misp-circl-feed/feeds/circl/misp/571de8da-be78-4d1d-851f-448d950d210f.json


{
"type": "bundle",
"id": "bundle--571de8da-be78-4d1d-851f-448d950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T13:09:32.000Z",
"modified": "2016-04-25T13:09:32.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--571de8da-be78-4d1d-851f-448d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T13:09:32.000Z",
"modified": "2016-04-25T13:09:32.000Z",
"name": "OSINT - New FAREIT Strain Abuses PowerShell",
"published": "2016-04-25T14:01:44Z",
"object_refs": [
"x-misp-attribute--571de8e8-be8c-4f59-b5b2-4aad950d210f",
"observed-data--571de8fa-f540-4df1-ab19-460a950d210f",
"url--571de8fa-f540-4df1-ab19-460a950d210f",
"indicator--571deb15-7a84-4ad5-99fe-4804950d210f",
"indicator--571deb15-4824-409d-86e8-4692950d210f",
"indicator--571deb15-6290-4e20-8792-4738950d210f",
"indicator--571deb15-b778-4440-acbf-4bf6950d210f",
"indicator--571deb15-a658-458b-95f5-4654950d210f",
"indicator--571deb15-7dfc-44be-896f-43ff950d210f",
"indicator--571deb15-6974-4675-9e90-43bf950d210f",
"indicator--571deb22-78c0-40ea-8d6c-4e3502de0b81",
"indicator--571deb22-ca5c-4862-80cc-48e002de0b81",
"observed-data--571deb22-9160-47d9-9637-408002de0b81",
"url--571deb22-9160-47d9-9637-408002de0b81",
"indicator--571deb22-1348-4179-ab26-444502de0b81",
"indicator--571deb22-f794-4e33-9143-49f502de0b81",
"observed-data--571deb22-4568-49b2-a586-425902de0b81",
"url--571deb22-4568-49b2-a586-425902de0b81",
"indicator--571deb22-fe80-4838-a1b4-41c702de0b81",
"indicator--571deb23-9980-4ec2-9c3f-498e02de0b81",
"observed-data--571deb23-cbf0-45dd-8657-40bd02de0b81",
"url--571deb23-cbf0-45dd-8657-40bd02de0b81",
"indicator--571deb23-3e40-4959-9562-462202de0b81",
"indicator--571deb23-19c0-4d9c-af16-487902de0b81",
"observed-data--571deb23-512c-4434-a828-48f002de0b81",
"url--571deb23-512c-4434-a828-48f002de0b81",
"indicator--571deb23-a7f0-4248-b820-46d502de0b81",
"indicator--571deb23-3eec-43fe-b73a-4f7802de0b81",
"observed-data--571deb24-d2c8-4866-9b32-448802de0b81",
"url--571deb24-d2c8-4866-9b32-448802de0b81",
"indicator--571deb24-b0c8-4bdc-9b40-443c02de0b81",
"indicator--571deb24-4c08-4a14-a26b-498402de0b81",
"observed-data--571deb24-2ce8-44f5-9c39-442302de0b81",
"url--571deb24-2ce8-44f5-9c39-442302de0b81",
"indicator--571deb24-d6e8-4a42-81a0-483f02de0b81",
"indicator--571deb24-2bd8-4613-a160-40fc02de0b81",
"observed-data--571deb25-dc48-496f-9cb9-401d02de0b81",
"url--571deb25-dc48-496f-9cb9-401d02de0b81",
"observed-data--571e170d-e06c-4485-9a7a-40e802de0b81",
"url--571e170d-e06c-4485-9a7a-40e802de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"circl:topic=\"finance\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--571de8e8-be8c-4f59-b5b2-4aad950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T09:52:40.000Z",
"modified": "2016-04-25T09:52:40.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "In 2014, we began seeing attacks that abused the Windows PowerShell. Back then, it was uncommon for malware to use this particular feature of Windows. However, there are several good reasons for an attacker to use this particular feature.\r\n\r\nFirst, users cannot easily spot any malicious behavior since PowerShell runs in the background. Secondly, PowerShell can be used to steal usernames, passwords, and other system information without an executable file being present. This makes it a powerful tool for attackers.\r\n\r\nLast March 2016, we noted that PowerWare crypto-ransomware also abused PowerShell. Recently, we spotted a new attack where PowerShell was abused to deliver a FAREIT variant. This particular family of information stealers has been around since 2011."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571de8fa-f540-4df1-ab19-460a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T09:52:58.000Z",
"modified": "2016-04-25T09:52:58.000Z",
"first_observed": "2016-04-25T09:52:58Z",
"last_observed": "2016-04-25T09:52:58Z",
"number_observed": 1,
"object_refs": [
"url--571de8fa-f540-4df1-ab19-460a950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--571de8fa-f540-4df1-ab19-460a950d210f",
"value": "http://blog.trendmicro.com/trendlabs-security-intelligence/new-fareit-strain-delivered-abusing-powershell/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb15-7a84-4ad5-99fe-4804950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:01:57.000Z",
"modified": "2016-04-25T10:01:57.000Z",
"description": "Imported via the freetext import.",
"pattern": "[file:hashes.SHA1 = 'acaeb29abf2458b862646366917f44e987176ec9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:01:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb15-4824-409d-86e8-4692950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:01:57.000Z",
"modified": "2016-04-25T10:01:57.000Z",
"description": "Imported via the freetext import.",
"pattern": "[file:hashes.SHA1 = 'cfd1a77155b9af917e22a8ac0fe16eeb26e00c6e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:01:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb15-6290-4e20-8792-4738950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:01:57.000Z",
"modified": "2016-04-25T10:01:57.000Z",
"description": "Imported via the freetext import.",
"pattern": "[file:hashes.SHA1 = 'da3b7c89ec9ca4157af52d40db76b2c23a62a15e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:01:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb15-b778-4440-acbf-4bf6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:01:57.000Z",
"modified": "2016-04-25T10:01:57.000Z",
"description": "Imported via the freetext import.",
"pattern": "[file:hashes.SHA1 = '03798dc7221efdcec95b991735f38b49dff29542']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:01:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb15-a658-458b-95f5-4654950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:01:57.000Z",
"modified": "2016-04-25T10:01:57.000Z",
"description": "Imported via the freetext import.",
"pattern": "[file:hashes.SHA1 = '04fffc28bed615d7da50c0286290d452b9c5ee50']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:01:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb15-7dfc-44be-896f-43ff950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:01:57.000Z",
"modified": "2016-04-25T10:01:57.000Z",
"description": "Imported via the freetext import.",
"pattern": "[file:hashes.SHA1 = '125156e24958f18ad86cc406868948dc100791d4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:01:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb15-6974-4675-9e90-43bf950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:01:57.000Z",
"modified": "2016-04-25T10:01:57.000Z",
"description": "Imported via the freetext import.",
"pattern": "[file:hashes.SHA1 = '4f739261372d4adce7f152f16fbf20a5c18b8903']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:01:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb22-78c0-40ea-8d6c-4e3502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:10.000Z",
"modified": "2016-04-25T10:02:10.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: 4f739261372d4adce7f152f16fbf20a5c18b8903",
"pattern": "[file:hashes.SHA256 = '6dceceeb1aff7b613f7bdf9259173d30cabda4a1d142af5f52e03c291c8adb9f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:02:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb22-ca5c-4862-80cc-48e002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:10.000Z",
"modified": "2016-04-25T10:02:10.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: 4f739261372d4adce7f152f16fbf20a5c18b8903",
"pattern": "[file:hashes.MD5 = 'b3dbdb86a443be3d6e310ceb84bb4c2c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:02:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571deb22-9160-47d9-9637-408002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:10.000Z",
"modified": "2016-04-25T10:02:10.000Z",
"first_observed": "2016-04-25T10:02:10Z",
"last_observed": "2016-04-25T10:02:10Z",
"number_observed": 1,
"object_refs": [
"url--571deb22-9160-47d9-9637-408002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--571deb22-9160-47d9-9637-408002de0b81",
"value": "https://www.virustotal.com/file/6dceceeb1aff7b613f7bdf9259173d30cabda4a1d142af5f52e03c291c8adb9f/analysis/1461305595/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb22-1348-4179-ab26-444502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:10.000Z",
"modified": "2016-04-25T10:02:10.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: 125156e24958f18ad86cc406868948dc100791d4",
"pattern": "[file:hashes.SHA256 = '658b0994a6ccfde063293ffbc3f2b85c4cdab2489ed5351f85011e3957e1e143']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:02:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb22-f794-4e33-9143-49f502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:10.000Z",
"modified": "2016-04-25T10:02:10.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: 125156e24958f18ad86cc406868948dc100791d4",
"pattern": "[file:hashes.MD5 = '1eeb67994aae158dc8486269728fc177']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:02:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571deb22-4568-49b2-a586-425902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:10.000Z",
"modified": "2016-04-25T10:02:10.000Z",
"first_observed": "2016-04-25T10:02:10Z",
"last_observed": "2016-04-25T10:02:10Z",
"number_observed": 1,
"object_refs": [
"url--571deb22-4568-49b2-a586-425902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--571deb22-4568-49b2-a586-425902de0b81",
"value": "https://www.virustotal.com/file/658b0994a6ccfde063293ffbc3f2b85c4cdab2489ed5351f85011e3957e1e143/analysis/1461303615/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb22-fe80-4838-a1b4-41c702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:10.000Z",
"modified": "2016-04-25T10:02:10.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: 04fffc28bed615d7da50c0286290d452b9c5ee50",
"pattern": "[file:hashes.SHA256 = '30bcc5a700e08c91095c3a8e6c52495a6b60f9ff07ac3c0b96e75befc44b1f5a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:02:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb23-9980-4ec2-9c3f-498e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:11.000Z",
"modified": "2016-04-25T10:02:11.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: 04fffc28bed615d7da50c0286290d452b9c5ee50",
"pattern": "[file:hashes.MD5 = '8ce49433b0442f3d9d81662f9f3c9342']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:02:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571deb23-cbf0-45dd-8657-40bd02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:11.000Z",
"modified": "2016-04-25T10:02:11.000Z",
"first_observed": "2016-04-25T10:02:11Z",
"last_observed": "2016-04-25T10:02:11Z",
"number_observed": 1,
"object_refs": [
"url--571deb23-cbf0-45dd-8657-40bd02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--571deb23-cbf0-45dd-8657-40bd02de0b81",
"value": "https://www.virustotal.com/file/30bcc5a700e08c91095c3a8e6c52495a6b60f9ff07ac3c0b96e75befc44b1f5a/analysis/1461393556/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb23-3e40-4959-9562-462202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:11.000Z",
"modified": "2016-04-25T10:02:11.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: 03798dc7221efdcec95b991735f38b49dff29542",
"pattern": "[file:hashes.SHA256 = '300a50991cb2c6eb16b7e14ba5ef72a3a83c9f2b7d6cd7da259b866fbc527985']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:02:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb23-19c0-4d9c-af16-487902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:11.000Z",
"modified": "2016-04-25T10:02:11.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: 03798dc7221efdcec95b991735f38b49dff29542",
"pattern": "[file:hashes.MD5 = 'f43c1178362caf94e7670208b054d285']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:02:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571deb23-512c-4434-a828-48f002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:11.000Z",
"modified": "2016-04-25T10:02:11.000Z",
"first_observed": "2016-04-25T10:02:11Z",
"last_observed": "2016-04-25T10:02:11Z",
"number_observed": 1,
"object_refs": [
"url--571deb23-512c-4434-a828-48f002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--571deb23-512c-4434-a828-48f002de0b81",
"value": "https://www.virustotal.com/file/300a50991cb2c6eb16b7e14ba5ef72a3a83c9f2b7d6cd7da259b866fbc527985/analysis/1460188306/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb23-a7f0-4248-b820-46d502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:11.000Z",
"modified": "2016-04-25T10:02:11.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: da3b7c89ec9ca4157af52d40db76b2c23a62a15e",
"pattern": "[file:hashes.SHA256 = '5f6cfc97884476c469b11ef2c22d0d181879ba9ac1d26176f9f1b35b009a6646']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:02:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb23-3eec-43fe-b73a-4f7802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:11.000Z",
"modified": "2016-04-25T10:02:11.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: da3b7c89ec9ca4157af52d40db76b2c23a62a15e",
"pattern": "[file:hashes.MD5 = 'c04d18f4e9e8fd4ffba04a9ced5c27bc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:02:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571deb24-d2c8-4866-9b32-448802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:12.000Z",
"modified": "2016-04-25T10:02:12.000Z",
"first_observed": "2016-04-25T10:02:12Z",
"last_observed": "2016-04-25T10:02:12Z",
"number_observed": 1,
"object_refs": [
"url--571deb24-d2c8-4866-9b32-448802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--571deb24-d2c8-4866-9b32-448802de0b81",
"value": "https://www.virustotal.com/file/5f6cfc97884476c469b11ef2c22d0d181879ba9ac1d26176f9f1b35b009a6646/analysis/1461206794/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb24-b0c8-4bdc-9b40-443c02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:12.000Z",
"modified": "2016-04-25T10:02:12.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: cfd1a77155b9af917e22a8ac0fe16eeb26e00c6e",
"pattern": "[file:hashes.SHA256 = '933e8206dd259578c14ffecf9166ac937c6f2c49f0fb8a126283f7211a442fe5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:02:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb24-4c08-4a14-a26b-498402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:12.000Z",
"modified": "2016-04-25T10:02:12.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: cfd1a77155b9af917e22a8ac0fe16eeb26e00c6e",
"pattern": "[file:hashes.MD5 = '10492d71bf833499217c0a3f48278dc0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:02:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571deb24-2ce8-44f5-9c39-442302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:12.000Z",
"modified": "2016-04-25T10:02:12.000Z",
"first_observed": "2016-04-25T10:02:12Z",
"last_observed": "2016-04-25T10:02:12Z",
"number_observed": 1,
"object_refs": [
"url--571deb24-2ce8-44f5-9c39-442302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--571deb24-2ce8-44f5-9c39-442302de0b81",
"value": "https://www.virustotal.com/file/933e8206dd259578c14ffecf9166ac937c6f2c49f0fb8a126283f7211a442fe5/analysis/1461238630/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb24-d6e8-4a42-81a0-483f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:12.000Z",
"modified": "2016-04-25T10:02:12.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: acaeb29abf2458b862646366917f44e987176ec9",
"pattern": "[file:hashes.SHA256 = 'c8ec0981f22303b81f5463dce7e9bb3d34f9c162710be9fb766ecaad86a9afa3']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:02:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571deb24-2bd8-4613-a160-40fc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:12.000Z",
"modified": "2016-04-25T10:02:12.000Z",
"description": "Imported via the freetext import. - Xchecked via VT: acaeb29abf2458b862646366917f44e987176ec9",
"pattern": "[file:hashes.MD5 = 'f0e55995b81e974e9df4d1c060bc4bcc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-25T10:02:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571deb25-dc48-496f-9cb9-401d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T10:02:12.000Z",
"modified": "2016-04-25T10:02:12.000Z",
"first_observed": "2016-04-25T10:02:12Z",
"last_observed": "2016-04-25T10:02:12Z",
"number_observed": 1,
"object_refs": [
"url--571deb25-dc48-496f-9cb9-401d02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--571deb25-dc48-496f-9cb9-401d02de0b81",
"value": "https://www.virustotal.com/file/c8ec0981f22303b81f5463dce7e9bb3d34f9c162710be9fb766ecaad86a9afa3/analysis/1461421373/"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571e170d-e06c-4485-9a7a-40e802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-25T13:09:33.000Z",
"modified": "2016-04-25T13:09:33.000Z",
"first_observed": "2016-04-25T13:09:33Z",
"last_observed": "2016-04-25T13:09:33Z",
"number_observed": 1,
"object_refs": [
"url--571e170d-e06c-4485-9a7a-40e802de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--571e170d-e06c-4485-9a7a-40e802de0b81",
"value": "https://www.virustotal.com/file/30bcc5a700e08c91095c3a8e6c52495a6b60f9ff07ac3c0b96e75befc44b1f5a/analysis/1461585661/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}