adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/5e2c4c13-1f64-4e4e-8165-4801950d210f.json

500 lines
No EOL
20 KiB
JSON
Raw Blame History

{
"type": "bundle",
"id": "bundle--5e2c4c13-1f64-4e4e-8165-4801950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--5e16d2bc-5c68-4ef1-bc80-47f5950d210f",
"created": "2020-01-31T07:35:51.000Z",
"modified": "2020-01-31T07:35:51.000Z",
"name": "wilbursecurity.com",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5e2c4c13-1f64-4e4e-8165-4801950d210f",
"created_by_ref": "identity--5e16d2bc-5c68-4ef1-bc80-47f5950d210f",
"created": "2020-01-31T07:35:51.000Z",
"modified": "2020-01-31T07:35:51.000Z",
"name": "Emotet/Trickbot",
"published": "2020-01-31T07:36:02Z",
"object_refs": [
"indicator--5e2c4de1-ac54-48d5-a37d-e9b4950d210f",
"indicator--5e2c4de1-d8f0-4c26-a183-e9b4950d210f",
"indicator--5e2c4dfa-7538-4f47-bdec-e9b4950d210f",
"indicator--5e2c5016-8b18-4d7a-9ec0-414b950d210f",
"indicator--5e2c5079-86ec-4f16-b647-75a9950d210f",
"indicator--5e2c536a-4134-427d-98d1-4eaf950d210f",
"indicator--5e2c5370-3918-40ec-8c2f-4a0a950d210f",
"indicator--5e2c5376-cd28-4e38-a0e7-48cc950d210f",
"indicator--5e2c5376-8478-43fc-8eac-42b2950d210f",
"indicator--5e2c5ac2-3588-439c-b693-43d8950d210f",
"indicator--5e2dac25-eda0-44f4-93d4-48af950d210f",
"indicator--5e2dac2a-0ae0-4120-a56e-4ea1950d210f",
"indicator--5e2dd390-a514-4790-8a1d-be6c950d210f",
"indicator--5e2dd532-a644-43e8-b03d-418c950d210f",
"indicator--5e2e3a1b-b21c-419a-a86e-4b42950d210f",
"observed-data--5e2e3a79-d648-4d6f-8375-83e8950d210f",
"network-traffic--5e2e3a79-d648-4d6f-8375-83e8950d210f",
"ipv4-addr--5e2e3a79-d648-4d6f-8375-83e8950d210f",
"x-misp-object--5e2c4ed1-e340-4765-a21f-75ba950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"Banker: TrickBot",
"malware:emotet"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e2c4de1-ac54-48d5-a37d-e9b4950d210f",
"created_by_ref": "identity--5e16d2bc-5c68-4ef1-bc80-47f5950d210f",
"created": "2020-01-25T14:32:49.000Z",
"modified": "2020-01-25T14:32:49.000Z",
"description": "Trickbot download and IEX via powershell",
"pattern": "[url:value = 'https://jomamba.best:80/adgvredgdz']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-01-25T14:32:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e2c4de1-d8f0-4c26-a183-e9b4950d210f",
"created_by_ref": "identity--5e16d2bc-5c68-4ef1-bc80-47f5950d210f",
"created": "2020-01-25T14:32:42.000Z",
"modified": "2020-01-25T14:32:42.000Z",
"description": "Trickbot download and IEX via powershell",
"pattern": "[url:value = 'http://144.202.114.147:80/aascx']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-01-25T14:32:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e2c4dfa-7538-4f47-bdec-e9b4950d210f",
"created_by_ref": "identity--5e16d2bc-5c68-4ef1-bc80-47f5950d210f",
"created": "2020-01-25T14:32:14.000Z",
"modified": "2020-01-25T14:32:14.000Z",
"description": "Trickbot download and IEX via powershell",
"pattern": "[url:value = 'http://149.28.106.230/adsfjasktmsttyoatopoyamfkytasrdltoiqrttmcvbmltpatp']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-01-25T14:32:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e2c5016-8b18-4d7a-9ec0-414b950d210f",
"created_by_ref": "identity--5e16d2bc-5c68-4ef1-bc80-47f5950d210f",
"created": "2020-01-25T14:26:30.000Z",
"modified": "2020-01-25T14:26:30.000Z",
"description": "C2 via powershell",
"pattern": "[url:value = '149.28.106.230.vultr.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-01-25T14:26:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e2c5079-86ec-4f16-b647-75a9950d210f",
"created_by_ref": "identity--5e16d2bc-5c68-4ef1-bc80-47f5950d210f",
"created": "2020-01-25T14:28:09.000Z",
"modified": "2020-01-25T14:28:09.000Z",
"description": "C2 via Emotet",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '68.183.170.114']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-01-25T14:28:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e2c536a-4134-427d-98d1-4eaf950d210f",
"created_by_ref": "identity--5e16d2bc-5c68-4ef1-bc80-47f5950d210f",
"created": "2020-01-25T14:40:42.000Z",
"modified": "2020-01-25T14:40:42.000Z",
"description": "Trickbot connected to this domain",
"pattern": "[domain-name:value = '2cdajlnnwxfylth4.onion']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-01-25T14:40:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e2c5370-3918-40ec-8c2f-4a0a950d210f",
"created_by_ref": "identity--5e16d2bc-5c68-4ef1-bc80-47f5950d210f",
"created": "2020-01-25T14:40:48.000Z",
"modified": "2020-01-25T14:40:48.000Z",
"description": "Trickbot connected to this domain",
"pattern": "[domain-name:value = 'myexternalip.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-01-25T14:40:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e2c5376-cd28-4e38-a0e7-48cc950d210f",
"created_by_ref": "identity--5e16d2bc-5c68-4ef1-bc80-47f5950d210f",
"created": "2020-01-25T14:40:54.000Z",
"modified": "2020-01-25T14:40:54.000Z",
"description": "Trickbot connected to this domain",
"pattern": "[domain-name:value = 'chekfast.zennolab.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-01-25T14:40:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e2c5376-8478-43fc-8eac-42b2950d210f",
"created_by_ref": "identity--5e16d2bc-5c68-4ef1-bc80-47f5950d210f",
"created": "2020-01-25T14:40:54.000Z",
"modified": "2020-01-25T14:40:54.000Z",
"description": "Trickbot connected to this domain",
"pattern": "[domain-name:value = 'api.ipify.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-01-25T14:40:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e2c5ac2-3588-439c-b693-43d8950d210f",
"created_by_ref": "identity--5e16d2bc-5c68-4ef1-bc80-47f5950d210f",
"created": "2020-01-25T15:12:02.000Z",
"modified": "2020-01-25T15:12:02.000Z",
"description": "PowerView.ps1",
"pattern": "[url:value = 'https://qwe4dse4.com/hcxUr9dg.ps1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-01-25T15:12:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e2dac25-eda0-44f4-93d4-48af950d210f",
"created_by_ref": "identity--5e16d2bc-5c68-4ef1-bc80-47f5950d210f",
"created": "2020-01-26T15:11:33.000Z",
"modified": "2020-01-26T15:11:33.000Z",
"description": "Trickbot download and IEX via powershell",
"pattern": "[url:value = 'http://207.148.30.186:80/asdkjbaskjnvscjshxhgbsxsanxrvsars']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-01-26T15:11:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e2dac2a-0ae0-4120-a56e-4ea1950d210f",
"created_by_ref": "identity--5e16d2bc-5c68-4ef1-bc80-47f5950d210f",
"created": "2020-01-26T15:11:38.000Z",
"modified": "2020-01-26T15:11:38.000Z",
"description": "Trickbot download and IEX via powershell",
"pattern": "[url:value = 'http://155.138.202.17:80/aieutireuoitreuJHJksfhkjhewkkkqowJLKjswwoieuoepo']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-01-26T15:11:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e2dd390-a514-4790-8a1d-be6c950d210f",
"created_by_ref": "identity--5e16d2bc-5c68-4ef1-bc80-47f5950d210f",
"created": "2020-01-26T17:59:44.000Z",
"modified": "2020-01-26T17:59:44.000Z",
"description": "Trickbot potential c2",
"pattern": "[url:value = 'https://updatewinlsass.com:80/afdgszfsbgrg']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-01-26T17:59:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e2dd532-a644-43e8-b03d-418c950d210f",
"created_by_ref": "identity--5e16d2bc-5c68-4ef1-bc80-47f5950d210f",
"created": "2020-01-26T18:06:42.000Z",
"modified": "2020-01-26T18:06:42.000Z",
"description": "Trickbot PowerTrick",
"pattern": "[domain-name:value = 'updatewinlsass.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-01-26T18:06:42Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5e2e3a1b-b21c-419a-a86e-4b42950d210f",
"created_by_ref": "identity--5e16d2bc-5c68-4ef1-bc80-47f5950d210f",
"created": "2020-01-27T01:17:15.000Z",
"modified": "2020-01-27T01:17:15.000Z",
"description": "Trickbot download and IEX via powershell",
"pattern": "[url:value = 'https://koretycbeeb.com:80/lmjnbvgftyujkiu765678']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2020-01-27T01:17:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5e2e3a79-d648-4d6f-8375-83e8950d210f",
"created_by_ref": "identity--5e16d2bc-5c68-4ef1-bc80-47f5950d210f",
"created": "2020-01-27T01:18:49.000Z",
"modified": "2020-01-27T01:18:49.000Z",
"first_observed": "2020-01-27T01:18:49Z",
"last_observed": "2020-01-27T01:18:49Z",
"number_observed": 1,
"object_refs": [
"network-traffic--5e2e3a79-d648-4d6f-8375-83e8950d210f",
"ipv4-addr--5e2e3a79-d648-4d6f-8375-83e8950d210f"
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--5e2e3a79-d648-4d6f-8375-83e8950d210f",
"dst_ref": "ipv4-addr--5e2e3a79-d648-4d6f-8375-83e8950d210f",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--5e2e3a79-d648-4d6f-8375-83e8950d210f",
"value": "155.138.142.157"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--5e2c4ed1-e340-4765-a21f-75ba950d210f",
"created_by_ref": "identity--5e16d2bc-5c68-4ef1-bc80-47f5950d210f",
"created": "2020-01-25T14:34:48.000Z",
"modified": "2020-01-25T14:34:48.000Z",
"labels": [
"misp:name=\"shell-commands\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "text",
"object_relation": "shell-command",
"value": "nltest /domain_trusts /all_trusts",
"category": "Other",
"comment": "Trickbot",
"uuid": "5e2c4ed1-17f8-4e56-8dbb-75ba950d210f"
},
{
"type": "text",
"object_relation": "shell-command",
"value": "net view /all /domain",
"category": "Other",
"comment": "Trickbot",
"uuid": "5e2c4ed8-3fec-42f4-99b8-75ba950d210f"
},
{
"type": "text",
"object_relation": "shell-command",
"value": "net config workstation",
"category": "Other",
"comment": "Trickbot",
"uuid": "5e2c4ede-6fc8-48fa-a7f7-75ba950d210f"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "shell-commands"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue View git blame Copy permalink