"first_observed": "2017-02-05T17:23:53Z",
"last_observed": "2017-02-05T17:23:53Z",
"number_observed": 1,
"object_refs": [
"url--58975fa9-aea4-4c97-9fa7-481702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58975fa9-aea4-4c97-9fa7-481702de0b81",
"value": "https://www.virustotal.com/file/21dda5c82e5aa5c8545b96dc2d6d63e6786fea73453f5acaa571fd5c0466363d/analysis/1485331419/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58975faa-65d0-4034-bbee-440c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:23:54.000Z",
"modified": "2017-02-05T17:23:54.000Z",
"description": "Possible related rtf file - Xchecked via VT: 9c7208c5c0d431738c8682cf6a2bd81df66977cbabffa0570f9d70518bece912",
"pattern": "[file:hashes.SHA1 = 'c51a1ef7e599150437fc8947d94e6d9edea18be6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-05T17:23:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58975fab-0564-4123-879b-491902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:23:55.000Z",
"modified": "2017-02-05T17:23:55.000Z",
"description": "Possible related rtf file - Xchecked via VT: 9c7208c5c0d431738c8682cf6a2bd81df66977cbabffa0570f9d70518bece912",
"pattern": "[file:hashes.MD5 = 'fd3f5a495a8d573f9b6add69a6af9b7d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-05T17:23:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58975fab-1eb0-49aa-88b8-46f802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:23:55.000Z",
"modified": "2017-02-05T17:23:55.000Z",
"first_observed": "2017-02-05T17:23:55Z",
"last_observed": "2017-02-05T17:23:55Z",
"number_observed": 1,
"object_refs": [
"url--58975fab-1eb0-49aa-88b8-46f802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58975fab-1eb0-49aa-88b8-46f802de0b81",
"value": "https://www.virustotal.com/file/9c7208c5c0d431738c8682cf6a2bd81df66977cbabffa0570f9d70518bece912/analysis/1485841113/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58975fac-a404-4333-be15-410102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:23:56.000Z",
"modified": "2017-02-05T17:23:56.000Z",
"description": "Possible related rtf file - Xchecked via VT: 8e27a641684da744a0882d3664cf84d5a88b8e82ac0070d3602af0b7c103eeeb",
"pattern": "[file:hashes.SHA1 = 'a963103fb9802a59c99f0ced333586a33f1f5d5d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-05T17:23:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58975fad-d3d4-4eac-aaab-4c0602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:23:57.000Z",
"modified": "2017-02-05T17:23:57.000Z",
"description": "Possible related rtf file - Xchecked via VT: 8e27a641684da744a0882d3664cf84d5a88b8e82ac0070d3602af0b7c103eeeb",
"pattern": "[file:hashes.MD5 = 'a5a507f41a217097d6394256ee401977']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-05T17:23:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58975fad-3aa8-4fd0-af23-4cb502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:23:57.000Z",
"modified": "2017-02-05T17:23:57.000Z",
"first_observed": "2017-02-05T17:23:57Z",
"last_observed": "2017-02-05T17:23:57Z",
"number_observed": 1,
"object_refs": [
"url--58975fad-3aa8-4fd0-af23-4cb502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58975fad-3aa8-4fd0-af23-4cb502de0b81",
"value": "https://www.virustotal.com/file/8e27a641684da744a0882d3664cf84d5a88b8e82ac0070d3602af0b7c103eeeb/analysis/1485962308/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58975fae-d838-4f3e-871c-4e8602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:23:58.000Z",
"modified": "2017-02-05T17:23:58.000Z",
"description": "Possible related rtf file - Xchecked via VT: 08c9bd7b7b8361c5d217570019ff012773407337c9083910f2ae3a09b5401345",
"pattern": "[file:hashes.SHA1 = '463344f0ad46323fa191237db21e8e46a019fbfc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-05T17:23:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58975faf-f7cc-470f-82fd-42dc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:23:59.000Z",
"modified": "2017-02-05T17:23:59.000Z",
"description": "Possible related rtf file - Xchecked via VT: 08c9bd7b7b8361c5d217570019ff012773407337c9083910f2ae3a09b5401345",
"pattern": "[file:hashes.MD5 = '60cab9d4211216b82e6430a7c51157fa']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-05T17:23:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58975fb0-40e8-4db7-88e6-45d302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:24:00.000Z",
"modified": "2017-02-05T17:24:00.000Z",
"first_observed": "2017-02-05T17:24:00Z",
"last_observed": "2017-02-05T17:24:00Z",
"number_observed": 1,
"object_refs": [
"url--58975fb0-40e8-4db7-88e6-45d302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58975fb0-40e8-4db7-88e6-45d302de0b81",
"value": "https://www.virustotal.com/file/08c9bd7b7b8361c5d217570019ff012773407337c9083910f2ae3a09b5401345/analysis/1485865450/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58975fb1-fb64-4fb9-a961-4ef202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:24:01.000Z",
"modified": "2017-02-05T17:24:01.000Z",
"description": "Possible related rtf file - Xchecked via VT: 7a63fc5253deb672036e018750fd40dc3e8502f3b07ef225e7e6bc1144d1d7ee",
"pattern": "[file:hashes.SHA1 = 'c90fdf1e20aa39cd84479543101d2b4f299b3485']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-05T17:24:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58975fb1-7c74-45ff-a4b8-4f6d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:24:01.000Z",
"modified": "2017-02-05T17:24:01.000Z",
"description": "Possible related rtf file - Xchecked via VT: 7a63fc5253deb672036e018750fd40dc3e8502f3b07ef225e7e6bc1144d1d7ee",
"pattern": "[file:hashes.MD5 = 'b254fe605efdcc2aa235d431b1a30fa9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-05T17:24:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58975fb2-e3f4-4538-93cf-41e402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:24:02.000Z",
"modified": "2017-02-05T17:24:02.000Z",
"first_observed": "2017-02-05T17:24:02Z",
"last_observed": "2017-02-05T17:24:02Z",
"number_observed": 1,
"object_refs": [
"url--58975fb2-e3f4-4538-93cf-41e402de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58975fb2-e3f4-4538-93cf-41e402de0b81",
"value": "https://www.virustotal.com/file/7a63fc5253deb672036e018750fd40dc3e8502f3b07ef225e7e6bc1144d1d7ee/analysis/1485428950/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58975fb3-05dc-4249-a5d7-44b802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:24:03.000Z",
"modified": "2017-02-05T17:24:03.000Z",
"description": "Cobalt Strike - Xchecked via VT: 2fa6ec644b0a05c0cbe7ebaf4cc4905281e65764e91ed299d5cb3f54ab4943bf",
"pattern": "[file:hashes.SHA1 = '2ee7db02a2a0a7b0666fe544d803384cbbdfba9c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-05T17:24:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58975fb4-8fac-4a73-b782-495502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:24:04.000Z",
"modified": "2017-02-05T17:24:04.000Z",
"description": "Cobalt Strike - Xchecked via VT: 2fa6ec644b0a05c0cbe7ebaf4cc4905281e65764e91ed299d5cb3f54ab4943bf",
"pattern": "[file:hashes.MD5 = '992722358935ce18c759333fee0588e0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-05T17:24:04Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58975fb5-2fb4-47cc-bc58-45c802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:24:05.000Z",
"modified": "2017-02-05T17:24:05.000Z",
"first_observed": "2017-02-05T17:24:05Z",
"last_observed": "2017-02-05T17:24:05Z",
"number_observed": 1,
"object_refs": [
"url--58975fb5-2fb4-47cc-bc58-45c802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58975fb5-2fb4-47cc-bc58-45c802de0b81",
"value": "https://www.virustotal.com/file/2fa6ec644b0a05c0cbe7ebaf4cc4905281e65764e91ed299d5cb3f54ab4943bf/analysis/1486218685/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58975fb5-da7c-413a-bf5b-4c9c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:24:05.000Z",
"modified": "2017-02-05T17:24:05.000Z",
"description": "Extracted payload from RTF - Xchecked via VT: 4c72df74a1e8039c94b188f1c5c59f30ddcc7107647689e4d908e55d04ff8b52",
"pattern": "[file:hashes.SHA1 = 'b7b53be3e38408ca9c0269cace71ae23994f168b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-05T17:24:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58975fb6-508c-4404-b75b-463d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:24:06.000Z",
"modified": "2017-02-05T17:24:06.000Z",
"description": "Extracted payload from RTF - Xchecked via VT: 4c72df74a1e8039c94b188f1c5c59f30ddcc7107647689e4d908e55d04ff8b52",
"pattern": "[file:hashes.MD5 = '6faf7bf340105e5a119520761149c13f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-05T17:24:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58975fb7-7838-40f2-a5e6-457002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:24:07.000Z",
"modified": "2017-02-05T17:24:07.000Z",
"first_observed": "2017-02-05T17:24:07Z",
"last_observed": "2017-02-05T17:24:07Z",
"number_observed": 1,
"object_refs": [
"url--58975fb7-7838-40f2-a5e6-457002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58975fb7-7838-40f2-a5e6-457002de0b81",
"value": "https://www.virustotal.com/file/4c72df74a1e8039c94b188f1c5c59f30ddcc7107647689e4d908e55d04ff8b52/analysis/1486194786/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58975fb8-adc4-4972-a42a-4de302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:24:08.000Z",
"modified": "2017-02-05T17:24:08.000Z",
"description": "malicious document - RTF file - Xchecked via VT: 5d9e1f4dab6929bc699ba7e5c4fd09f2bbfd6b59d04cefd8f4bf06710e684a5e",
"pattern": "[file:hashes.SHA1 = '7fe6cc2412b97fd27ca1bfb42ac811933c948f61']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-05T17:24:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--58975fb8-2444-468b-916a-4e7702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:24:08.000Z",
"modified": "2017-02-05T17:24:08.000Z",
"description": "malicious document - RTF file - Xchecked via VT: 5d9e1f4dab6929bc699ba7e5c4fd09f2bbfd6b59d04cefd8f4bf06710e684a5e",
"pattern": "[file:hashes.MD5 = '81f829be44598ccf33382920f2597104']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-02-05T17:24:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--58975fb9-63ac-4da5-a0b2-4fc702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-02-05T17:24:09.000Z",
"modified": "2017-02-05T17:24:09.000Z",
"first_observed": "2017-02-05T17:24:09Z",
"last_observed": "2017-02-05T17:24:09Z",
"number_observed": 1,
"object_refs": [
"url--58975fb9-63ac-4da5-a0b2-4fc702de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--58975fb9-63ac-4da5-a0b2-4fc702de0b81",
"value": "https://www.virustotal.com/file/5d9e1f4dab6929bc699ba7e5c4fd09f2bbfd6b59d04cefd8f4bf06710e684a5e/analysis/1485944570/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}