672 lines
No EOL
35 KiB
JSON
672 lines
No EOL
35 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--dfd47825-5536-4360-833f-b72868ce8a2a",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-22T11:08:49.000Z",
|
|
"modified": "2023-03-22T11:08:49.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--dfd47825-5536-4360-833f-b72868ce8a2a",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-22T11:08:49.000Z",
|
|
"modified": "2023-03-22T11:08:49.000Z",
|
|
"name": "NOBELIUM Uses Poland's Ambassador\u2019s Visit to the U.S. to Target EU Governments Assisting Ukraine",
|
|
"published": "2023-03-22T11:08:56Z",
|
|
"object_refs": [
|
|
"indicator--e563d09d-6058-4104-99e9-e79723ee0238",
|
|
"indicator--6c97fefc-4cd9-4a96-89fc-68b18fc1d104",
|
|
"indicator--fddafd79-ff8d-44ff-8c2b-2a73950f7df8",
|
|
"indicator--0942be9b-847c-438a-b613-696ce960552b",
|
|
"indicator--b483874d-d917-4315-b960-bc932acc677b",
|
|
"indicator--957e0b85-7fb3-473a-8ea1-4895db8c9b50",
|
|
"indicator--e367a53d-2f54-436c-8c47-8c1f964297ad",
|
|
"indicator--ca8258af-8ec9-4a8f-a36f-56af1226821e",
|
|
"indicator--d762968b-4a3a-47da-9109-9a6c5cec9af5",
|
|
"indicator--8941a758-861b-41f6-99f9-0ef933392612",
|
|
"indicator--39ff865c-9197-4998-9273-ef6012cf5eac",
|
|
"indicator--064b05a1-b399-4477-bc4e-c9ff8d9d5412",
|
|
"indicator--c86a92bb-7e81-4cbd-b3c7-16b11b4f52b6",
|
|
"indicator--7241bc16-7eec-437b-94c8-f214e7674a7a",
|
|
"indicator--0f14d6ca-512e-419f-b466-e7248729b475",
|
|
"indicator--aca03861-2dcc-4531-8ca7-6268f040ab42",
|
|
"indicator--847e4cdd-584d-4ee8-bf00-0d9a6b555d93",
|
|
"indicator--3e561e01-96af-44a3-9fe7-09eb9bf30c75",
|
|
"indicator--bb2c4e70-6c8a-4874-9e33-1a540448f6aa",
|
|
"indicator--52043d37-ebab-44a1-8eec-a37894d70749",
|
|
"indicator--450cb8b4-9f57-4dee-ba53-0c31e59128e3",
|
|
"x-misp-object--a59cab1a-1100-4cc7-b625-33a7fa39425c",
|
|
"indicator--eb3f981d-b9ad-4986-bf24-b738729f05b3",
|
|
"indicator--e611ac1d-7c57-484b-9c47-40da2960dfdd"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"misp-galaxy:microsoft-activity-group=\"NOBELIUM\"",
|
|
"misp-galaxy:mitre-intrusion-set=\"APT29 - G0016\"",
|
|
"misp-galaxy:mitre-intrusion-set=\"UNC2452 - G0118\"",
|
|
"misp-galaxy:threat-actor=\"UNC2452\"",
|
|
"misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"",
|
|
"misp-galaxy:mitre-attack-pattern=\"Drive-by Compromise - T1189\"",
|
|
"misp-galaxy:mitre-attack-pattern=\"Trusted Relationship - T1199\"",
|
|
"misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1406\"",
|
|
"misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
|
|
"misp-galaxy:mitre-attack-pattern=\"Web Service - T1102\"",
|
|
"misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
|
|
"misp-galaxy:mitre-attack-pattern=\"Boot or Logon Autostart Execution - T1547\"",
|
|
"misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
|
|
"misp-galaxy:mitre-attack-pattern=\"Compromise Infrastructure - T1584\"",
|
|
"misp-galaxy:mitre-attack-pattern=\"Web Services - T1584.006\"",
|
|
"misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1192\"",
|
|
"misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\"",
|
|
"misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
|
|
"misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
|
|
"misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1060\"",
|
|
"misp-galaxy:mitre-attack-pattern=\"HTML Smuggling - T1027.006\"",
|
|
"misp-galaxy:mitre-attack-pattern=\"Bidirectional Communication - T1102.002\"",
|
|
"type:OSINT",
|
|
"osint:lifetime=\"perpetual\"",
|
|
"osint:certainty=\"50\"",
|
|
"tlp:clear",
|
|
"misp-galaxy:region=\"150 - Europe\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--e563d09d-6058-4104-99e9-e79723ee0238",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-20T14:23:59.000Z",
|
|
"modified": "2023-03-20T14:23:59.000Z",
|
|
"pattern": "[file:hashes.SHA256 = 'e957326b2167fa7ccd508cbf531779a28bfce75eb2635ab81826a522979aeb98']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-03-20T14:23:59Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--6c97fefc-4cd9-4a96-89fc-68b18fc1d104",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-20T14:23:59.000Z",
|
|
"modified": "2023-03-20T14:23:59.000Z",
|
|
"pattern": "[file:hashes.SHA256 = 'dffaefaabbcf6da029f927e67e38c0d1e6271bf998040cfd6d8c50a4eff639df']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-03-20T14:23:59Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--fddafd79-ff8d-44ff-8c2b-2a73950f7df8",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-20T14:23:59.000Z",
|
|
"modified": "2023-03-20T14:23:59.000Z",
|
|
"pattern": "[file:hashes.SHA256 = 'dbb39c2f143265ad86946d1c016226b0e01614af35a2c666afa44ac43b76b276']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-03-20T14:23:59Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--0942be9b-847c-438a-b613-696ce960552b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-20T14:23:59.000Z",
|
|
"modified": "2023-03-20T14:23:59.000Z",
|
|
"pattern": "[file:hashes.SHA256 = 'c1ebaee855b5d9b67657f45d6d764f3c1e46c1fa6214329a3b51d14eba336256']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-03-20T14:23:59Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--b483874d-d917-4315-b960-bc932acc677b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-20T14:23:59.000Z",
|
|
"modified": "2023-03-20T14:23:59.000Z",
|
|
"pattern": "[file:hashes.SHA256 = '505f1e5aed542e8bfdb0052bbe8d3a2a9b08fc66ae49efbc9d9188a44c3870ed']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-03-20T14:23:59Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--957e0b85-7fb3-473a-8ea1-4895db8c9b50",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-20T14:23:59.000Z",
|
|
"modified": "2023-03-20T14:23:59.000Z",
|
|
"pattern": "[file:hashes.SHA256 = '4d92a4cecb62d237647a20d2cdfd944d5a29c1a14b274d729e9c8ccca1f0b68b']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-03-20T14:23:59Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--e367a53d-2f54-436c-8c47-8c1f964297ad",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-20T14:23:59.000Z",
|
|
"modified": "2023-03-20T14:23:59.000Z",
|
|
"pattern": "[file:hashes.SHA256 = '3a489ef91058620951cb185ec548b67f2b8d047e6fdb7638645ec092fc89a835']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-03-20T14:23:59Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--ca8258af-8ec9-4a8f-a36f-56af1226821e",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-20T14:23:59.000Z",
|
|
"modified": "2023-03-20T14:23:59.000Z",
|
|
"pattern": "[file:hashes.SHA256 = '21a0b617431850a9ea2698515c277cbd95de4e59c493d0d8f194f3808eb16354']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-03-20T14:23:59Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--d762968b-4a3a-47da-9109-9a6c5cec9af5",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-20T14:39:09.000Z",
|
|
"modified": "2023-03-20T14:39:09.000Z",
|
|
"pattern": "[file:hashes.SHA1 = '8eb64670c10505322d45f6114bc9f7de0826e3a1']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-03-20T14:39:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--8941a758-861b-41f6-99f9-0ef933392612",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-20T14:39:09.000Z",
|
|
"modified": "2023-03-20T14:39:09.000Z",
|
|
"pattern": "[file:hashes.SHA1 = '3fd43de3c9f7609c52da71c1fc4c01ce0b5ac74c']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-03-20T14:39:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--39ff865c-9197-4998-9273-ef6012cf5eac",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-20T14:39:09.000Z",
|
|
"modified": "2023-03-20T14:39:09.000Z",
|
|
"pattern": "[file:hashes.SHA1 = '2a0478a22d27f7af98786e873b6c85c4ae2e3b2e']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-03-20T14:39:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--064b05a1-b399-4477-bc4e-c9ff8d9d5412",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-20T14:39:09.000Z",
|
|
"modified": "2023-03-20T14:39:09.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'e693777a3a85583a1bbbd569415be09c']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-03-20T14:39:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--c86a92bb-7e81-4cbd-b3c7-16b11b4f52b6",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-20T14:39:09.000Z",
|
|
"modified": "2023-03-20T14:39:09.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'e0cb8157e6791390463714b38158195a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-03-20T14:39:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--7241bc16-7eec-437b-94c8-f214e7674a7a",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-20T14:39:09.000Z",
|
|
"modified": "2023-03-20T14:39:09.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'cf36bf564fbb7d5ec4cec9b0f185f6c9']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-03-20T14:39:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--0f14d6ca-512e-419f-b466-e7248729b475",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-20T14:39:09.000Z",
|
|
"modified": "2023-03-20T14:39:09.000Z",
|
|
"pattern": "[file:hashes.MD5 = '8d5c0f69c1caa29f8990fbc440ab3388']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-03-20T14:39:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--aca03861-2dcc-4531-8ca7-6268f040ab42",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-20T14:39:09.000Z",
|
|
"modified": "2023-03-20T14:39:09.000Z",
|
|
"pattern": "[file:hashes.MD5 = '89f716d32461880cd0359ffbb902f06e']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-03-20T14:39:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--847e4cdd-584d-4ee8-bf00-0d9a6b555d93",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-20T14:39:09.000Z",
|
|
"modified": "2023-03-20T14:39:09.000Z",
|
|
"pattern": "[file:hashes.MD5 = '82ecb8474efe5fedcb8f57b8aafa93d2']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-03-20T14:39:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--3e561e01-96af-44a3-9fe7-09eb9bf30c75",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-20T14:39:09.000Z",
|
|
"modified": "2023-03-20T14:39:09.000Z",
|
|
"pattern": "[file:hashes.MD5 = '67a6774fbc01eb838db364d4aa946a98']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-03-20T14:39:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--bb2c4e70-6c8a-4874-9e33-1a540448f6aa",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-20T14:39:09.000Z",
|
|
"modified": "2023-03-20T14:39:09.000Z",
|
|
"pattern": "[file:hashes.MD5 = '38b05aa4b5ba651ba95f7173c5145270']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-03-20T14:39:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--52043d37-ebab-44a1-8eec-a37894d70749",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-20T14:39:09.000Z",
|
|
"modified": "2023-03-20T14:39:09.000Z",
|
|
"pattern": "[url:value = 'https://literaturaelsalvador.com/Instructions.html']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-03-20T14:39:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--450cb8b4-9f57-4dee-ba53-0c31e59128e3",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-20T14:39:09.000Z",
|
|
"modified": "2023-03-20T14:39:09.000Z",
|
|
"pattern": "[url:value = 'https://literaturaelsalvador.com/Schedule.html']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-03-20T14:39:09Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--a59cab1a-1100-4cc7-b625-33a7fa39425c",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-20T13:14:28.000Z",
|
|
"modified": "2023-03-20T13:14:28.000Z",
|
|
"labels": [
|
|
"misp:name=\"report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "link",
|
|
"object_relation": "link",
|
|
"value": "https://blogs.blackberry.com/en/2023/03/nobelium-targets-eu-governments-assisting-ukraine",
|
|
"category": "External analysis",
|
|
"uuid": "f03d7256-7859-4e94-a678-3061871d8c99"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "link",
|
|
"value": "https://otx.alienvault.com/pulse/64160883fe275bce4bb6b07f",
|
|
"category": "External analysis",
|
|
"uuid": "f463855e-196b-46c8-bca6-e99e042a7898"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "summary",
|
|
"value": "NOBELIUM, aka APT29, is a sophisticated, Russian state-sponsored threat actor targeting Western countries. At the beginning of March, BlackBerry researchers observed a new campaign targeting European Union countries; specifically, its diplomatic entities and systems transmitting sensitive information about the region's politics, aiding Ukrainian citizens fleeing the country, and providing help to the government of Ukraine.",
|
|
"category": "Other",
|
|
"uuid": "c3169ae3-c39e-4bbd-a3bc-5d65b913caff"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "type",
|
|
"value": "Blog",
|
|
"category": "Other",
|
|
"uuid": "956c20cb-4378-46f8-b86f-6101095caf51"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--eb3f981d-b9ad-4986-bf24-b738729f05b3",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-20T13:41:55.000Z",
|
|
"modified": "2023-03-20T13:41:55.000Z",
|
|
"name": "NOBELIUM_SpyDLL_March2023",
|
|
"description": "Yara rule based on code NOBELIUM_SpyDLL_March2023",
|
|
"pattern": "rule NOBELIUM_SpyDLL_March2023 \r\n { \r\n meta: \r\n copyright = \\\\\"BlackBerry\\\\\" \r\n description = \\\\\"Yara rule based on code NOBELIUM_SpyDLL_March2023\\\\\" \r\n author = \\\\\"BlackBerry Threat Intelligence Team\\\\\" \r\n date = \\\\\"2023-03-07\\\\\" \r\n sha256 = \\\\\"e957326b2167fa7ccd508cbf531779a28bfce75eb2635ab81826a522979aeb98\\\\\" \r\n sha256 = \\\\\"4d92a4cecb62d237647a20d2cdfd944d5a29c1a14b274d729e9c8ccca1f0b68b\\\\\" \r\n sha256 = \\\\\"3a489ef91058620951cb185ec548b67f2b8d047e6fdb7638645ec092fc89a835\\\\\" \r\n strings: $1807379073_247 = { 8B ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 4C ?? ?? ?? ?? F7 ?? E8 ?? ?? ?? ?? 4C ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 10 ?? ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 8B ?? ?? ?? 89 ?? 49 ?? ?? 89 ?? 49 ?? ?? 49 ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? 4C ?? ?? 4C ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F 11 ?? ?? ?? 4C ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 9? 0F 10 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 5? 5? 5? 5? 41 ?? 41 ?? 41 ?? C3 } \r\n $1807233630_154 = { 48 ?? ?? ?? ?? ?? ?? 49 ?? ?? ?? 4C ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? 49 ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? 4C ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 49 ?? ?? 41 ?? ?? 4C ?? ?? 4D ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? 4C ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 4D ?? ?? 45 ?? ?? 4C ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? ?? ?? 45 ?? ?? 45 ?? ?? BA ?? ?? ?? ?? 31 ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 88 } \r\n $1807250632_125 = { 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? ?? ?? 4D ?? ?? 48 ?? ?? 4C ?? ?? E8 ?? ?? ?? ?? 45 ?? ?? 4D ?? ?? 4C ?? ?? 4C ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 85 } \r\n $1807244815_125 = { 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 4C ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? ?? ?? 49 ?? ?? 4C ?? ?? 4C ?? ?? E8 ?? ?? ?? ?? 45 ?? ?? 4D ?? ?? 4C ?? ?? 4C ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 85 } \r\n $1807376832_81 = { 41 ?? 41 ?? 41 ?? 41 ?? 5? 5? 5? 5? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? 0F 10 ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 10 ?? 49 ?? ?? 48 ?? ?? 4C ?? ?? 0F 11 ?? ?? ?? ?? ?? ?? 0F 11 ?? ?? ?? 83 ?? ?? ?? ?? 0F 11 ?? ?? ?? ?? ?? ?? 7D } \r\n $1807378924_80 = { 48 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? E8 ?? ?? ?? ?? 0F 10 ?? ?? ?? ?? ?? ?? 0F 10 ?? ?? ?? ?? ?? ?? 0F 10 ?? ?? ?? ?? ?? ?? 0F 11 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 0F 11 ?? ?? ?? ?? ?? ?? 0F 11 ?? ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? ?? 74 } \r\n $1807227484_78 = { 31 ?? 31 ?? 4C ?? ?? FF D? 49 ?? ?? ?? 31 ?? 4D ?? ?? 4C ?? ?? F2 ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 4C ?? ?? F2 ?? 89 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? 4C ?? ?? 48 ?? ?? 44 ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } \r\n $1807233543_78 = { 4C ?? ?? 4C ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 49 ?? ?? 48 ?? ?? ?? ?? 4C ?? ?? 49 ?? ?? 4C ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 4C ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? 41 ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? E8 ?? ?? ?? ?? 45 ?? ?? 0F 85 } \r\n $1807231440_74 = { 4C ?? ?? 31 ?? 48 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 8A ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? 42 ?? ?? ?? 0F BE ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 4C ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 75 } \r\n $1807236234_71 = { 41 ?? 41 ?? 41 ?? 41 ?? 5? 5? 5? 5? 48 ?? ?? ?? 45 ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? C6 ?? ?? 49 ?? ?? 44 ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 45 ?? ?? 48 ?? ?? 4C ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 0F 85 } \r\n $1807238694_70 = { 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 4C ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 0F 84 } \r\n $1807227341_69 = { 31 ?? 31 ?? FF D? 4C ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 45 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 4C ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 48 ?? ?? 0F 84 } \r\n $1807227414_66 = { 4D ?? ?? 45 ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 48 ?? ?? 0F 84 } \r\n $1807378203_62 = { 41 ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 31 ?? 41 ?? ?? 41 ?? ?? ?? ?? ?? ?? 99 41 ?? ?? 45 ?? ?? 41 ?? ?? ?? ?? ?? 0F 9F ?? 01 ?? 8D ?? ?? ?? ?? ?? 99 41 ?? ?? 48 ?? ?? 81 F? ?? ?? ?? ?? 7D } \r\n $1807378800_62 = { 41 ?? 41 ?? 41 ?? 5? 5? 5? 5? 48 ?? ?? ?? ?? ?? ?? 0F 11 ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? 49 ?? ?? 49 ?? ?? 4C ?? ?? 0F 54 ?? ?? ?? ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? 73 } \r\n $1807239523_59 = { 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? 49 ?? ?? 4C ?? ?? 4C ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 } \r\n $1807234558_49 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 45 ?? ?? 45 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? FF D? 83 ?? ?? 0F 85 } \r\n $1807229643_48 = { 48 ?? ?? ?? ?? ?? 0F B7 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? 8A ?? ?? ?? ?? ?? 84 ?? 75 } \r\n $1807251921_46 = { 44 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? 4C ?? ?? 41 ?? ?? 89 ?? 0F B7 ?? 8B ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? 41 ?? ?? ?? ?? ?? ?? 74 } \r\n $1807234510_44 = { 48 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 45 ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? FF D? 85 ?? 0F 85 } \r\n $1807248778_42 = { 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 4C ?? ?? 4C ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 } \r\n $1807227300_37 = { C7 ?? ?? ?? ?? ?? ?? ?? 45 ?? ?? 45 ?? ?? 31 ?? 48 ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 48 ?? ?? 0F 84 } \r\n $1807409201_33 = { 48 ?? ?? BD ?? ?? ?? ?? 49 ?? ?? 48 ?? ?? ?? 31 ?? 48 ?? ?? 0F 92 ?? 48 ?? ?? 4D ?? ?? 48 ?? ?? 75 } \r\n $1807348925_27 = { 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? 42 ?? ?? ?? ?? 88 ?? ?? ?? 0F B6 ?? ?? 45 ?? ?? 74 } \r\n $1807351416_16 = { 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 4C ?? ?? 0F 86 } condition: \r\n uint16(0) == 0x5a4d and filesize < 1MB and 18 of them \r\n }",
|
|
"pattern_type": "yara",
|
|
"valid_from": "2023-03-20T13:41:55Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "misc"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"yara\"",
|
|
"misp:meta-category=\"misc\"",
|
|
"misp:to_ids=\"True\""
|
|
],
|
|
"x_misp_reference": "https://otx.alienvault.com/indicator/yara/f7959f465becdc25d20f452cbd5d5759ea4a702e"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--e611ac1d-7c57-484b-9c47-40da2960dfdd",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-03-20T13:50:16.000Z",
|
|
"modified": "2023-03-20T13:50:16.000Z",
|
|
"description": "CC=US ASN=AS19871 NETWORK-SOLUTIONS-HOSTING",
|
|
"pattern": "[domain-name:resolves_to_refs[*].value = '108.167.180.186']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-03-20T13:50:16Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "network"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"domain-ip\"",
|
|
"misp:meta-category=\"network\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |