misp-circl-feed/feeds/circl/stix-2.1/59afedbe-12f4-4585-9048-4b8b950d210f.json

825 lines
No EOL
35 KiB
JSON

{
"type": "bundle",
"id": "bundle--59afedbe-12f4-4585-9048-4b8b950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:15:59.000Z",
"modified": "2017-09-06T14:15:59.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--59afedbe-12f4-4585-9048-4b8b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:15:59.000Z",
"modified": "2017-09-06T14:15:59.000Z",
"name": "OSINT - Dragonfly: Western energy sector targeted by sophisticated attack group",
"published": "2017-09-06T14:16:11Z",
"object_refs": [
"observed-data--59afeddc-0fc0-471d-8894-2b8f950d210f",
"url--59afeddc-0fc0-471d-8894-2b8f950d210f",
"x-misp-attribute--59afee32-7834-49c8-83a1-2a5e950d210f",
"indicator--59afeeef-c93c-414e-8a00-2a4f950d210f",
"indicator--59afeeef-2138-4eb2-be22-2a4f950d210f",
"indicator--59afeeef-9094-4c28-af46-2a4f950d210f",
"indicator--59afeeef-d2a8-4044-be77-2a4f950d210f",
"indicator--59afeeef-2e84-4d01-bd45-2a4f950d210f",
"indicator--59afeeef-ba6c-4f95-b2eb-2a4f950d210f",
"indicator--59afeeef-9e9c-47fc-b818-2a4f950d210f",
"indicator--59afeeef-2250-49ea-b0ab-2a4f950d210f",
"indicator--59afef44-f9c8-4bd0-9214-2fb4950d210f",
"indicator--59afef44-2fa4-4a68-93e5-2fb4950d210f",
"indicator--59afef44-0f1c-46e7-9221-2fb4950d210f",
"indicator--59b00317-7184-4065-929b-45ca02de0b81",
"indicator--59b00317-767c-45f4-909d-45e802de0b81",
"observed-data--59b00317-8c90-429a-9187-4f7b02de0b81",
"url--59b00317-8c90-429a-9187-4f7b02de0b81",
"indicator--59b00317-8f78-44a7-87a2-449d02de0b81",
"indicator--59b00317-d548-4a07-a646-49d602de0b81",
"observed-data--59b00317-ff24-460a-8067-4d0302de0b81",
"url--59b00317-ff24-460a-8067-4d0302de0b81",
"indicator--59b00317-c7bc-46a0-92b5-46cd02de0b81",
"indicator--59b00317-d3bc-419d-936c-421302de0b81",
"observed-data--59b00317-715c-49a9-84cb-49e002de0b81",
"url--59b00317-715c-49a9-84cb-49e002de0b81",
"indicator--59b00317-5b68-4e2d-80f2-4f7502de0b81",
"indicator--59b00317-892c-4dd0-a380-40b402de0b81",
"observed-data--59b00317-5e44-43ab-bcf4-440502de0b81",
"url--59b00317-5e44-43ab-bcf4-440502de0b81",
"indicator--59b00317-3aa4-4feb-b8c0-46ac02de0b81",
"indicator--59b00317-7f60-4222-80d3-4cc102de0b81",
"observed-data--59b00317-1d58-41e5-97c0-441b02de0b81",
"url--59b00317-1d58-41e5-97c0-441b02de0b81",
"indicator--59b00317-0dbc-4932-8748-464502de0b81",
"indicator--59b00317-8cd8-440c-8c01-4efb02de0b81",
"observed-data--59b00317-24f4-44f6-bfd7-4ca902de0b81",
"url--59b00317-24f4-44f6-bfd7-4ca902de0b81"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"misp-galaxy:mitre-intrusion-set=\"Dragonfly\"",
"misp-galaxy:threat-actor=\"Energetic Bear\"",
"type:OSINT",
"osint:source-type=\"blog-post\"",
"certsi:critical-sector=\"energy\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59afeddc-0fc0-471d-8894-2b8f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:15:51.000Z",
"modified": "2017-09-06T14:15:51.000Z",
"first_observed": "2017-09-06T14:15:51Z",
"last_observed": "2017-09-06T14:15:51Z",
"number_observed": 1,
"object_refs": [
"url--59afeddc-0fc0-471d-8894-2b8f950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59afeddc-0fc0-471d-8894-2b8f950d210f",
"value": "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--59afee32-7834-49c8-83a1-2a5e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:15:51.000Z",
"modified": "2017-09-06T14:15:51.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\"",
"osint:source-type=\"blog-post\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "The energy sector in Europe and North America is being targeted by a new wave of cyber attacks that could provide attackers with the means to severely disrupt affected operations. The group behind these attacks is known as Dragonfly. The group has been in operation since at least 2011 but has re-emerged over the past two years from a quiet period following exposure by Symantec and a number of other researchers in 2014. This \u00e2\u20ac\u0153Dragonfly 2.0\u00e2\u20ac\u009d campaign, which appears to have begun in late 2015, shares tactics and tools used in earlier campaigns by the group."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59afeeef-c93c-414e-8a00-2a4f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:15:51.000Z",
"modified": "2017-09-06T14:15:51.000Z",
"description": "Backdoor.Dorshel",
"pattern": "[file:hashes.MD5 = 'b3b5d67f5bbf5a043f5bf5d079dbcb56']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-06T14:15:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59afeeef-2138-4eb2-be22-2a4f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:15:51.000Z",
"modified": "2017-09-06T14:15:51.000Z",
"description": "Trojan.Karagany.B",
"pattern": "[file:hashes.MD5 = '1560f68403c5a41e96b28d3f882de7f1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-06T14:15:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59afeeef-9094-4c28-af46-2a4f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:15:51.000Z",
"modified": "2017-09-06T14:15:51.000Z",
"description": "Trojan.Heriplor",
"pattern": "[file:hashes.MD5 = 'e02603178c8c47d198f7d34bcf2d68b8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-06T14:15:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59afeeef-d2a8-4044-be77-2a4f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:15:51.000Z",
"modified": "2017-09-06T14:15:51.000Z",
"description": "Trojan.Listrix",
"pattern": "[file:hashes.MD5 = 'da9d8c78efe0c6c8be70e6b857400fb1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-06T14:15:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59afeeef-2e84-4d01-bd45-2a4f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:15:51.000Z",
"modified": "2017-09-06T14:15:51.000Z",
"description": "Hacktool.Credrix",
"pattern": "[file:hashes.MD5 = 'a4cf567f27f3b2f8b73ae15e2e487f00']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-06T14:15:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59afeeef-ba6c-4f95-b2eb-2a4f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:15:51.000Z",
"modified": "2017-09-06T14:15:51.000Z",
"description": "Backdoor.Goodor",
"pattern": "[file:hashes.MD5 = '765fcd7588b1d94008975c4627c8feb6']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-06T14:15:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59afeeef-9e9c-47fc-b818-2a4f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:15:51.000Z",
"modified": "2017-09-06T14:15:51.000Z",
"description": "Trojan.Phisherly",
"pattern": "[file:hashes.MD5 = '141e78d16456a072c9697454fc6d5f58']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-06T14:15:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59afeeef-2250-49ea-b0ab-2a4f950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:15:51.000Z",
"modified": "2017-09-06T14:15:51.000Z",
"description": "Screenutil",
"pattern": "[file:hashes.MD5 = 'db07e1740152e09610ea826655d27e8d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-06T14:15:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59afef44-f9c8-4bd0-9214-2fb4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:15:51.000Z",
"modified": "2017-09-06T14:15:51.000Z",
"description": "Command & Control for Backdoor.Dorshel",
"pattern": "[url:value = 'http://103.41.177.69/A56WY']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-06T14:15:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59afef44-2fa4-4a68-93e5-2fb4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:15:51.000Z",
"modified": "2017-09-06T14:15:51.000Z",
"description": "Command & Control for Trojan.Karagany.B",
"pattern": "[url:value = 'http://37.1.202.26/getimage/622622.jpg']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-06T14:15:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"url\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59afef44-0f1c-46e7-9221-2fb4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:15:51.000Z",
"modified": "2017-09-06T14:15:51.000Z",
"description": "Command & Control for Trojan.Phisherly",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '184.154.150.66']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-06T14:15:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59b00317-7184-4065-929b-45ca02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:15:51.000Z",
"modified": "2017-09-06T14:15:51.000Z",
"description": "Trojan.Phisherly - Xchecked via VT: 141e78d16456a072c9697454fc6d5f58",
"pattern": "[file:hashes.SHA256 = 'c272a2d96aefdef746f983e7f8720792e8a6dee97a766a651dc55f70f605b23d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-06T14:15:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59b00317-767c-45f4-909d-45e802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:15:51.000Z",
"modified": "2017-09-06T14:15:51.000Z",
"description": "Trojan.Phisherly - Xchecked via VT: 141e78d16456a072c9697454fc6d5f58",
"pattern": "[file:hashes.SHA1 = 'eff5e2a3ac471a1b5ecdf51a72e003a82c350506']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-06T14:15:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59b00317-8c90-429a-9187-4f7b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:15:51.000Z",
"modified": "2017-09-06T14:15:51.000Z",
"first_observed": "2017-09-06T14:15:51Z",
"last_observed": "2017-09-06T14:15:51Z",
"number_observed": 1,
"object_refs": [
"url--59b00317-8c90-429a-9187-4f7b02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59b00317-8c90-429a-9187-4f7b02de0b81",
"value": "https://www.virustotal.com/file/c272a2d96aefdef746f983e7f8720792e8a6dee97a766a651dc55f70f605b23d/analysis/1504702236/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59b00317-8f78-44a7-87a2-449d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:15:51.000Z",
"modified": "2017-09-06T14:15:51.000Z",
"description": "Hacktool.Credrix - Xchecked via VT: a4cf567f27f3b2f8b73ae15e2e487f00",
"pattern": "[file:hashes.SHA256 = '178348c14324bc0a3e57559a01a6ae6aa0cb4013aabbe324b51f906dcf5d537e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-06T14:15:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59b00317-d548-4a07-a646-49d602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:15:51.000Z",
"modified": "2017-09-06T14:15:51.000Z",
"description": "Hacktool.Credrix - Xchecked via VT: a4cf567f27f3b2f8b73ae15e2e487f00",
"pattern": "[file:hashes.SHA1 = '4f2faef3d65099c19d617df73af5119dd719240c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-06T14:15:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59b00317-ff24-460a-8067-4d0302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:15:51.000Z",
"modified": "2017-09-06T14:15:51.000Z",
"first_observed": "2017-09-06T14:15:51Z",
"last_observed": "2017-09-06T14:15:51Z",
"number_observed": 1,
"object_refs": [
"url--59b00317-ff24-460a-8067-4d0302de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59b00317-ff24-460a-8067-4d0302de0b81",
"value": "https://www.virustotal.com/file/178348c14324bc0a3e57559a01a6ae6aa0cb4013aabbe324b51f906dcf5d537e/analysis/1504704171/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59b00317-c7bc-46a0-92b5-46cd02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:15:51.000Z",
"modified": "2017-09-06T14:15:51.000Z",
"description": "Trojan.Listrix - Xchecked via VT: da9d8c78efe0c6c8be70e6b857400fb1",
"pattern": "[file:hashes.SHA256 = 'fc54d8afd2ce5cb6cc53c46783bf91d0dd19de604308d536827320826bc36ed9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-06T14:15:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59b00317-d3bc-419d-936c-421302de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:15:51.000Z",
"modified": "2017-09-06T14:15:51.000Z",
"description": "Trojan.Listrix - Xchecked via VT: da9d8c78efe0c6c8be70e6b857400fb1",
"pattern": "[file:hashes.SHA1 = 'cd9519127efcc9a65068befe17ae038c94085358']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-06T14:15:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59b00317-715c-49a9-84cb-49e002de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:15:51.000Z",
"modified": "2017-09-06T14:15:51.000Z",
"first_observed": "2017-09-06T14:15:51Z",
"last_observed": "2017-09-06T14:15:51Z",
"number_observed": 1,
"object_refs": [
"url--59b00317-715c-49a9-84cb-49e002de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59b00317-715c-49a9-84cb-49e002de0b81",
"value": "https://www.virustotal.com/file/fc54d8afd2ce5cb6cc53c46783bf91d0dd19de604308d536827320826bc36ed9/analysis/1504707156/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59b00317-5b68-4e2d-80f2-4f7502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:15:51.000Z",
"modified": "2017-09-06T14:15:51.000Z",
"description": "Trojan.Heriplor - Xchecked via VT: e02603178c8c47d198f7d34bcf2d68b8",
"pattern": "[file:hashes.SHA256 = 'b051a5997267a5d7fa8316005124f3506574807ab2b25b037086e2e971564291']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-06T14:15:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59b00317-892c-4dd0-a380-40b402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:15:51.000Z",
"modified": "2017-09-06T14:15:51.000Z",
"description": "Trojan.Heriplor - Xchecked via VT: e02603178c8c47d198f7d34bcf2d68b8",
"pattern": "[file:hashes.SHA1 = 'd6ef3e457819425bf9524e8a7070f3fcf21c3ad5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-06T14:15:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59b00317-5e44-43ab-bcf4-440502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:15:51.000Z",
"modified": "2017-09-06T14:15:51.000Z",
"first_observed": "2017-09-06T14:15:51Z",
"last_observed": "2017-09-06T14:15:51Z",
"number_observed": 1,
"object_refs": [
"url--59b00317-5e44-43ab-bcf4-440502de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59b00317-5e44-43ab-bcf4-440502de0b81",
"value": "https://www.virustotal.com/file/b051a5997267a5d7fa8316005124f3506574807ab2b25b037086e2e971564291/analysis/1504704663/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59b00317-3aa4-4feb-b8c0-46ac02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:15:51.000Z",
"modified": "2017-09-06T14:15:51.000Z",
"description": "Trojan.Karagany.B - Xchecked via VT: 1560f68403c5a41e96b28d3f882de7f1",
"pattern": "[file:hashes.SHA256 = '28143c7638f22342bff8edcd0bedd708e265948a5fcca750c302e2dca95ed9f0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-06T14:15:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59b00317-7f60-4222-80d3-4cc102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:15:51.000Z",
"modified": "2017-09-06T14:15:51.000Z",
"description": "Trojan.Karagany.B - Xchecked via VT: 1560f68403c5a41e96b28d3f882de7f1",
"pattern": "[file:hashes.SHA1 = '95db15c67b48945237af7de61f3dbab92c99edd1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-06T14:15:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59b00317-1d58-41e5-97c0-441b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:15:51.000Z",
"modified": "2017-09-06T14:15:51.000Z",
"first_observed": "2017-09-06T14:15:51Z",
"last_observed": "2017-09-06T14:15:51Z",
"number_observed": 1,
"object_refs": [
"url--59b00317-1d58-41e5-97c0-441b02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59b00317-1d58-41e5-97c0-441b02de0b81",
"value": "https://www.virustotal.com/file/28143c7638f22342bff8edcd0bedd708e265948a5fcca750c302e2dca95ed9f0/analysis/1504696978/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59b00317-0dbc-4932-8748-464502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:15:51.000Z",
"modified": "2017-09-06T14:15:51.000Z",
"description": "Backdoor.Dorshel - Xchecked via VT: b3b5d67f5bbf5a043f5bf5d079dbcb56",
"pattern": "[file:hashes.SHA256 = 'cee4211af96df184236e816ab0b11d95d1075148299a29719fcd9675b2714426']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-06T14:15:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--59b00317-8cd8-440c-8c01-4efb02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:15:51.000Z",
"modified": "2017-09-06T14:15:51.000Z",
"description": "Backdoor.Dorshel - Xchecked via VT: b3b5d67f5bbf5a043f5bf5d079dbcb56",
"pattern": "[file:hashes.SHA1 = 'c7eae6cd08d0601223b641745f078dffce285066']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2017-09-06T14:15:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--59b00317-24f4-44f6-bfd7-4ca902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2017-09-06T14:15:51.000Z",
"modified": "2017-09-06T14:15:51.000Z",
"first_observed": "2017-09-06T14:15:51Z",
"last_observed": "2017-09-06T14:15:51Z",
"number_observed": 1,
"object_refs": [
"url--59b00317-24f4-44f6-bfd7-4ca902de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--59b00317-24f4-44f6-bfd7-4ca902de0b81",
"value": "https://www.virustotal.com/file/cee4211af96df184236e816ab0b11d95d1075148299a29719fcd9675b2714426/analysis/1504696840/"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}