misp-circl-feed/feeds/circl/stix-2.1/572efbbc-ba08-4a82-b879-400d02de0b81.json


{
"type": "bundle",
"id": "bundle--572efbbc-ba08-4a82-b879-400d02de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T08:48:44.000Z",
"modified": "2016-05-08T08:48:44.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--572efbbc-ba08-4a82-b879-400d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T08:48:44.000Z",
"modified": "2016-05-08T08:48:44.000Z",
"name": "Fake scan campaigns (20160505 - 20160507) using docm - Dridex",
"published": "2016-05-08T08:52:06Z",
"object_refs": [
"indicator--572efbef-6894-4dd0-a438-480602de0b81",
"indicator--572efbef-28e4-487d-835b-4ecc02de0b81",
"indicator--572efbef-6b4c-485a-96b8-4c2402de0b81",
"indicator--572efbf0-65fc-41dc-9dd6-48d102de0b81",
"indicator--572efc0d-33dc-4c5a-86b2-424602de0b81",
"indicator--572efc0d-c538-47f4-9f65-477c02de0b81",
"indicator--572efc0e-66ec-433d-a8aa-408d02de0b81",
"indicator--572efc4e-cc64-4b0f-9b5f-427f02de0b81",
"indicator--572efc66-9ccc-4e82-8172-41a202de0b81",
"indicator--572efc67-9714-4709-8f5f-49d302de0b81",
"observed-data--572efc67-a9ac-4e71-91f3-482302de0b81",
"url--572efc67-a9ac-4e71-91f3-482302de0b81",
"indicator--572efc9d-79a4-4199-bde2-46cc02de0b81",
"indicator--572efd0b-677c-4f67-a705-4cb302de0b81",
"indicator--572efd13-8974-4e7a-947f-465102de0b81",
"indicator--572efd14-e58c-42aa-865b-4e5d02de0b81",
"observed-data--572efd14-f9e8-4c6b-8e9c-4bb802de0b81",
"url--572efd14-f9e8-4c6b-8e9c-4bb802de0b81",
"indicator--572efd55-bef4-4d63-9929-46d002de0b81",
"indicator--572efd6c-7f24-4459-9832-43d202de0b81",
"indicator--572efd6c-e894-4c0f-be22-4f2902de0b81",
"observed-data--572efd6c-e2b4-44ed-9962-470b02de0b81",
"url--572efd6c-e2b4-44ed-9962-470b02de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572efbef-6894-4dd0-a438-480602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T08:42:23.000Z",
"modified": "2016-05-08T08:42:23.000Z",
"pattern": "[url:value = 'fm1.ntlweb.org/87hcnrewe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T08:42:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572efbef-28e4-487d-835b-4ecc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T08:42:23.000Z",
"modified": "2016-05-08T08:42:23.000Z",
"pattern": "[url:value = 'iconigram.com/87hcnrewe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T08:42:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572efbef-6b4c-485a-96b8-4c2402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T08:42:23.000Z",
"modified": "2016-05-08T08:42:23.000Z",
"pattern": "[url:value = 'www.sammelarmband.de/87hcnrewe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T08:42:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572efbf0-65fc-41dc-9dd6-48d102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T08:42:24.000Z",
"modified": "2016-05-08T08:42:24.000Z",
"pattern": "[url:value = 'hospice.psy.free.fr/87hcnrewe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T08:42:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572efc0d-33dc-4c5a-86b2-424602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T08:42:53.000Z",
"modified": "2016-05-08T08:42:53.000Z",
"description": "C&C",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '192.241.252.152']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T08:42:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572efc0d-c538-47f4-9f65-477c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T08:42:53.000Z",
"modified": "2016-05-08T08:42:53.000Z",
"description": "C&C",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '195.169.147.26']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T08:42:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572efc0e-66ec-433d-a8aa-408d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T08:42:54.000Z",
"modified": "2016-05-08T08:42:54.000Z",
"description": "C&C",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '70.164.127.132']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T08:42:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572efc4e-cc64-4b0f-9b5f-427f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T08:43:58.000Z",
"modified": "2016-05-08T08:43:58.000Z",
"description": "Dropped binary",
"pattern": "[file:hashes.SHA256 = '84997e293dd1707b95c5ade8cc241742dd697f04f8f592545f8d140c801b6b3e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T08:43:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572efc66-9ccc-4e82-8172-41a202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T08:44:22.000Z",
"modified": "2016-05-08T08:44:22.000Z",
"description": "Dropped binary - Xchecked via VT: 84997e293dd1707b95c5ade8cc241742dd697f04f8f592545f8d140c801b6b3e",
"pattern": "[file:hashes.SHA1 = 'a835542d280eb8a3cc508cd57bcd94fd2393fc31']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T08:44:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572efc67-9714-4709-8f5f-49d302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T08:44:23.000Z",
"modified": "2016-05-08T08:44:23.000Z",
"description": "Dropped binary - Xchecked via VT: 84997e293dd1707b95c5ade8cc241742dd697f04f8f592545f8d140c801b6b3e",
"pattern": "[file:hashes.MD5 = '803358c128aae4faed24e194d6388e68']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T08:44:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--572efc67-a9ac-4e71-91f3-482302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T08:44:23.000Z",
"modified": "2016-05-08T08:44:23.000Z",
"first_observed": "2016-05-08T08:44:23Z",
"last_observed": "2016-05-08T08:44:23Z",
"number_observed": 1,
"object_refs": [
"url--572efc67-a9ac-4e71-91f3-482302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--572efc67-a9ac-4e71-91f3-482302de0b81",
"value": "https://www.virustotal.com/file/84997e293dd1707b95c5ade8cc241742dd697f04f8f592545f8d140c801b6b3e/analysis/1462526126/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572efc9d-79a4-4199-bde2-46cc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T08:45:17.000Z",
"modified": "2016-05-08T08:45:17.000Z",
"pattern": "[url:value = 'http://meregivo.com.ua/87hcnrewe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T08:45:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572efd0b-677c-4f67-a705-4cb302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T08:47:07.000Z",
"modified": "2016-05-08T08:47:07.000Z",
"description": "malicious docm",
"pattern": "[file:hashes.SHA256 = 'af69220c029de7fa6f180f98c176263d24d187d1be7321e866b9d96e5c314fab']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T08:47:07Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572efd13-8974-4e7a-947f-465102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T08:47:15.000Z",
"modified": "2016-05-08T08:47:15.000Z",
"description": "malicious docm - Xchecked via VT: af69220c029de7fa6f180f98c176263d24d187d1be7321e866b9d96e5c314fab",
"pattern": "[file:hashes.SHA1 = 'f9cb0984f6fcc3e76070bd8f71c193f58000c1a7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T08:47:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572efd14-e58c-42aa-865b-4e5d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T08:47:16.000Z",
"modified": "2016-05-08T08:47:16.000Z",
"description": "malicious docm - Xchecked via VT: af69220c029de7fa6f180f98c176263d24d187d1be7321e866b9d96e5c314fab",
"pattern": "[file:hashes.MD5 = 'a52fc2b17771577ee1e72a08f99fa432']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T08:47:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--572efd14-f9e8-4c6b-8e9c-4bb802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T08:47:16.000Z",
"modified": "2016-05-08T08:47:16.000Z",
"first_observed": "2016-05-08T08:47:16Z",
"last_observed": "2016-05-08T08:47:16Z",
"number_observed": 1,
"object_refs": [
"url--572efd14-f9e8-4c6b-8e9c-4bb802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--572efd14-f9e8-4c6b-8e9c-4bb802de0b81",
"value": "https://www.virustotal.com/file/af69220c029de7fa6f180f98c176263d24d187d1be7321e866b9d96e5c314fab/analysis/1462544836/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572efd55-bef4-4d63-9929-46d002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T08:48:37.000Z",
"modified": "2016-05-08T08:48:37.000Z",
"description": "malicious docm",
"pattern": "[file:hashes.SHA256 = '0ec823c91274f3fad610d5ac8a89cfcac0dfdf506c214384320d864c163b2d25']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T08:48:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572efd6c-7f24-4459-9832-43d202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T08:48:44.000Z",
"modified": "2016-05-08T08:48:44.000Z",
"description": "malicious docm - Xchecked via VT: 0ec823c91274f3fad610d5ac8a89cfcac0dfdf506c214384320d864c163b2d25",
"pattern": "[file:hashes.SHA1 = '892d09d04fa087df98fb0c2941b7a39c4c938822']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T08:48:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--572efd6c-e894-4c0f-be22-4f2902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T08:48:44.000Z",
"modified": "2016-05-08T08:48:44.000Z",
"description": "malicious docm - Xchecked via VT: 0ec823c91274f3fad610d5ac8a89cfcac0dfdf506c214384320d864c163b2d25",
"pattern": "[file:hashes.MD5 = '22feec8b1b12603a6efc8d098817b99a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-05-08T08:48:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--572efd6c-e2b4-44ed-9962-470b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-05-08T08:48:44.000Z",
"modified": "2016-05-08T08:48:44.000Z",
"first_observed": "2016-05-08T08:48:44Z",
"last_observed": "2016-05-08T08:48:44Z",
"number_observed": 1,
"object_refs": [
"url--572efd6c-e2b4-44ed-9962-470b02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--572efd6c-e2b4-44ed-9962-470b02de0b81",
"value": "https://www.virustotal.com/file/0ec823c91274f3fad610d5ac8a89cfcac0dfdf506c214384320d864c163b2d25/analysis/1462544863/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}