{
"type": "bundle",
"id": "bundle--57c405cd-ab54-47b8-9eff-7a52950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-16T21:13:55.000Z",
"modified": "2017-06-16T21:13:55.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--57c405cd-ab54-47b8-9eff-7a52950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-06-16T21:13:55.000Z",
"modified": "2017-06-16T21:13:55.000Z",
"name": "OSINT - Dridex Returns To Action For Smaller, More Targeted Attacks",
"published": "2017-06-16T21:14:04Z",
"object_refs": [
"observed-data--57c405f9-fe0c-40ed-9b92-800f950d210f",
"url--57c405f9-fe0c-40ed-9b92-800f950d210f",
"x-misp-attribute--57c4060f-fbec-432b-8d84-800e950d210f",
"indicator--57c406c0-cb60-4bc4-aacb-800e950d210f",
"indicator--57c406c0-5820-4b47-b716-800e950d210f",
"indicator--57c406c0-fd78-438a-9502-800e950d210f",
"indicator--57c406c0-3898-46c6-abfd-800e950d210f",
"indicator--57c406c1-c66c-4933-b0f0-800e950d210f",
"indicator--57c406c2-8ad4-4ae5-95d1-800e950d210f",
"indicator--57c406c2-d160-4c6c-a9ff-800e950d210f",
"indicator--57c406c2-fcb4-4a0f-8a18-800e950d210f",
"indicator--57c406c3-d550-4216-a10c-800e950d210f",
"indicator--57c406c3-7aac-4786-8508-800e950d210f",
"indicator--57c406c3-0004-4083-ab33-800e950d210f",
"x-misp-attribute--57c406f4-914c-4f8a-bf4b-7a58950d210f",
"x-misp-attribute--57c40714-8904-4705-8609-8ac9950d210f",
"observed-data--57c40730-30cc-42d6-809e-8aca950d210f",
"url--57c40730-30cc-42d6-809e-8aca950d210f",
"indicator--57c4076e-0bb4-45d7-89d4-7a5102de0b81",
"indicator--57c4076e-0bcc-458c-b1ec-7a5102de0b81",
"observed-data--57c4076e-dc1c-4fb6-8cb0-7a5102de0b81",
"url--57c4076e-dc1c-4fb6-8cb0-7a5102de0b81",
"indicator--57c4076f-05e4-4b12-9725-7a5102de0b81",
"indicator--57c4076f-1da4-4c89-ac85-7a5102de0b81",
"observed-data--57c4076f-43f4-4dba-8473-7a5102de0b81",
"url--57c4076f-43f4-4dba-8473-7a5102de0b81",
"indicator--57c4076f-c114-4aee-86b6-7a5102de0b81",
"indicator--57c40770-51e4-4454-9097-7a5102de0b81",
"observed-data--57c40770-ca40-4836-bea3-7a5102de0b81",
"url--57c40770-ca40-4836-bea3-7a5102de0b81",
"indicator--57c40771-2eac-4b02-849f-7a5102de0b81",
"indicator--57c40771-731c-4fa8-a4f2-7a5102de0b81",
"observed-data--57c40771-38a8-4b85-ba46-7a5102de0b81",
"url--57c40771-38a8-4b85-ba46-7a5102de0b81",
"indicator--57c40771-9430-4687-bddd-7a5102de0b81",
"indicator--57c40772-a618-4472-8d3e-7a5102de0b81",
"observed-data--57c40772-ea1c-4941-a9eb-7a5102de0b81",
"url--57c40772-ea1c-4941-a9eb-7a5102de0b81",
"indicator--57c40772-e9b0-4f2a-ae55-7a5102de0b81",
"indicator--57c40772-48e0-4f43-bf9f-7a5102de0b81",
"observed-data--57c40773-bc68-460c-aff9-7a5102de0b81",
"url--57c40773-bc68-460c-aff9-7a5102de0b81",
"indicator--57c40773-62d0-47a3-80dc-7a5102de0b81",
"indicator--57c40774-2914-4485-8441-7a5102de0b81",
"observed-data--57c40774-8b28-49e0-9519-7a5102de0b81",
"url--57c40774-8b28-49e0-9519-7a5102de0b81",
"indicator--57c40775-c9e4-42d9-b7da-7a5102de0b81",
"indicator--57c40775-da1c-470f-9cf8-7a5102de0b81",
"observed-data--57c40775-ed24-4616-b20f-7a5102de0b81",
"url--57c40775-ed24-4616-b20f-7a5102de0b81",
"indicator--57c40776-4d88-4efb-9eb3-7a5102de0b81",
"indicator--57c40776-3c6c-4746-9439-7a5102de0b81",
"observed-data--57c40777-54f8-4870-b385-7a5102de0b81",
"url--57c40777-54f8-4870-b385-7a5102de0b81",
"indicator--57c40777-45a0-4150-b8e4-7a5102de0b81",
"indicator--57c40778-09ec-4e47-9c47-7a5102de0b81",
"observed-data--57c40779-fd00-407c-8951-7a5102de0b81",
"url--57c40779-fd00-407c-8951-7a5102de0b81",
"indicator--57c40779-48e0-4c1a-9091-7a5102de0b81",
"indicator--57c4077a-c778-43bc-a0ba-7a5102de0b81",
"observed-data--57c4077a-7bbc-4d8a-83fa-7a5102de0b81",
"url--57c4077a-7bbc-4d8a-83fa-7a5102de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"circl:topic=\"finance\"",
"circl:incident-classification=\"malware\"",
"type:OSINT",
"misp-galaxy:tool=\"Dridex\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57c405f9-fe0c-40ed-9b92-800f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:52:57.000Z",
"modified": "2016-08-29T09:52:57.000Z",
"first_observed": "2016-08-29T09:52:57Z",
"last_observed": "2016-08-29T09:52:57Z",
"number_observed": 1,
"object_refs": [
"url--57c405f9-fe0c-40ed-9b92-800f950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57c405f9-fe0c-40ed-9b92-800f950d210f",
"value": "https://www.proofpoint.com/us/threat-insight/post/Dridex-returns-to-action-for-smaller-more-targeted-attacks"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--57c4060f-fbec-432b-8d84-800e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:53:19.000Z",
"modified": "2016-08-29T09:53:19.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "Since it was first detected in November 2014, Dridex has been one of the most prolific pieces of malware worldwide. Even when the actors behind distribution of Dridex began distributing Locky ransomware in February, 2016, they would often switch between the two payloads or distribute them simultaneously. More recently, though, Dridex email message volumes have dropped to a relative trickle, and a new geography of interest, Switzerland, has emerged. The much lower volume suggests a higher degree of targeting, freeing the actors to pursue more lucrative attacks and leverage stolen information more effectively.\r\n\r\nIn this post we\u2019ll investigate the recent Dridex campaigns, including their message volumes and targeting, and provide possible reasons for changes in the mode of operation."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c406c0-cb60-4bc4-aacb-800e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:56:16.000Z",
"modified": "2016-08-29T09:56:16.000Z",
"description": "June 29 Dridex 38923 document \u201c[name].doc\u201d",
"pattern": "[file:hashes.SHA256 = '313e2282bffcd2df612404c7ab6e7e913495c13b6f3011c1a2739e289b5451b6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T09:56:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c406c0-5820-4b47-b716-800e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:56:16.000Z",
"modified": "2016-08-29T09:56:16.000Z",
"description": "July 15 Dridex 124 document \u201c1666.docm\u201d",
"pattern": "[file:hashes.SHA256 = '1fe24808cabd3fa69e58824a58a1e302ce677362603d4f26240cff7c145421b5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T09:56:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c406c0-fd78-438a-9502-800e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:56:16.000Z",
"modified": "2016-08-29T09:56:16.000Z",
"description": "August 11 Dridex 144 document \u201crechnung11aug.docm\u201d",
"pattern": "[file:hashes.SHA256 = '1a6859d265b94a2109d690999f62fdbadd8cb1894205e2e1b260a9f3bdcd8639']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T09:56:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c406c0-3898-46c6-abfd-800e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:56:16.000Z",
"modified": "2016-08-29T09:56:16.000Z",
"description": "August 15/16 Dridex 228 document \u201cOrd191878.docm\u201d",
"pattern": "[file:hashes.SHA256 = '026b724fe9d07d47f8fcdf02f7e1072a74bc518e415430a2c23881fb179b4a99']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T09:56:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c406c1-c66c-4933-b0f0-800e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:56:17.000Z",
"modified": "2016-08-29T09:56:17.000Z",
"description": "Dridex 38923 Loader",
"pattern": "[file:hashes.SHA256 = '10cf55031c31f8a615b93cec9d3675b6af2fb7d9aa4ef5163723b55e43b9a9f4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T09:56:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c406c2-8ad4-4ae5-95d1-800e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:56:18.000Z",
"modified": "2016-08-29T09:56:18.000Z",
"description": "Dridex 124 Loader",
"pattern": "[file:hashes.SHA256 = '207b4ae38b3a5c51614aacd6b9d09bff242b23fab777446e9f752eefde57bac8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T09:56:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c406c2-d160-4c6c-a9ff-800e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:56:18.000Z",
"modified": "2016-08-29T09:56:18.000Z",
"description": "Dridex 144 Loader",
"pattern": "[file:hashes.SHA256 = '75717e7acf4f41de953e0c6f57986844bc21dcda546d5a37371ad8d5a7952782']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T09:56:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c406c2-fcb4-4a0f-8a18-800e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:56:18.000Z",
"modified": "2016-08-29T09:56:18.000Z",
"description": "Dridex 228 Loader",
"pattern": "[file:hashes.SHA256 = '160c95261abba3e71c52195251db075ed922acdf010aa85fef1760e8fa198bd8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T09:56:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c406c3-d550-4216-a10c-800e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:56:19.000Z",
"modified": "2016-08-29T09:56:19.000Z",
"description": "Dridex 1124 Loader",
"pattern": "[file:hashes.SHA256 = 'bcaa57c93dc973aabd419b65dcdc4e9ae68bcae5ddfe920070cc2b2ae9dbaf3f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T09:56:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c406c3-7aac-4786-8508-800e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:56:19.000Z",
"modified": "2016-08-29T09:56:19.000Z",
"description": "Dridex 302 Loader",
"pattern": "[file:hashes.SHA256 = '2d9c2edc8d1cfb2b5691b0f6a938d17d5adf1e7797ab401dfa12bd29df79af44']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T09:56:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c406c3-0004-4083-ab33-800e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:56:19.000Z",
"modified": "2016-08-29T09:56:19.000Z",
"description": "Dridex 1024 dropped by Neutrino",
"pattern": "[file:hashes.SHA256 = 'fc39a8ef9567ce977215b8699762843d4f8a98504d9495bf9f8edad0a60b5fcb']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T09:56:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--57c406f4-914c-4f8a-bf4b-7a58950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:57:08.000Z",
"modified": "2016-08-29T09:57:08.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"Targeting data\""
],
"x_misp_category": "Targeting data",
"x_misp_comment": "Appendix A: Applications Targeted by Dridex 228 on August 16, 2016",
"x_misp_type": "comment",
"x_misp_value": "crealogix | multiversa | abacus | ebics | agro-office | cashcomm | softcrew | coconet | macrogram | mammut | omikron | multicash | quatersoft | alphasys | wineur | epsitec | myaccessweb | bellin | financesuite | moneta | softcash | trinity | financesuite | abrantix | starmoney | sfirm | migrosbank | migros bank | online banking | star money | multibit | bitgo | bither | blockchain | copay | msigna | armory | electrum | coinbase | magnr | keepkey | coinsbank | coolwallet | bitoex | xapo | changetip | coinapult | blocktrail | breadwallet | luxstack | airbitz | schildbach | ledger nano | mycelium | trezor | coinomi | bitcore | WinBacs | albacs | Albany.EFT.Corporate.Client | wpc | eSigner | StartStarMoney | StarMoney | acsagent | accrdsub | acevents | acCOMpkcs | jp2launcher | sllauncher | cspregtool | RegisterTool | OEBMCC32 | sfirm | Bbm24win | wip | paypen | mammut_tb | telelink | translink | deltaworks | dfsvc | bitcoin-qt | multibit | BacscomIP2 | runclient | paycentre | accesspay | PaymentStudio | DiasClient | SynIntegrationClient | QuestLauncher | RemoteAdminServer | SymForm2App | plink | launch | PaygateWpfClient | terminal | Telelink | EBsec | ftrskr | Suite Entreprise | rbpmain2 | rbpmain | tkc | ecbl-nxbp | sagedirect | turbo_teletransmission | cedripack | cedrisend | QikDesktop | QikDesktopCitrix | ConfigurationEditor | InteractFastConfig | otscm-client | ecb-sg | crs1 | GbpSV | pstw32 | MopaMaes | ldcptv10 | gslshmsrvc | launcher | tokensharesrv | universe | ifrun60 | roiwin31 | guawin32 | intwin31 | kb_pcb | spawin31 | cziwin31 | czawin31 | sta2gpc | etsr | tellerlauncher | prowin32 | dirclt32 | PLT1751 | PLT1151 | cegidebics | CCS3 | CCMPS3 | ComSX | keepass | c_agent | transac | relaisbtp | telebanking | ewallet | mstsc | cardentry | TPComplianceManager | TPWorkstation | BancLine 2.0 | MS000000 | BancLine 3.0 | BancLine 4.0 | BancLine 5.0 | SFW | ptw1151 | fedcomp | sfmain | VRNetWorld | KDS | Kasir | ICS | mpkds | pspooler | ipspool | 
POS-CFG | callerIdserver | EftTray | dpseftxc | EFTSERV | QBPOS | APRINT6 | POSCONFG | jRestaurant | AFR38 | rmpos | roi | AxUpdatePortal | Firefly | InitEpp | SM22 | xfsExplorer | XFSSimulator | WosaXFSTest | kiosk | CRE2004 | aspnet_wp | javav | XChrgSrv | rpccEngine | PTService | Rpro8 | UTG2Svc | Active-Charge | javaw | DDCDSRV1 | alohaedc | dbstpssvc | XPS | Transnet | posw | NCRLoader | PSTTransfer | TSTSolutions | wndaudit | TSTAdmin | TellerDR | merapplauncher | contact manager | goldtllr32 | goldtrakpc | farm42phyton | fx4cash | bpcssm | vp-ebanking | LLB Online Banking | efix | iberclear | AMBCN | SGO | SQLpnr | vmware-view | banktelapk | SynJhaIntService | uniservice | client32 | CanaraCustMaintenance | legaclt | pcsfe | pcscmenu | cwbtf | srvview | pcsmc2vb | cwb3uic | trcgui | cwbsvstr | rtopcb | cwbujcnv | cwbujbld | cwbuisxe | pcsws | cwbsvd | cwblog | cwbdsk | securID | jhaintexec | appupdate | SGNavigatorApp | dbr | WINTRV | bsaadmin | encompass | eautomate | link | adminconsole | commandclientplugin | commandclientplugin_gui | mfmanager | verex director-server manager | verex director-communication manager | notes | nlnotes | notes2 | sacmonitor | netterm | fspnet | bridgerinside | cardserver | si | dais.ebank.client.offlineclient | BGFWIN31 | BGDWIN31 | BGXWIN31 | bocusertool | CLXReader | UBSPay | Migros_Bank_E-Banking | Bank linth Online Banking | java | abastart | abamenu | abajvm | sage200.finanz.gui | vpxclient | htmlshell | mmc | e3K.Main | QOPT | cresus | wineur | abaeb | efinance | GestionPE | BCN-Netkey | Sage 30 | ISL_light_client | msaccess | proffix.v4 | pxShowThread"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--57c40714-8904-4705-8609-8ac9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:57:40.000Z",
"modified": "2016-08-29T09:57:40.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"Targeting data\""
],
"x_misp_category": "Targeting data",
"x_misp_comment": "Appendix B: Applications Targeted by Dridex 120 in July 2015",
"x_misp_type": "comment",
"x_misp_value": "Uniface | bankline | Aptos | Hyposwiss | episys quest | bancline | tellerplus | ACE Software Solutions | ACI Worldwide | Alliance Enterprise | Bottomline Technologies | Broadridge | China Systems | CMA Small Systems | Clear2Pay | Adaptor Payments | Decillion Group | EastNets | Infosys | Flexcube | ECS Financials | FircoSoft | Fiserv | Kyriba | Premium Technology | Smartstream Technologies | Sopra Banking | Surecomp | Tieto Payment | TONBELLER | Wall Street Systems | Western Union | MoneyGram | Unistream | Direct Link | Abacus | agro-twin | coconet | crealogix | macrogram | mammut soft | omikron | quatersoft | experian payment gateway | softcrew | WinBacs | albacs | Albany.EFT.Corporate.Client | wpc | eSigner | StartStarMoney | StarMoney | acsagent | accrdsub | acevents | acCOMpkcs | ac.sharedstore | jp2launcher+ | sllauncher | cspregtool | RegisterTool | OEBMCC32 | sfirm | Bbm24win | wip | paypen | mammut_tb | telelink | translink | deltaworks | dfsvc | bitcoin-qt | multibit | BacscomIP2 | runclient | paycentre | accesspay | PaymentStudio | DiasClient | SynIntegrationClient | QuestLauncher | RemoteAdminServer | SymForm2App | plink | launch | PaygateWpfClient | terminal | Telelink | EBsec | ftrskr | Suite | Entreprise | rbpmain2 | rbpmain | tkc | ecbl-nxbp | sagedirect | turbo_teletransmission | cedripack | cedrisend | QikDesktop | QikDesktopCitrix | ConfigurationEditor | InteractFastConfig | javaw | otscm-client+ | ecb-sg | crs1 | GbpSV | pstw32 | MopaMaes | ldcptv10 | gslshmsrvc | launcher | tokensharesrv | sage"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57c40730-30cc-42d6-809e-8aca950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:58:08.000Z",
"modified": "2016-08-29T09:58:08.000Z",
"first_observed": "2016-08-29T09:58:08Z",
"last_observed": "2016-08-29T09:58:08Z",
"number_observed": 1,
"object_refs": [
"url--57c40730-30cc-42d6-809e-8aca950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57c40730-30cc-42d6-809e-8aca950d210f",
"value": "https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/offline-payment-software.html"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c4076e-0bb4-45d7-89d4-7a5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:59:10.000Z",
"modified": "2016-08-29T09:59:10.000Z",
"description": "Dridex 1024 dropped by Neutrino - Xchecked via VT: fc39a8ef9567ce977215b8699762843d4f8a98504d9495bf9f8edad0a60b5fcb",
"pattern": "[file:hashes.SHA1 = '6207bb1f208867a3b357c64e635993cc4ee01c7b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T09:59:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c4076e-0bcc-458c-b1ec-7a5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:59:10.000Z",
"modified": "2016-08-29T09:59:10.000Z",
"description": "Dridex 1024 dropped by Neutrino - Xchecked via VT: fc39a8ef9567ce977215b8699762843d4f8a98504d9495bf9f8edad0a60b5fcb",
"pattern": "[file:hashes.MD5 = '87f8402f0e46fcb929e175f3a722a202']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T09:59:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57c4076e-dc1c-4fb6-8cb0-7a5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:59:10.000Z",
"modified": "2016-08-29T09:59:10.000Z",
"first_observed": "2016-08-29T09:59:10Z",
"last_observed": "2016-08-29T09:59:10Z",
"number_observed": 1,
"object_refs": [
"url--57c4076e-dc1c-4fb6-8cb0-7a5102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57c4076e-dc1c-4fb6-8cb0-7a5102de0b81",
"value": "https://www.virustotal.com/file/fc39a8ef9567ce977215b8699762843d4f8a98504d9495bf9f8edad0a60b5fcb/analysis/1471591636/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c4076f-05e4-4b12-9725-7a5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:59:11.000Z",
"modified": "2016-08-29T09:59:11.000Z",
"description": "Dridex 302 Loader - Xchecked via VT: 2d9c2edc8d1cfb2b5691b0f6a938d17d5adf1e7797ab401dfa12bd29df79af44",
"pattern": "[file:hashes.SHA1 = '39b2aa526c79e263b77daf93c2426e96b61427ac']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T09:59:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c4076f-1da4-4c89-ac85-7a5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:59:11.000Z",
"modified": "2016-08-29T09:59:11.000Z",
"description": "Dridex 302 Loader - Xchecked via VT: 2d9c2edc8d1cfb2b5691b0f6a938d17d5adf1e7797ab401dfa12bd29df79af44",
"pattern": "[file:hashes.MD5 = 'd4c3e289e5c2240b4bc06e344be6e5b6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T09:59:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57c4076f-43f4-4dba-8473-7a5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:59:11.000Z",
"modified": "2016-08-29T09:59:11.000Z",
"first_observed": "2016-08-29T09:59:11Z",
"last_observed": "2016-08-29T09:59:11Z",
"number_observed": 1,
"object_refs": [
"url--57c4076f-43f4-4dba-8473-7a5102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57c4076f-43f4-4dba-8473-7a5102de0b81",
"value": "https://www.virustotal.com/file/2d9c2edc8d1cfb2b5691b0f6a938d17d5adf1e7797ab401dfa12bd29df79af44/analysis/1471129011/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c4076f-c114-4aee-86b6-7a5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:59:11.000Z",
"modified": "2016-08-29T09:59:11.000Z",
"description": "Dridex 1124 Loader - Xchecked via VT: bcaa57c93dc973aabd419b65dcdc4e9ae68bcae5ddfe920070cc2b2ae9dbaf3f",
"pattern": "[file:hashes.SHA1 = 'f16fb1512e40ab115fb26ad5e516cd3660d903d7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T09:59:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c40770-51e4-4454-9097-7a5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:59:12.000Z",
"modified": "2016-08-29T09:59:12.000Z",
"description": "Dridex 1124 Loader - Xchecked via VT: bcaa57c93dc973aabd419b65dcdc4e9ae68bcae5ddfe920070cc2b2ae9dbaf3f",
"pattern": "[file:hashes.MD5 = '5a5dfe4ec70529af9f937f58399410cf']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T09:59:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57c40770-ca40-4836-bea3-7a5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:59:12.000Z",
"modified": "2016-08-29T09:59:12.000Z",
"first_observed": "2016-08-29T09:59:12Z",
"last_observed": "2016-08-29T09:59:12Z",
"number_observed": 1,
"object_refs": [
"url--57c40770-ca40-4836-bea3-7a5102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57c40770-ca40-4836-bea3-7a5102de0b81",
"value": "https://www.virustotal.com/file/bcaa57c93dc973aabd419b65dcdc4e9ae68bcae5ddfe920070cc2b2ae9dbaf3f/analysis/1472443888/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c40771-2eac-4b02-849f-7a5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:59:13.000Z",
"modified": "2016-08-29T09:59:13.000Z",
"description": "Dridex 228 Loader - Xchecked via VT: 160c95261abba3e71c52195251db075ed922acdf010aa85fef1760e8fa198bd8",
"pattern": "[file:hashes.SHA1 = 'e682a268c7807fa3d4a5c7b0244a2f44663aadfc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T09:59:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c40771-731c-4fa8-a4f2-7a5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:59:13.000Z",
"modified": "2016-08-29T09:59:13.000Z",
"description": "Dridex 228 Loader - Xchecked via VT: 160c95261abba3e71c52195251db075ed922acdf010aa85fef1760e8fa198bd8",
"pattern": "[file:hashes.MD5 = '08f44a4d709f1a16a1a99598e6038960']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T09:59:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57c40771-38a8-4b85-ba46-7a5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:59:13.000Z",
"modified": "2016-08-29T09:59:13.000Z",
"first_observed": "2016-08-29T09:59:13Z",
"last_observed": "2016-08-29T09:59:13Z",
"number_observed": 1,
"object_refs": [
"url--57c40771-38a8-4b85-ba46-7a5102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57c40771-38a8-4b85-ba46-7a5102de0b81",
"value": "https://www.virustotal.com/file/160c95261abba3e71c52195251db075ed922acdf010aa85fef1760e8fa198bd8/analysis/1472283781/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c40771-9430-4687-bddd-7a5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:59:13.000Z",
"modified": "2016-08-29T09:59:13.000Z",
"description": "Dridex 144 Loader - Xchecked via VT: 75717e7acf4f41de953e0c6f57986844bc21dcda546d5a37371ad8d5a7952782",
"pattern": "[file:hashes.SHA1 = 'ae99800e25d331403995c08fbbeef47a659ab804']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T09:59:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c40772-a618-4472-8d3e-7a5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:59:14.000Z",
"modified": "2016-08-29T09:59:14.000Z",
"description": "Dridex 144 Loader - Xchecked via VT: 75717e7acf4f41de953e0c6f57986844bc21dcda546d5a37371ad8d5a7952782",
"pattern": "[file:hashes.MD5 = 'd58ec78a177b82da975f2a42edfcdbad']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T09:59:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57c40772-ea1c-4941-a9eb-7a5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:59:14.000Z",
"modified": "2016-08-29T09:59:14.000Z",
"first_observed": "2016-08-29T09:59:14Z",
"last_observed": "2016-08-29T09:59:14Z",
"number_observed": 1,
"object_refs": [
"url--57c40772-ea1c-4941-a9eb-7a5102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57c40772-ea1c-4941-a9eb-7a5102de0b81",
"value": "https://www.virustotal.com/file/75717e7acf4f41de953e0c6f57986844bc21dcda546d5a37371ad8d5a7952782/analysis/1471678904/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c40772-e9b0-4f2a-ae55-7a5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:59:14.000Z",
"modified": "2016-08-29T09:59:14.000Z",
"description": "Dridex 124 Loader - Xchecked via VT: 207b4ae38b3a5c51614aacd6b9d09bff242b23fab777446e9f752eefde57bac8",
"pattern": "[file:hashes.SHA1 = '4af210a9c7c7c5d62dfac90de213c559bd04295c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T09:59:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c40772-48e0-4f43-bf9f-7a5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:59:14.000Z",
"modified": "2016-08-29T09:59:14.000Z",
"description": "Dridex 124 Loader - Xchecked via VT: 207b4ae38b3a5c51614aacd6b9d09bff242b23fab777446e9f752eefde57bac8",
"pattern": "[file:hashes.MD5 = '52faad132ecc0a103d368640db9274b7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T09:59:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57c40773-bc68-460c-aff9-7a5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:59:15.000Z",
"modified": "2016-08-29T09:59:15.000Z",
"first_observed": "2016-08-29T09:59:15Z",
"last_observed": "2016-08-29T09:59:15Z",
"number_observed": 1,
"object_refs": [
"url--57c40773-bc68-460c-aff9-7a5102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57c40773-bc68-460c-aff9-7a5102de0b81",
"value": "https://www.virustotal.com/file/207b4ae38b3a5c51614aacd6b9d09bff242b23fab777446e9f752eefde57bac8/analysis/1470206023/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c40773-62d0-47a3-80dc-7a5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:59:15.000Z",
"modified": "2016-08-29T09:59:15.000Z",
"description": "Dridex 38923 Loader - Xchecked via VT: 10cf55031c31f8a615b93cec9d3675b6af2fb7d9aa4ef5163723b55e43b9a9f4",
"pattern": "[file:hashes.SHA1 = '8dda6643074fc4c08e621b06a4b9ba2b02307462']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T09:59:15Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c40774-2914-4485-8441-7a5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:59:16.000Z",
"modified": "2016-08-29T09:59:16.000Z",
"description": "Dridex 38923 Loader - Xchecked via VT: 10cf55031c31f8a615b93cec9d3675b6af2fb7d9aa4ef5163723b55e43b9a9f4",
"pattern": "[file:hashes.MD5 = 'b8946d3329e56a3f3e52547aac913e8e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T09:59:16Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57c40774-8b28-49e0-9519-7a5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:59:16.000Z",
"modified": "2016-08-29T09:59:16.000Z",
"first_observed": "2016-08-29T09:59:16Z",
"last_observed": "2016-08-29T09:59:16Z",
"number_observed": 1,
"object_refs": [
"url--57c40774-8b28-49e0-9519-7a5102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57c40774-8b28-49e0-9519-7a5102de0b81",
"value": "https://www.virustotal.com/file/10cf55031c31f8a615b93cec9d3675b6af2fb7d9aa4ef5163723b55e43b9a9f4/analysis/1469142637/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c40775-c9e4-42d9-b7da-7a5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:59:17.000Z",
"modified": "2016-08-29T09:59:17.000Z",
"description": "August 15/16 Dridex 228 document \u201cOrd191878.docm\u201d - Xchecked via VT: 026b724fe9d07d47f8fcdf02f7e1072a74bc518e415430a2c23881fb179b4a99",
"pattern": "[file:hashes.SHA1 = '880d6e1db2928dacf3977595507a0b8441e18778']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T09:59:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c40775-da1c-470f-9cf8-7a5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:59:17.000Z",
"modified": "2016-08-29T09:59:17.000Z",
"description": "August 15/16 Dridex 228 document \u201cOrd191878.docm\u201d - Xchecked via VT: 026b724fe9d07d47f8fcdf02f7e1072a74bc518e415430a2c23881fb179b4a99",
"pattern": "[file:hashes.MD5 = 'd0f9189af92bf014d2c3d1384806079b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T09:59:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57c40775-ed24-4616-b20f-7a5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:59:17.000Z",
"modified": "2016-08-29T09:59:17.000Z",
"first_observed": "2016-08-29T09:59:17Z",
"last_observed": "2016-08-29T09:59:17Z",
"number_observed": 1,
"object_refs": [
"url--57c40775-ed24-4616-b20f-7a5102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57c40775-ed24-4616-b20f-7a5102de0b81",
"value": "https://www.virustotal.com/file/026b724fe9d07d47f8fcdf02f7e1072a74bc518e415430a2c23881fb179b4a99/analysis/1471302720/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c40776-4d88-4efb-9eb3-7a5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:59:18.000Z",
"modified": "2016-08-29T09:59:18.000Z",
"description": "August 11 Dridex 144 document \u201crechnung11aug.docm\u201d - Xchecked via VT: 1a6859d265b94a2109d690999f62fdbadd8cb1894205e2e1b260a9f3bdcd8639",
"pattern": "[file:hashes.SHA1 = '05e3a7ee1df443b75ec8106a7ef857ddeb299ac5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T09:59:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c40776-3c6c-4746-9439-7a5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:59:18.000Z",
"modified": "2016-08-29T09:59:18.000Z",
"description": "August 11 Dridex 144 document \u201crechnung11aug.docm\u201d - Xchecked via VT: 1a6859d265b94a2109d690999f62fdbadd8cb1894205e2e1b260a9f3bdcd8639",
"pattern": "[file:hashes.MD5 = '5e89753e6a7e1cb8f18004aaa4c47374']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T09:59:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57c40777-54f8-4870-b385-7a5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:59:19.000Z",
"modified": "2016-08-29T09:59:19.000Z",
"first_observed": "2016-08-29T09:59:19Z",
"last_observed": "2016-08-29T09:59:19Z",
"number_observed": 1,
"object_refs": [
"url--57c40777-54f8-4870-b385-7a5102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57c40777-54f8-4870-b385-7a5102de0b81",
"value": "https://www.virustotal.com/file/1a6859d265b94a2109d690999f62fdbadd8cb1894205e2e1b260a9f3bdcd8639/analysis/1471932146/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c40777-45a0-4150-b8e4-7a5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:59:19.000Z",
"modified": "2016-08-29T09:59:19.000Z",
"description": "July 15 Dridex 124 document \u201c1666.docm\u201d - Xchecked via VT: 1fe24808cabd3fa69e58824a58a1e302ce677362603d4f26240cff7c145421b5",
"pattern": "[file:hashes.SHA1 = 'fcec303b9de6eb89f621ca3d469471a011e84b2f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T09:59:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c40778-09ec-4e47-9c47-7a5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:59:20.000Z",
"modified": "2016-08-29T09:59:20.000Z",
"description": "July 15 Dridex 124 document \u201c1666.docm\u201d - Xchecked via VT: 1fe24808cabd3fa69e58824a58a1e302ce677362603d4f26240cff7c145421b5",
"pattern": "[file:hashes.MD5 = 'bc4b5dbf114c3ad5ba93d966781257fa']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T09:59:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57c40779-fd00-407c-8951-7a5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:59:21.000Z",
"modified": "2016-08-29T09:59:21.000Z",
"first_observed": "2016-08-29T09:59:21Z",
"last_observed": "2016-08-29T09:59:21Z",
"number_observed": 1,
"object_refs": [
"url--57c40779-fd00-407c-8951-7a5102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57c40779-fd00-407c-8951-7a5102de0b81",
"value": "https://www.virustotal.com/file/1fe24808cabd3fa69e58824a58a1e302ce677362603d4f26240cff7c145421b5/analysis/1469347569/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c40779-48e0-4c1a-9091-7a5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:59:21.000Z",
"modified": "2016-08-29T09:59:21.000Z",
"description": "June 29 Dridex 38923 document \u201c[name].doc\u201d - Xchecked via VT: 313e2282bffcd2df612404c7ab6e7e913495c13b6f3011c1a2739e289b5451b6",
"pattern": "[file:hashes.SHA1 = 'eb78f441a57ffeec110a1cc3d6255043e612e5dd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T09:59:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57c4077a-c778-43bc-a0ba-7a5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:59:22.000Z",
"modified": "2016-08-29T09:59:22.000Z",
"description": "June 29 Dridex 38923 document \u201c[name].doc\u201d - Xchecked via VT: 313e2282bffcd2df612404c7ab6e7e913495c13b6f3011c1a2739e289b5451b6",
"pattern": "[file:hashes.MD5 = '6369e4e4ddd8312b52a1c1b4818e463c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-08-29T09:59:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57c4077a-7bbc-4d8a-83fa-7a5102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-08-29T09:59:22.000Z",
"modified": "2016-08-29T09:59:22.000Z",
"first_observed": "2016-08-29T09:59:22Z",
"last_observed": "2016-08-29T09:59:22Z",
"number_observed": 1,
"object_refs": [
"url--57c4077a-7bbc-4d8a-83fa-7a5102de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57c4077a-7bbc-4d8a-83fa-7a5102de0b81",
"value": "https://www.virustotal.com/file/313e2282bffcd2df612404c7ab6e7e913495c13b6f3011c1a2739e289b5451b6/analysis/1470643493/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}