misp-circl-feed/feeds/circl/misp/58a883f4-a2f8-4901-9d5f-a16602de0b81.json

{
    "type": "bundle",
    "id": "bundle--58a883f4-a2f8-4901-9d5f-a16602de0b81",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-02-18T17:33:12.000Z",
            "modified": "2017-02-18T17:33:12.000Z",
            "name": "CIRCL",
            "identity_class": "organization"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--58a883f4-a2f8-4901-9d5f-a16602de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-02-18T17:33:12.000Z",
            "modified": "2017-02-18T17:33:12.000Z",
            "name": "OSINT - Demystifying targeted malware used against Polish banks",
            "published": "2017-02-18T17:34:08Z",
            "object_refs": [
                "observed-data--58a8842b-bf7c-40d9-97af-a16e02de0b81",
                "url--58a8842b-bf7c-40d9-97af-a16e02de0b81",
                "x-misp-attribute--58a8843f-e9b0-48c4-8081-a16302de0b81",
                "indicator--58a884cb-05ac-4ab1-9637-568a02de0b81",
                "indicator--58a884cc-b7ec-422b-bc5d-568a02de0b81",
                "indicator--58a884cd-41d0-4a0d-8e45-568a02de0b81",
                "indicator--58a884ce-8f30-41ec-8f85-568a02de0b81",
                "indicator--58a884fe-28e0-4cdc-b437-569502de0b81",
                "indicator--58a884ff-2798-4d65-a9dd-569502de0b81",
                "indicator--58a884ff-76f4-4eae-8513-569502de0b81",
                "indicator--58a88500-3b1c-4c05-97b1-569502de0b81",
                "indicator--58a88560-396c-4bde-a174-a16a02de0b81",
                "indicator--58a88561-131c-42f2-b22f-a16a02de0b81",
                "observed-data--58a88562-0938-43d4-a375-a16a02de0b81",
                "url--58a88562-0938-43d4-a375-a16a02de0b81",
                "indicator--58a88563-fe54-45ef-b63e-a16a02de0b81",
                "indicator--58a88564-1760-4f31-b86f-a16a02de0b81",
                "observed-data--58a88565-c3ac-4f2a-9897-a16a02de0b81",
                "url--58a88565-c3ac-4f2a-9897-a16a02de0b81",
                "indicator--58a88565-e914-49da-88cd-a16a02de0b81",
                "indicator--58a88566-647c-4069-8021-a16a02de0b81",
                "observed-data--58a88567-7d2c-4f4a-be49-a16a02de0b81",
                "url--58a88567-7d2c-4f4a-be49-a16a02de0b81",
                "indicator--58a88568-4f10-4a12-9d26-a16a02de0b81",
                "indicator--58a88569-b83c-4426-83c3-a16a02de0b81",
                "observed-data--58a88569-82dc-4c8e-8ea9-a16a02de0b81",
                "url--58a88569-82dc-4c8e-8ea9-a16a02de0b81"
            ],
            "labels": [
                "Threat-Report",
                "misp:tool=\"MISP-STIX-Converter\"",
                "circl:topic=\"finance\"",
                "misp-galaxy:threat-actor=\"Lazarus Group\""
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--58a8842b-bf7c-40d9-97af-a16e02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-02-18T17:33:12.000Z",
            "modified": "2017-02-18T17:33:12.000Z",
            "first_observed": "2017-02-18T17:33:12Z",
            "last_observed": "2017-02-18T17:33:12Z",
            "number_observed": 1,
            "object_refs": [
                "url--58a8842b-bf7c-40d9-97af-a16e02de0b81"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\"",
                "osint:source-type=\"blog-post\"",
                "admiralty-scale:source-reliability=\"b\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--58a8842b-bf7c-40d9-97af-a16e02de0b81",
            "value": "http://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/"
        },
        {
            "type": "x-misp-attribute",
            "spec_version": "2.1",
            "id": "x-misp-attribute--58a8843f-e9b0-48c4-8081-a16302de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-02-18T17:33:12.000Z",
            "modified": "2017-02-18T17:33:12.000Z",
            "labels": [
                "misp:type=\"text\"",
                "misp:category=\"External analysis\"",
                "osint:source-type=\"blog-post\"",
                "admiralty-scale:source-reliability=\"b\""
            ],
            "x_misp_category": "External analysis",
            "x_misp_type": "text",
            "x_misp_value": "Hot news about successful attacks on Polish banks appeared recently on the Polish security portal ZaufanaTrzeciaStrona.pl (translated in English here). The impact of the attacks was described dramatically with adjectives like \u00e2\u20ac\u0153the most serious\u00e2\u20ac\u009d. The initial reports were very recently supported by two blogposts by Symantec and BAE Systems. The nationalities of affected institutions were extended also to Mexico and Uruguay, with even more high-profile targets in the attackers\u00e2\u20ac\u2122 viewfinder that are located worldwide. There are many interesting aspects to these attacks starting from the targets, moving on to the vector of compromise, right up to the specific features of the malicious executables used. While the first two aspects have been quite thoroughly examined so far, the malicious binaries involved haven\u00e2\u20ac\u2122t received much attention so far. The purpose of this blog post is to deliver technical details of this as-yet minimally documented malware."
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--58a884cb-05ac-4ab1-9637-568a02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-02-18T17:33:12.000Z",
            "modified": "2017-02-18T17:33:12.000Z",
            "description": "Win64/Spy.Banker.AX\tDropper;gpsvc.exe",
            "pattern": "[file:hashes.SHA1 = 'bedceafa2109139c793cb158cec9fa48f980ff2b']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-02-18T17:33:12Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha1\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--58a884cc-b7ec-422b-bc5d-568a02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-02-18T17:33:12.000Z",
            "modified": "2017-02-18T17:33:12.000Z",
            "description": "Win64/Spy.Banker.AX\tEnigma-protected loader",
            "pattern": "[file:hashes.SHA1 = 'aa115e6587a535146b7493d6c02896a7d322879e']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-02-18T17:33:12Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha1\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--58a884cd-41d0-4a0d-8e45-568a02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-02-18T17:33:12.000Z",
            "modified": "2017-02-18T17:33:12.000Z",
            "description": "Win64/Spy.Banker.AX\tEnigma-protected module; RAT; libcurl v. 7.47.",
            "pattern": "[file:hashes.SHA1 = 'a107f1046f5224fdb3a5826fa6f940a981fe65a1']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-02-18T17:33:12Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha1\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--58a884ce-8f30-41ec-8f85-568a02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-02-18T17:33:12.000Z",
            "modified": "2017-02-18T17:33:12.000Z",
            "description": "Win32/Spy.Banker.ADQH\t32-bit Enigma-protected dropper;gpsvc.exe",
            "pattern": "[file:hashes.SHA1 = '4f0d7a33d23d53c0eb8b34d102cdd660fc5323a2']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-02-18T17:33:12Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha1\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--58a884fe-28e0-4cdc-b437-569502de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-02-18T17:33:12.000Z",
            "modified": "2017-02-18T17:33:12.000Z",
            "description": "Win64/Spy.Banker.AX\tDropper;fdsvc.exe",
            "pattern": "[file:hashes.SHA1 = 'fa4f2e3f7c56210d1e380ec6d74a0b6dd776994b']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-02-18T17:33:12Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha1\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--58a884ff-2798-4d65-a9dd-569502de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-02-18T17:33:12.000Z",
            "modified": "2017-02-18T17:33:12.000Z",
            "description": "Win64/Spy.Banker.AX\tEncrypted module;fdsvc.dll",
            "pattern": "[file:hashes.SHA1 = '11568dffd6325ade217fbe49ce56a3ee5001cbcc']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-02-18T17:33:12Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha1\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--58a884ff-76f4-4eae-8513-569502de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-02-18T17:33:12.000Z",
            "modified": "2017-02-18T17:33:12.000Z",
            "description": "Win64/Spy.Banker.AX\tDecrypted module; RAT;libcurl v. 7.49.1 (*)",
            "pattern": "[file:hashes.SHA1 = 'e45ca027635f904101683413dd58fbd64d602ebe']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-02-18T17:33:12Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha1\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--58a88500-3b1c-4c05-97b1-569502de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-02-18T17:33:12.000Z",
            "modified": "2017-02-18T17:33:12.000Z",
            "description": "Win32/Spy.Banker.ADRO\t32-bit module; RAT;libcurl v. 7.49.1",
            "pattern": "[file:hashes.SHA1 = '50b4f9a8fa6803f0aabb6fd9374244af40c2ba4c']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-02-18T17:33:12Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha1\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--58a88560-396c-4bde-a174-a16a02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-02-18T17:33:20.000Z",
            "modified": "2017-02-18T17:33:20.000Z",
            "description": "Win32/Spy.Banker.ADRO\t32-bit module; RAT;libcurl v. 7.49.1 - Xchecked via VT: 50b4f9a8fa6803f0aabb6fd9374244af40c2ba4c",
            "pattern": "[file:hashes.SHA256 = 'a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-02-18T17:33:20Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha256\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--58a88561-131c-42f2-b22f-a16a02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-02-18T17:33:21.000Z",
            "modified": "2017-02-18T17:33:21.000Z",
            "description": "Win32/Spy.Banker.ADRO\t32-bit module; RAT;libcurl v. 7.49.1 - Xchecked via VT: 50b4f9a8fa6803f0aabb6fd9374244af40c2ba4c",
            "pattern": "[file:hashes.MD5 = '40e698f961eb796728a57ddf81f52b9a']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-02-18T17:33:21Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"md5\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--58a88562-0938-43d4-a375-a16a02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-02-18T17:33:22.000Z",
            "modified": "2017-02-18T17:33:22.000Z",
            "first_observed": "2017-02-18T17:33:22Z",
            "last_observed": "2017-02-18T17:33:22Z",
            "number_observed": 1,
            "object_refs": [
                "url--58a88562-0938-43d4-a375-a16a02de0b81"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--58a88562-0938-43d4-a375-a16a02de0b81",
            "value": "https://www.virustotal.com/file/a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118/analysis/1487306631/"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--58a88563-fe54-45ef-b63e-a16a02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-02-18T17:33:23.000Z",
            "modified": "2017-02-18T17:33:23.000Z",
            "description": "Win64/Spy.Banker.AX\tEncrypted module;fdsvc.dll - Xchecked via VT: 11568dffd6325ade217fbe49ce56a3ee5001cbcc",
            "pattern": "[file:hashes.SHA256 = '752b8e93a8f6803b265dd3a7cd39df86997cf99900426635b1b97dd665bd7f9f']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-02-18T17:33:23Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha256\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--58a88564-1760-4f31-b86f-a16a02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-02-18T17:33:24.000Z",
            "modified": "2017-02-18T17:33:24.000Z",
            "description": "Win64/Spy.Banker.AX\tEncrypted module;fdsvc.dll - Xchecked via VT: 11568dffd6325ade217fbe49ce56a3ee5001cbcc",
            "pattern": "[file:hashes.MD5 = '9cc6854bc5e217104734043c89dc4ff8']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-02-18T17:33:24Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"md5\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--58a88565-c3ac-4f2a-9897-a16a02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-02-18T17:33:25.000Z",
            "modified": "2017-02-18T17:33:25.000Z",
            "first_observed": "2017-02-18T17:33:25Z",
            "last_observed": "2017-02-18T17:33:25Z",
            "number_observed": 1,
            "object_refs": [
                "url--58a88565-c3ac-4f2a-9897-a16a02de0b81"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--58a88565-c3ac-4f2a-9897-a16a02de0b81",
            "value": "https://www.virustotal.com/file/752b8e93a8f6803b265dd3a7cd39df86997cf99900426635b1b97dd665bd7f9f/analysis/1487229167/"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--58a88565-e914-49da-88cd-a16a02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-02-18T17:33:25.000Z",
            "modified": "2017-02-18T17:33:25.000Z",
            "description": "Win64/Spy.Banker.AX\tDropper;fdsvc.exe - Xchecked via VT: fa4f2e3f7c56210d1e380ec6d74a0b6dd776994b",
            "pattern": "[file:hashes.SHA256 = 'cd10ffb7a88f0d2ec69326e7a13f00b9ed211a3a719f89a755a29494ff1142e6']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-02-18T17:33:25Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha256\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--58a88566-647c-4069-8021-a16a02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-02-18T17:33:26.000Z",
            "modified": "2017-02-18T17:33:26.000Z",
            "description": "Win64/Spy.Banker.AX\tDropper;fdsvc.exe - Xchecked via VT: fa4f2e3f7c56210d1e380ec6d74a0b6dd776994b",
            "pattern": "[file:hashes.MD5 = '9914075cc687bdc352ee136ac6579707']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-02-18T17:33:26Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"md5\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--58a88567-7d2c-4f4a-be49-a16a02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-02-18T17:33:27.000Z",
            "modified": "2017-02-18T17:33:27.000Z",
            "first_observed": "2017-02-18T17:33:27Z",
            "last_observed": "2017-02-18T17:33:27Z",
            "number_observed": 1,
            "object_refs": [
                "url--58a88567-7d2c-4f4a-be49-a16a02de0b81"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--58a88567-7d2c-4f4a-be49-a16a02de0b81",
            "value": "https://www.virustotal.com/file/cd10ffb7a88f0d2ec69326e7a13f00b9ed211a3a719f89a755a29494ff1142e6/analysis/1487398403/"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--58a88568-4f10-4a12-9d26-a16a02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-02-18T17:33:28.000Z",
            "modified": "2017-02-18T17:33:28.000Z",
            "description": "Win32/Spy.Banker.ADQH\t32-bit Enigma-protected dropper;gpsvc.exe - Xchecked via VT: 4f0d7a33d23d53c0eb8b34d102cdd660fc5323a2",
            "pattern": "[file:hashes.SHA256 = 'd4616f9706403a0d5a2f9a8726230a4693e4c95c58df5c753ccc684f1d3542e2']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-02-18T17:33:28Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha256\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--58a88569-b83c-4426-83c3-a16a02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-02-18T17:33:29.000Z",
            "modified": "2017-02-18T17:33:29.000Z",
            "description": "Win32/Spy.Banker.ADQH\t32-bit Enigma-protected dropper;gpsvc.exe - Xchecked via VT: 4f0d7a33d23d53c0eb8b34d102cdd660fc5323a2",
            "pattern": "[file:hashes.MD5 = '85d316590edfb4212049c4490db08c4b']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-02-18T17:33:29Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"md5\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--58a88569-82dc-4c8e-8ea9-a16a02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-02-18T17:33:29.000Z",
            "modified": "2017-02-18T17:33:29.000Z",
            "first_observed": "2017-02-18T17:33:29Z",
            "last_observed": "2017-02-18T17:33:29Z",
            "number_observed": 1,
            "object_refs": [
                "url--58a88569-82dc-4c8e-8ea9-a16a02de0b81"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--58a88569-82dc-4c8e-8ea9-a16a02de0b81",
            "value": "https://www.virustotal.com/file/d4616f9706403a0d5a2f9a8726230a4693e4c95c58df5c753ccc684f1d3542e2/analysis/1487344075/"
        },
        {
            "type": "marking-definition",
            "spec_version": "2.1",
            "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
            "created": "2017-01-20T00:00:00.000Z",
            "definition_type": "tlp",
            "name": "TLP:WHITE",
            "definition": {
                "tlp": "white"
            }
        }
    ]
}