misp-circl-feed/feeds/circl/misp/5b58330e-b924-4828-b3a5-4986950d210f.json


{
"type": "bundle",
"id": "bundle--5b58330e-b924-4828-b3a5-4986950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-26T07:17:17.000Z",
"modified": "2018-07-26T07:17:17.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "grouping",
"spec_version": "2.1",
"id": "grouping--5b58330e-b924-4828-b3a5-4986950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-26T07:17:17.000Z",
"modified": "2018-07-26T07:17:17.000Z",
"name": "OSINT - Kronos Banking Trojan Used to Deliver New Point-of-Sale Malware",
"context": "suspicious-activity",
"object_refs": [
"observed-data--5b58331e-7b14-4ec5-bf29-42e7950d210f",
"url--5b58331e-7b14-4ec5-bf29-42e7950d210f",
"indicator--5b583b7d-41d0-4051-8331-4746950d210f",
"indicator--5b583b7e-9420-4436-9201-4f93950d210f",
"indicator--5b583b7e-ac24-421f-83f7-48d7950d210f",
"indicator--5b583b7e-3b34-4162-970f-4b59950d210f",
"indicator--5b583b7f-80e8-4230-a77e-4453950d210f",
"indicator--5b583b7f-aba8-44df-bee9-4880950d210f",
"indicator--5b583b80-8898-45cc-a722-4932950d210f",
"indicator--5b583b80-50c4-483b-a57b-4b34950d210f",
"indicator--5b583b81-666c-47cc-82d7-418c950d210f",
"indicator--5b583b81-0354-4c37-9f23-4699950d210f",
"indicator--5b583b82-b2a0-4c3e-a7f6-4f40950d210f",
"indicator--5b583b82-7384-4bc0-ad26-4fa1950d210f",
"indicator--5b583b82-8e54-4390-b12a-42c1950d210f",
"indicator--5b583b83-a568-4200-8c7a-48c2950d210f",
"indicator--5b583b83-8390-470a-ae42-4e22950d210f",
"indicator--5b5842d8-8e0c-45c9-ae13-451b950d210f",
"x-misp-attribute--5b587469-3e60-43ba-91fb-9146950d210f",
"indicator--5b583628-807c-4168-843b-43eb950d210f",
"indicator--5b58365c-aa24-4e3d-a908-49e6950d210f",
"indicator--5b583698-e9f8-428f-8754-4eed950d210f",
"indicator--5b583727-3fe0-4c85-81b7-41a1950d210f",
"indicator--5b58374c-d1a8-4736-8cea-42e9950d210f",
"observed-data--5b58375c-ae60-4530-8186-425b950d210f",
"file--5b58375c-ae60-4530-8186-425b950d210f",
"indicator--5b58389b-2f00-49cc-b0ac-4454950d210f",
"indicator--5b5838b0-acf8-4d3e-8b64-4fa7950d210f",
"indicator--5b5838c7-ae6c-4367-903a-4975950d210f",
"indicator--5b5838da-60ac-4477-be0d-41d4950d210f",
"indicator--5b5838e9-b540-4e30-ad63-44aa950d210f",
"indicator--a9d88727-e3a0-4095-b1d0-2b156670a502",
"x-misp-object--edb2ae54-a660-4d51-ab66-8f27d9223543",
"indicator--98a247a0-d160-4eee-be67-362795be9206",
"x-misp-object--0d28ddad-c7aa-4a6b-a448-c253efd98a2f",
"indicator--b0fd87a7-f7be-4f96-8ebc-90044b6c09ab",
"x-misp-object--e548da40-21e0-44e7-8878-30051f1ffa04",
"indicator--ef42d127-90f8-425a-8866-83310e33e640",
"x-misp-object--6709cf8f-3627-407e-8485-e6218167d3c0",
"indicator--f734d0d6-468b-4c5d-8883-d137f6140100",
"x-misp-object--71d925d6-48ee-413d-bb73-c729eedd03f1",
"indicator--31d38205-0b87-4063-a326-2e4f1a2459db",
"x-misp-object--4ed5377e-7638-45ba-9377-a1aa31e4a4ae",
"indicator--b6d5fe7e-b69f-4e54-942e-360486c7bfcb",
"x-misp-object--776e2aba-176a-48be-895a-c6d665ffcd02",
"indicator--d7634bbe-3e21-4bcf-b1ae-8d7625dfeea4",
"x-misp-object--3acaf083-3b2a-4b5f-9451-7c1ea9b39768",
"indicator--16984ff8-41a2-42d9-a859-87df65432e94",
"x-misp-object--8df7db4c-c0a1-495d-a400-6e134bf827a6",
"indicator--18574ddd-6a89-41b7-924b-d9a1388d4fc0",
"x-misp-object--77f014cd-c354-4167-86fa-78e315ba907b",
"indicator--0d95e126-39c8-4048-be62-5470568b0f0f",
"x-misp-object--11e88643-99a3-4053-b9bf-73f53056ebae",
"relationship--736b03dd-eec1-443d-8c29-150c224a8a4b",
"relationship--7121db55-c648-4658-b41f-c498da0cc314",
"relationship--9612ca2b-9ac4-42e2-9bc5-15daed0cc64b",
"relationship--064e7c6c-4fb7-4a6d-b2d5-708036c1e023",
"relationship--7835cacf-6643-4ae9-852a-e3aa49091f6f",
"relationship--1500ac51-e910-45fb-b39b-d6818faf28cf",
"relationship--e6ff039d-3ba4-46f6-964e-829ecd5d40e5",
"relationship--7c8eb544-fee2-45db-8256-18ba2bd218bc",
"relationship--5cbe67e0-57c5-4463-85a9-28f2a53562d4",
"relationship--7ab0e094-1d1c-4335-af39-c277a3b65202",
"relationship--de3baebf-c58b-46f2-81ee-13b21a2bc4f9"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"malware_classification:malware-category=\"Trojan\"",
"ms-caro-malware-full:malware-family=\"Banker\"",
"misp-galaxy:banker=\"Kronos\"",
"osint:source-type=\"blog-post\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b58331e-7b14-4ec5-bf29-42e7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-26T07:17:06.000Z",
"modified": "2018-07-26T07:17:06.000Z",
"first_observed": "2018-07-26T07:17:06Z",
"last_observed": "2018-07-26T07:17:06Z",
"number_observed": 1,
"object_refs": [
"url--5b58331e-7b14-4ec5-bf29-42e7950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5b58331e-7b14-4ec5-bf29-42e7950d210f",
"value": "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b583b7d-41d0-4051-8331-4746950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T10:13:57.000Z",
"modified": "2018-07-25T10:13:57.000Z",
"description": "Phishing link on Nov 8",
"pattern": "[url:value = 'http://invoice.docs-sharepoint.com/profile/profile.php?id=[base64 e-mail address]']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T10:13:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b583b7e-9420-4436-9201-4f93950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T08:57:34.000Z",
"modified": "2018-07-25T08:57:34.000Z",
"description": "Redirect from phishing link on Nov 8",
"pattern": "[url:value = 'http://invoice.docs-sharepoint.com/profile/download.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T08:57:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b583b7e-ac24-421f-83f7-48d7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T08:57:34.000Z",
"modified": "2018-07-25T08:57:34.000Z",
"description": "ZeuS C&C on Nov 8",
"pattern": "[url:value = 'https://feed.networksupdates.com/feed/webfeed.xml']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T08:57:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b583b7e-3b34-4162-970f-4b59950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T08:57:34.000Z",
"modified": "2018-07-25T08:57:34.000Z",
"description": "EmployeeID-847267.doc downloading payload (Kronos) on Nov 10",
"pattern": "[url:value = 'http://info.docs-sharepoint.com/officeup.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T08:57:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b583b7f-80e8-4230-a77e-4453950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T08:57:35.000Z",
"modified": "2018-07-25T08:57:35.000Z",
"pattern": "[file:name = 'EmployeeID-847267.doc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T08:57:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b583b7f-aba8-44df-bee9-4880950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T08:57:35.000Z",
"modified": "2018-07-25T08:57:35.000Z",
"description": "Kronos C&C on Nov 10",
"pattern": "[url:value = 'http://www.networkupdate.club/kbps/connect.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T08:57:35Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b583b80-8898-45cc-a722-4932950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T08:57:36.000Z",
"modified": "2018-07-25T08:57:36.000Z",
"description": "Payload DL by Kronos on Nov 10",
"pattern": "[url:value = 'http://networkupdate.online/kbps/upload/c1c06f7d.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T08:57:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b583b80-50c4-483b-a57b-4b34950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T08:57:36.000Z",
"modified": "2018-07-25T08:57:36.000Z",
"description": "Payload DL by Kronos on Nov 10",
"pattern": "[url:value = 'http://networkupdate.online/kbps/upload/1f80ff71.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T08:57:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b583b81-666c-47cc-82d7-418c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T08:57:37.000Z",
"modified": "2018-07-25T08:57:37.000Z",
"description": "Payload DL by Kronos on Nov 10",
"pattern": "[url:value = 'http://networkupdate.online/kbps/upload/a8b05325.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T08:57:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b583b81-0354-4c37-9f23-4699950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T10:13:53.000Z",
"modified": "2018-07-25T10:13:53.000Z",
"description": "Phishing link on Nov 10",
"pattern": "[url:value = 'http://intranet.excelsharepoint.com/profile/Employee.php?id=[base64 e-mail address]']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T10:13:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b583b82-b2a0-4c3e-a7f6-4f40950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T08:57:38.000Z",
"modified": "2018-07-25T08:57:38.000Z",
"description": "SmokeLoader C&C",
"pattern": "[url:value = 'http://webfeed.updatesnetwork.com/feedweb/feed.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T08:57:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b583b82-7384-4bc0-ad26-4fa1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T08:57:38.000Z",
"modified": "2018-07-25T08:57:38.000Z",
"description": "ScanPOS C&C",
"pattern": "[url:value = 'http://invoicesharepoint.com/gateway.php']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T08:57:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b583b82-8e54-4390-b12a-42c1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T10:13:34.000Z",
"modified": "2018-07-25T10:13:34.000Z",
"description": "Phishing link on Nov 14",
"pattern": "[url:value = 'http://intranet.excel-sharepoint.com/doc/employee.php?id=[base64 e-mail address]']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T10:13:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b583b83-a568-4200-8c7a-48c2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T08:57:39.000Z",
"modified": "2018-07-25T08:57:39.000Z",
"description": "EmployeeID-6283.doc downloading payload (Kronos) on Nov 14",
"pattern": "[url:value = 'http://profile.excel-sharepoint.com/doc/office.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T08:57:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b583b83-8390-470a-ae42-4e22950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T08:57:39.000Z",
"modified": "2018-07-25T08:57:39.000Z",
"pattern": "[file:name = 'EmployeeID-6283.doc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T08:57:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b5842d8-8e0c-45c9-ae13-451b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T09:28:56.000Z",
"modified": "2018-07-25T09:28:56.000Z",
"description": "RIG-v domain on Nov 8",
"pattern": "[domain-name:value = 'add.souloventure.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T09:28:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5b587469-3e60-43ba-91fb-9146950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-26T07:17:14.000Z",
"modified": "2018-07-26T07:17:14.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Banking Trojans continue to evolve and threat actors are using them in new ways, even as the massive Dridex campaigns of 2015 have given way to ransomware and other payloads. Most recently, we observed several relatively large email campaigns distributing the Kronos banking Trojan. In these campaigns, though, Kronos acted as a loader with a new Point-of-Sale (POS) malware dubbed ScanPOS as the secondary payload."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b583628-807c-4168-843b-43eb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T08:34:48.000Z",
"modified": "2018-07-25T08:34:48.000Z",
"description": "containing SmokeLoader from /download.php on Nov 8",
"pattern": "[file:hashes.SHA256 = '4b5f4dbd93100bb7b87920f2f3066782a8449eb9e236efc02afe570c1ce70cf5' AND file:name = 'EmployeeID-47267.zip' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T08:34:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b58365c-aa24-4e3d-a908-49e6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T08:35:40.000Z",
"modified": "2018-07-25T08:35:40.000Z",
"description": "containing ZeuS from /download.php on Nov 8",
"pattern": "[file:hashes.SHA256 = '711431204071b1e6f5b5644e0f0b23464c6ef5c254d7a40c4e6fe7c8782cd55c' AND file:name = 'EmployeeID-47267.zip' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T08:35:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b583698-e9f8-428f-8754-4eed950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T08:36:40.000Z",
"modified": "2018-07-25T08:36:40.000Z",
"description": "SmokeLoader",
"pattern": "[file:hashes.SHA256 = '90063c40cb94277f39ca1b3818b36b4fa41b3a3091d42dfc21586ad1c461daa0' AND file:name = 'EmployeeID-47267.pif' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T08:36:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b583727-3fe0-4c85-81b7-41a1950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T08:39:03.000Z",
"modified": "2018-07-25T08:39:03.000Z",
"description": "ZeuS",
"pattern": "[file:hashes.SHA256 = '4ba3913d945a16c099f5796fdeef2fda5c6c2e60cb53d46a1bfae82808075d74' AND file:name = 'EmployeeID-47267.pif' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T08:39:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b58374c-d1a8-4736-8cea-42e9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T08:39:40.000Z",
"modified": "2018-07-25T08:39:40.000Z",
"description": "downloaded from phishing links on Nov 10",
"pattern": "[file:hashes.SHA256 = 'a78b93a11ce649be3ca91812769f95a40de9d78e97a627366917c4fcd747f156' AND file:name = 'EmployeeID-847267.doc' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T08:39:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b58375c-ae60-4530-8186-425b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T21:02:40.000Z",
"modified": "2018-07-25T21:02:40.000Z",
"first_observed": "2018-07-25T21:02:40Z",
"last_observed": "2018-07-25T21:02:40Z",
"number_observed": 1,
"object_refs": [
"file--5b58375c-ae60-4530-8186-425b950d210f"
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"False\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5b58375c-ae60-4530-8186-425b950d210f",
"hashes": {
"SHA-256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
},
"x_misp_state": "Malicious"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b58389b-2f00-49cc-b0ac-4454950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T08:45:15.000Z",
"modified": "2018-07-25T08:45:15.000Z",
"description": "SmokeLoader",
"pattern": "[file:hashes.SHA256 = 'd0caf097ea0350dc92277aed73b0f44986d7d85b06d1d17b424dc172ce35a984' AND file:name = 'c1c06f7d.exe' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T08:45:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b5838b0-acf8-4d3e-8b64-4fa7950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T08:45:36.000Z",
"modified": "2018-07-25T08:45:36.000Z",
"description": "SmokeLoader",
"pattern": "[file:hashes.SHA256 = 'd9d1f02c8c4beee49f81093ea8162ce6adf405640ccacd5f03ce6c45e700ee98' AND file:name = '1f80ff71.exe' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T08:45:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b5838c7-ae6c-4367-903a-4975950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T08:45:59.000Z",
"modified": "2018-07-25T08:45:59.000Z",
"description": "ScanPOS",
"pattern": "[file:hashes.SHA256 = '093c81f0b234c2aa0363129fdaaaf57551f161915da3d23f43a792b5f3024c1e' AND file:name = 'a8b05325.exe' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T08:45:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b5838da-60ac-4477-be0d-41d4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T08:46:18.000Z",
"modified": "2018-07-25T08:46:18.000Z",
"description": "downloaded from phishing links on Nov 14",
"pattern": "[file:hashes.SHA256 = 'fd5412a7c71958ecdffa7064bf03c5f1931e561a1e71bc939551d5afb8bf7462' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T08:46:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5b5838e9-b540-4e30-ad63-44aa950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T08:46:33.000Z",
"modified": "2018-07-25T08:46:33.000Z",
"description": "Kronos on Nov 14 (same C&C as previous)",
"pattern": "[file:hashes.SHA256 = '269f88cfa9e9e26f3761aedee5d0836b5b82f346128fe03da28a331f80a5fba3' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T08:46:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a9d88727-e3a0-4095-b1d0-2b156670a502",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T21:02:24.000Z",
"modified": "2018-07-25T21:02:24.000Z",
"pattern": "[file:hashes.MD5 = 'f99d1571ce9be023cc897522f82ec6cc' AND file:hashes.SHA1 = '9b931700d85a5fb986575f89c7c29d03dc5f4c1e' AND file:hashes.SHA256 = 'd0caf097ea0350dc92277aed73b0f44986d7d85b06d1d17b424dc172ce35a984']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T21:02:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--edb2ae54-a660-4d51-ab66-8f27d9223543",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T21:02:25.000Z",
"modified": "2018-07-25T21:02:25.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-07-23 10:53:44",
"category": "Other",
"uuid": "87767aea-51ec-4953-993c-f4a3db01bf9a"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/d0caf097ea0350dc92277aed73b0f44986d7d85b06d1d17b424dc172ce35a984/analysis/1532343224/",
"category": "External analysis",
"uuid": "b5192082-ba75-490e-abe7-4244a424182a"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "51/68",
"category": "Other",
"uuid": "7fc96d39-bd29-47e8-be21-3bab9cd4738e"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--98a247a0-d160-4eee-be67-362795be9206",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T21:02:31.000Z",
"modified": "2018-07-25T21:02:31.000Z",
"pattern": "[file:hashes.MD5 = '73871970ccf1b551a29f255605d05f61' AND file:hashes.SHA1 = 'f74b2c624c6cffccec2680679a26fd863040828f' AND file:hashes.SHA256 = 'd9d1f02c8c4beee49f81093ea8162ce6adf405640ccacd5f03ce6c45e700ee98']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T21:02:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--0d28ddad-c7aa-4a6b-a448-c253efd98a2f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T21:02:32.000Z",
"modified": "2018-07-25T21:02:32.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-07-23 10:55:04",
"category": "Other",
"uuid": "5e3f9c64-39c9-4b35-b4e4-a8435f37c780"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/d9d1f02c8c4beee49f81093ea8162ce6adf405640ccacd5f03ce6c45e700ee98/analysis/1532343304/",
"category": "External analysis",
"uuid": "a96cf4aa-68b4-4c69-b511-928a17309792"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "53/68",
"category": "Other",
"uuid": "ddfade3b-fda0-4c64-b533-d1c78daf7927"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b0fd87a7-f7be-4f96-8ebc-90044b6c09ab",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T21:02:38.000Z",
"modified": "2018-07-25T21:02:38.000Z",
"pattern": "[file:hashes.MD5 = '4a03b999b87cfe3c44e617ac911a2018' AND file:hashes.SHA1 = 'b1a62023dc97668ce5ad0ed78788c79f797753c3' AND file:hashes.SHA256 = '4ba3913d945a16c099f5796fdeef2fda5c6c2e60cb53d46a1bfae82808075d74']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T21:02:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--e548da40-21e0-44e7-8878-30051f1ffa04",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T21:02:38.000Z",
"modified": "2018-07-25T21:02:38.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2017-09-27 17:35:43",
"category": "Other",
"uuid": "0d79d2bd-bd94-4ac7-983d-9d804def7917"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/4ba3913d945a16c099f5796fdeef2fda5c6c2e60cb53d46a1bfae82808075d74/analysis/1506533743/",
"category": "External analysis",
"uuid": "e76cf28d-af73-426f-bdfe-0d795cc4ac0b"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "43/65",
"category": "Other",
"uuid": "0e1d278b-6aa8-49d3-afe9-d32dd68d13cf"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--ef42d127-90f8-425a-8866-83310e33e640",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T21:02:44.000Z",
"modified": "2018-07-25T21:02:44.000Z",
"pattern": "[file:hashes.MD5 = '5cac0a88767a301d7df64cfc84ccc951' AND file:hashes.SHA1 = '1e207f9cfadd92bf56a827cb6b7765abe0fa3bac' AND file:hashes.SHA256 = '4b5f4dbd93100bb7b87920f2f3066782a8449eb9e236efc02afe570c1ce70cf5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T21:02:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--6709cf8f-3627-407e-8485-e6218167d3c0",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T21:02:46.000Z",
"modified": "2018-07-25T21:02:46.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2016-11-17 19:05:53",
"category": "Other",
"uuid": "58be0aad-494f-48dc-a412-02bd982d577a"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/4b5f4dbd93100bb7b87920f2f3066782a8449eb9e236efc02afe570c1ce70cf5/analysis/1479409553/",
"category": "External analysis",
"uuid": "8f5efb1a-9343-4079-a3fe-3d8d9994f4eb"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "31/57",
"category": "Other",
"uuid": "f93324bc-edc7-4330-9ec3-8c50d17168ab"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--f734d0d6-468b-4c5d-8883-d137f6140100",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T21:02:51.000Z",
"modified": "2018-07-25T21:02:51.000Z",
"pattern": "[file:hashes.MD5 = 'dfef3c6bf91ddbc2784bda187670983b' AND file:hashes.SHA1 = 'd97139b60ec56ddf87d5a1798ca840fa872a580f' AND file:hashes.SHA256 = 'fd5412a7c71958ecdffa7064bf03c5f1931e561a1e71bc939551d5afb8bf7462']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T21:02:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--71d925d6-48ee-413d-bb73-c729eedd03f1",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T21:02:52.000Z",
"modified": "2018-07-25T21:02:52.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2017-07-18 21:20:03",
"category": "Other",
"uuid": "31088d4b-45b8-4012-8414-4d6c62cf9959"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/fd5412a7c71958ecdffa7064bf03c5f1931e561a1e71bc939551d5afb8bf7462/analysis/1500412803/",
"category": "External analysis",
"uuid": "a7973cf8-6939-41d7-8745-ada586d7accc"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "17/58",
"category": "Other",
"uuid": "c7fa26cf-cf90-4317-95d6-e7cb733aae80"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--31d38205-0b87-4063-a326-2e4f1a2459db",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T21:02:58.000Z",
"modified": "2018-07-25T21:02:58.000Z",
"pattern": "[file:hashes.MD5 = '11180b265b010fbfa05c08681261ac57' AND file:hashes.SHA1 = '0eed43d63b6f3e5e696e7b99cfa538c12a13321d' AND file:hashes.SHA256 = '269f88cfa9e9e26f3761aedee5d0836b5b82f346128fe03da28a331f80a5fba3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T21:02:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--4ed5377e-7638-45ba-9377-a1aa31e4a4ae",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T21:02:59.000Z",
"modified": "2018-07-25T21:02:59.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2017-03-15 10:30:38",
"category": "Other",
"uuid": "bb0f567b-3154-4c7a-9f5d-478efc6fa6b8"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/269f88cfa9e9e26f3761aedee5d0836b5b82f346128fe03da28a331f80a5fba3/analysis/1489573838/",
"category": "External analysis",
"uuid": "bff87e3b-7d19-4641-94ca-2d92f7683cde"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "52/60",
"category": "Other",
"uuid": "44855b6c-b687-4d04-8cd0-a297a0f47c32"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b6d5fe7e-b69f-4e54-942e-360486c7bfcb",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T21:03:05.000Z",
"modified": "2018-07-25T21:03:05.000Z",
"pattern": "[file:hashes.MD5 = 'dc31516a473d8b9cb634bf1f48a7065f' AND file:hashes.SHA1 = '10301bf7f1202c57df484ebcc125b84d8d427014' AND file:hashes.SHA256 = '711431204071b1e6f5b5644e0f0b23464c6ef5c254d7a40c4e6fe7c8782cd55c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T21:03:05Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--776e2aba-176a-48be-895a-c6d665ffcd02",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T21:03:06.000Z",
"modified": "2018-07-25T21:03:06.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2016-11-10 15:50:58",
"category": "Other",
"uuid": "58e7f184-7092-463f-a342-2b475e53aec4"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/711431204071b1e6f5b5644e0f0b23464c6ef5c254d7a40c4e6fe7c8782cd55c/analysis/1478793058/",
"category": "External analysis",
"uuid": "e18d6539-c159-47bf-91be-068da68abe71"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "26/54",
"category": "Other",
"uuid": "884a8c07-14d5-4574-aaa4-7aac53dde5c8"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d7634bbe-3e21-4bcf-b1ae-8d7625dfeea4",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T21:03:12.000Z",
"modified": "2018-07-25T21:03:12.000Z",
"pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e' AND file:hashes.SHA1 = 'da39a3ee5e6b4b0d3255bfef95601890afd80709' AND file:hashes.SHA256 = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T21:03:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--3acaf083-3b2a-4b5f-9451-7c1ea9b39768",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T21:03:13.000Z",
"modified": "2018-07-25T21:03:13.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-07-25 20:49:30",
"category": "Other",
"uuid": "d5580362-b4ad-4ee2-9c38-7bb05878a591"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/analysis/1532551770/",
"category": "External analysis",
"uuid": "887aea02-9162-47a8-9684-0cb42bda0520"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "0/61",
"category": "Other",
"uuid": "6d26efdf-e637-4a26-a036-b21a524e663a"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--16984ff8-41a2-42d9-a859-87df65432e94",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T21:03:19.000Z",
"modified": "2018-07-25T21:03:19.000Z",
"pattern": "[file:hashes.MD5 = '6fcc13563aad936c7d0f3165351cb453' AND file:hashes.SHA1 = '8b1757b95b7b7f9c4dfa09b52b0d3c6451b269fc' AND file:hashes.SHA256 = '093c81f0b234c2aa0363129fdaaaf57551f161915da3d23f43a792b5f3024c1e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T21:03:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--8df7db4c-c0a1-495d-a400-6e134bf827a6",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T21:03:20.000Z",
"modified": "2018-07-25T21:03:20.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2017-12-19 00:26:19",
"category": "Other",
"uuid": "520c34d4-ed53-4cf2-be8d-0d6dbcc95604"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/093c81f0b234c2aa0363129fdaaaf57551f161915da3d23f43a792b5f3024c1e/analysis/1513643179/",
"category": "External analysis",
"uuid": "1c2745c4-6d74-407c-aef0-dc86e8edce38"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "44/67",
"category": "Other",
"uuid": "473e0959-9f52-4d7c-82d1-1540cb995bb3"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--18574ddd-6a89-41b7-924b-d9a1388d4fc0",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T21:03:26.000Z",
"modified": "2018-07-25T21:03:26.000Z",
"pattern": "[file:hashes.MD5 = '83d21d808f7408ebcb3947cb88366172' AND file:hashes.SHA1 = 'ef12b3c274c02a68f678b618828ee4c92a297e59' AND file:hashes.SHA256 = 'a78b93a11ce649be3ca91812769f95a40de9d78e97a627366917c4fcd747f156']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T21:03:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--77f014cd-c354-4167-86fa-78e315ba907b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T21:03:27.000Z",
"modified": "2018-07-25T21:03:27.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2017-07-18 20:58:26",
"category": "Other",
"uuid": "e01b2c15-aa53-4020-82d3-0f1f7ce840e2"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/a78b93a11ce649be3ca91812769f95a40de9d78e97a627366917c4fcd747f156/analysis/1500411506/",
"category": "External analysis",
"uuid": "684f43f7-25ca-47f6-be6d-5739d4f57d72"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "36/58",
"category": "Other",
"uuid": "8a2f71fb-df0f-41c0-9950-db186f88f8f4"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--0d95e126-39c8-4048-be62-5470568b0f0f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T21:03:33.000Z",
"modified": "2018-07-25T21:03:33.000Z",
"pattern": "[file:hashes.MD5 = '8758b7984fa2f20ada64e95cf9d5d192' AND file:hashes.SHA1 = 'd35ee56d673fa44a72cf43e6c16f9270dea33f2d' AND file:hashes.SHA256 = '90063c40cb94277f39ca1b3818b36b4fa41b3a3091d42dfc21586ad1c461daa0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-07-25T21:03:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--11e88643-99a3-4053-b9bf-73f53056ebae",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-07-25T21:03:34.000Z",
"modified": "2018-07-25T21:03:34.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2016-12-13 19:02:03",
"category": "Other",
"uuid": "2aed675b-f09b-4b27-aa4e-d8cef860ee81"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/90063c40cb94277f39ca1b3818b36b4fa41b3a3091d42dfc21586ad1c461daa0/analysis/1481655723/",
"category": "External analysis",
"uuid": "57b62add-1e94-406b-9081-eac88b655b27"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "40/55",
"category": "Other",
"uuid": "3208bb65-c286-4c9b-958f-f1d7488b957c"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--736b03dd-eec1-443d-8c29-150c224a8a4b",
"created": "2018-07-25T21:03:36.000Z",
"modified": "2018-07-25T21:03:36.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--a9d88727-e3a0-4095-b1d0-2b156670a502",
"target_ref": "x-misp-object--edb2ae54-a660-4d51-ab66-8f27d9223543"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--7121db55-c648-4658-b41f-c498da0cc314",
"created": "2018-07-25T21:03:37.000Z",
"modified": "2018-07-25T21:03:37.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--98a247a0-d160-4eee-be67-362795be9206",
"target_ref": "x-misp-object--0d28ddad-c7aa-4a6b-a448-c253efd98a2f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--9612ca2b-9ac4-42e2-9bc5-15daed0cc64b",
"created": "2018-07-25T21:03:37.000Z",
"modified": "2018-07-25T21:03:37.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--b0fd87a7-f7be-4f96-8ebc-90044b6c09ab",
"target_ref": "x-misp-object--e548da40-21e0-44e7-8878-30051f1ffa04"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--064e7c6c-4fb7-4a6d-b2d5-708036c1e023",
"created": "2018-07-25T21:03:37.000Z",
"modified": "2018-07-25T21:03:37.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--ef42d127-90f8-425a-8866-83310e33e640",
"target_ref": "x-misp-object--6709cf8f-3627-407e-8485-e6218167d3c0"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--7835cacf-6643-4ae9-852a-e3aa49091f6f",
"created": "2018-07-25T21:03:37.000Z",
"modified": "2018-07-25T21:03:37.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--f734d0d6-468b-4c5d-8883-d137f6140100",
"target_ref": "x-misp-object--71d925d6-48ee-413d-bb73-c729eedd03f1"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--1500ac51-e910-45fb-b39b-d6818faf28cf",
"created": "2018-07-25T21:03:37.000Z",
"modified": "2018-07-25T21:03:37.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--31d38205-0b87-4063-a326-2e4f1a2459db",
"target_ref": "x-misp-object--4ed5377e-7638-45ba-9377-a1aa31e4a4ae"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--e6ff039d-3ba4-46f6-964e-829ecd5d40e5",
"created": "2018-07-25T21:03:37.000Z",
"modified": "2018-07-25T21:03:37.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--b6d5fe7e-b69f-4e54-942e-360486c7bfcb",
"target_ref": "x-misp-object--776e2aba-176a-48be-895a-c6d665ffcd02"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--7c8eb544-fee2-45db-8256-18ba2bd218bc",
"created": "2018-07-25T21:03:37.000Z",
"modified": "2018-07-25T21:03:37.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--d7634bbe-3e21-4bcf-b1ae-8d7625dfeea4",
"target_ref": "x-misp-object--3acaf083-3b2a-4b5f-9451-7c1ea9b39768"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--5cbe67e0-57c5-4463-85a9-28f2a53562d4",
"created": "2018-07-25T21:03:37.000Z",
"modified": "2018-07-25T21:03:37.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--16984ff8-41a2-42d9-a859-87df65432e94",
"target_ref": "x-misp-object--8df7db4c-c0a1-495d-a400-6e134bf827a6"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--7ab0e094-1d1c-4335-af39-c277a3b65202",
"created": "2018-07-25T21:03:37.000Z",
"modified": "2018-07-25T21:03:37.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--18574ddd-6a89-41b7-924b-d9a1388d4fc0",
"target_ref": "x-misp-object--77f014cd-c354-4167-86fa-78e315ba907b"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--de3baebf-c58b-46f2-81ee-13b21a2bc4f9",
"created": "2018-07-25T21:03:37.000Z",
"modified": "2018-07-25T21:03:37.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--0d95e126-39c8-4048-be62-5470568b0f0f",
"target_ref": "x-misp-object--11e88643-99a3-4053-b9bf-73f53056ebae"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}