adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/59ad9e2d-f574-4d6f-94ac-45e102de0b81.json

365 lines
No EOL
15 KiB
JSON
Raw Blame History

{
"type": "bundle",
"id": "bundle--59ad9e2d-f574-4d6f-94ac-45e102de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:19:17.000Z",
"modified": "2017-09-06T14:19:17.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "grouping",
"spec_version": "2.1",
"id": "grouping--59ad9e2d-f574-4d6f-94ac-45e102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:19:17.000Z",
"modified": "2017-09-06T14:19:17.000Z",
"name": "OSINT - Cobian RAT \u2013 A backdoored RAT",
"context": "suspicious-activity",
"object_refs": [
"observed-data--59ad9e86-6050-40f3-b339-81f602de0b81",
"url--59ad9e86-6050-40f3-b339-81f602de0b81",
"x-misp-attribute--59ad9e9e-58d8-425d-978a-261f02de0b81",
"indicator--59ad9eee-b230-4355-9883-4eef02de0b81",
"indicator--59ad9eee-9c8c-4013-92b2-426002de0b81",
"indicator--59ad9eee-8ebc-45bc-a052-4dac02de0b81",
"indicator--59ad9eff-507c-4da9-9daa-467c02de0b81",
"indicator--59ad9f44-33bc-4df3-a06f-498002de0b81",
"indicator--59ad9f76-95b4-4e02-8e1b-46da02de0b81",
"indicator--59ad9f76-71c8-476c-a411-465502de0b81",
"observed-data--59ad9f76-02dc-4241-bee7-415402de0b81",
"url--59ad9f76-02dc-4241-bee7-415402de0b81",
"indicator--59ad9f76-537c-48ec-8e7a-4f1c02de0b81",
"indicator--59ad9f76-2a18-4606-a98f-48f002de0b81",
"observed-data--59ad9f76-da08-44f3-a3fa-44a002de0b81",
"url--59ad9f76-da08-44f3-a3fa-44a002de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"blog-post\"",
"misp-galaxy:rat=\"Cobian RAT\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59ad9e86-6050-40f3-b339-81f602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-04T18:46:14.000Z",
"modified": "2017-09-04T18:46:14.000Z",
"first_observed": "2017-09-04T18:46:14Z",
"last_observed": "2017-09-04T18:46:14Z",
"number_observed": 1,
"object_refs": [
"url--59ad9e86-6050-40f3-b339-81f602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59ad9e86-6050-40f3-b339-81f602de0b81",
"value": "https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--59ad9e9e-58d8-425d-978a-261f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-04T18:46:14.000Z",
"modified": "2017-09-04T18:46:14.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "The Zscaler ThreatLabZ research team has been monitoring a new remote access Trojan (RAT) family called Cobian RAT since February 2017. The RAT builder for this family was first advertised on multiple underground forums where cybercriminals often buy and sell exploit and malware kits. This RAT builder caught our attention as it was being offered for free and had lot of similarities to the njRAT/H-Worm family, which we analyzed in this report."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59ad9eee-b230-4355-9883-4eef02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-04T18:46:14.000Z",
"modified": "2017-09-04T18:46:14.000Z",
"pattern": "[file:hashes.MD5 = '94911666a61beb59d2988c4fc7003e5a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-04T18:46:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59ad9eee-9c8c-4013-92b2-426002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-04T18:46:14.000Z",
"modified": "2017-09-04T18:46:14.000Z",
"pattern": "[file:hashes.MD5 = '7eede7047d3d785db248df0870783637']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-04T18:46:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59ad9eee-8ebc-45bc-a052-4dac02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-04T18:46:14.000Z",
"modified": "2017-09-04T18:46:14.000Z",
"pattern": "[url:value = 'belkomsolutions.com/t/guangzhou\\\\%20sonicstar\\\\%20electronics\\\\%20co\\\\%20ltd.zip']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-04T18:46:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59ad9eff-507c-4da9-9daa-467c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-04T18:46:14.000Z",
"modified": "2017-09-04T18:46:14.000Z",
"description": "C&C: swez111.ddns[.]net:20000",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '173.254.223.81']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-04T18:46:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59ad9f44-33bc-4df3-a06f-498002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-04T18:46:14.000Z",
"modified": "2017-09-04T18:46:14.000Z",
"description": "On port 20000",
"pattern": "[domain-name:value = 'swez111.ddns.net']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-04T18:46:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59ad9f76-95b4-4e02-8e1b-46da02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-04T18:46:14.000Z",
"modified": "2017-09-04T18:46:14.000Z",
"description": "- Xchecked via VT: 7eede7047d3d785db248df0870783637",
"pattern": "[file:hashes.SHA256 = '020a17a3e3e932f4870152379863b0c19a6a07b04bcffcb65670300c69a5cc28']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-04T18:46:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59ad9f76-71c8-476c-a411-465502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-04T18:46:14.000Z",
"modified": "2017-09-04T18:46:14.000Z",
"description": "- Xchecked via VT: 7eede7047d3d785db248df0870783637",
"pattern": "[file:hashes.SHA1 = '48e44f342d6a89bf56776c8356ca9a7377fa8d4b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-04T18:46:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59ad9f76-02dc-4241-bee7-415402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-04T18:46:14.000Z",
"modified": "2017-09-04T18:46:14.000Z",
"first_observed": "2017-09-04T18:46:14Z",
"last_observed": "2017-09-04T18:46:14Z",
"number_observed": 1,
"object_refs": [
"url--59ad9f76-02dc-4241-bee7-415402de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59ad9f76-02dc-4241-bee7-415402de0b81",
"value": "https://www.virustotal.com/file/020a17a3e3e932f4870152379863b0c19a6a07b04bcffcb65670300c69a5cc28/analysis/1504274179/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59ad9f76-537c-48ec-8e7a-4f1c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-04T18:46:14.000Z",
"modified": "2017-09-04T18:46:14.000Z",
"description": "- Xchecked via VT: 94911666a61beb59d2988c4fc7003e5a",
"pattern": "[file:hashes.SHA256 = 'cfc8324c59165b25b78c640ed77ebd7c867e042e09c95c218d84c5cd8e46910e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-04T18:46:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59ad9f76-2a18-4606-a98f-48f002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-04T18:46:14.000Z",
"modified": "2017-09-04T18:46:14.000Z",
"description": "- Xchecked via VT: 94911666a61beb59d2988c4fc7003e5a",
"pattern": "[file:hashes.SHA1 = '78174ecc21b4ae638c2064f5c2460d3b06ad397b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-04T18:46:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59ad9f76-da08-44f3-a3fa-44a002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-04T18:46:14.000Z",
"modified": "2017-09-04T18:46:14.000Z",
"first_observed": "2017-09-04T18:46:14Z",
"last_observed": "2017-09-04T18:46:14Z",
"number_observed": 1,
"object_refs": [
"url--59ad9f76-da08-44f3-a3fa-44a002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59ad9f76-da08-44f3-a3fa-44a002de0b81",
"value": "https://www.virustotal.com/file/cfc8324c59165b25b78c640ed77ebd7c867e042e09c95c218d84c5cd8e46910e/analysis/1504274176/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue View git blame Copy permalink