{
  "Event": {
    "analysis": "1",
    "date": "2022-01-01",
    "extends_uuid": "",
    "info": "[Threat Intel] Industroyer2 and INCONTROLLER",
    "protected": false,
    "publish_timestamp": "1772407602",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1772407599",
    "uuid": "0a7981fe-093c-4ba6-9005-ae1ca2effee1",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-software=\"Industroyer\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"INCONTROLLER\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"INDUSTROYER2\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-groups=\"Sandworm\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Ukraine\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"ArguePatch\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#190061",
        "local": false,
        "name": "rectifyq:topic=\"ics-ot\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#f63636",
        "local": false,
        "name": "ICS-specific",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Industrial\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772330744",
        "to_ids": false,
        "type": "link",
        "uuid": "39c6c423-b049-476c-b2b2-76e75f252611",
        "value": "https://www.forescout.com/resources/industroyer2-and-incontroller-report/",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Industroyer2 sample from the original incident (CERT-UA). No sample in VT.\r\nLast check: 2026-03-01",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772349581",
        "to_ids": true,
        "type": "sha256",
        "uuid": "af6ac19c-87eb-4d9a-a6cb-b88a20d686cc",
        "value": "7062403bccacc7c0b84d27987b204777f6078319c3f4caa361581825c1a94e87",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "OrcShred sample from the original incident (CERT-UA). No sample in VT.\r\nLast check: 2026-03-01",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772349583",
        "to_ids": true,
        "type": "sha256",
        "uuid": "5b7eeaa7-578f-4ed3-a392-44c449452c20",
        "value": "43d07f28b7b699f43abd4f695596c15a90d772bfbd6029c8ee7bc5859c2b0861",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "IP address possibly related to the initial access (according to CERT-UA). Unverified: treat as a low-confidence indicator and validate before blocking.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772350398",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "0aa90c99-84c2-4568-8d2a-5c39e8a47946",
        "value": "91.245.255.243",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "IP address possibly related to the initial access (according to CERT-UA). Unverified: treat as a low-confidence indicator and validate before blocking.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772350419",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "e2c2c8ab-fc68-4d75-a437-a738297e3e20",
        "value": "195.230.23.19",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772350441",
        "uuid": "97cc2bfa-66ed-4405-b3a5-6326647b3e55",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Industroyer2 samples (public sources)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772350441",
            "to_ids": true,
            "type": "md5",
            "uuid": "a469be96-c084-402e-b18b-5362cc937cc9",
            "value": "71b2ad584bfb94c006c648e401efeead",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Industroyer2 samples (public sources)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772349573",
            "to_ids": true,
            "type": "sha1",
            "uuid": "9de28349-e481-45a4-93d3-b21187d34f1a",
            "value": "39b27de81915b748ec56d1c5df7e017b4a20323b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Industroyer2 samples (public sources)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772349573",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a6a90acc-fc6f-4763-bd83-469cc2f8dc21",
            "value": "ea16cb89129ab062843c84f6c6661750f18592b051549b265aaf834e100cd6fc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772349140",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "967e2ff7-60ae-4406-a361-467433fe6987",
            "value": "768:9kQ2SkG1EqihRWlG4ya6kcqCHfv3uWvzPMinhgaXj7n:9jo9kc3einhgaXvn"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772349140",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "753f38c0-db89-49e9-b614-38a424552183",
            "value": "37920"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772349140",
            "to_ids": true,
            "type": "vhash",
            "uuid": "c53b772f-41e0-44db-b945-1af00d6b3122",
            "value": "034046551d155az279z25z1039ze7z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772349140",
            "to_ids": true,
            "type": "filename",
            "uuid": "efeb0df4-baf8-4917-8314-05d8e95e61c7",
            "value": "ea16cb89129ab062843c84f6c6661750f18592b051549b265aaf834e100cd6fc.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-03-01\nLast scan: 2026-02-14",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772349140",
            "to_ids": false,
            "type": "text",
            "uuid": "de57b601-4891-4f88-8d94-70e77c55513a",
            "value": "Industroyer2 samples (public sources)\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Industroyer!MSR\nVT Total Detection: 58/72\nFirst Submission: 2022-04-18T08:05:06.000000+00:00\nLast Submission: 2026-02-14T13:33:52.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772350462",
        "uuid": "b2843346-d987-4a4b-8a60-01ea978f820f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Industroyer2 samples (public sources)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772350462",
            "to_ids": true,
            "type": "md5",
            "uuid": "aec1e563-d2bb-486d-95bd-bdd12038370c",
            "value": "b63b9929b8f214c4e8dcff7956c87277",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Industroyer2 samples (public sources)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772349575",
            "to_ids": true,
            "type": "sha1",
            "uuid": "eb970d7d-1f6a-4a21-9c8a-17eda4637af3",
            "value": "13aa2b7c1dad663462efc0a88d64770d2bc5dc4d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Industroyer2 samples (public sources)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772349575",
            "to_ids": true,
            "type": "sha256",
            "uuid": "97def00c-887d-4374-ac29-a77aaeaef7a4",
            "value": "fc0e6f2effbfa287217b8930ab55b7a77bb86dbd923c0e8150551627138c9caa",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772349161",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "b8d6f509-5576-4e2a-9874-78e9d1648f59",
            "value": "48:73BnC4rIH1VDDmQXv63wlBCIijlnKDMDAclNH4MgE4fLRhvtvmRUSU1uMeLCu8lH:D5kHfrCCCIsK4scnwjfLRttqkjrZo6"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772349161",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "85cdfcb7-006b-43ea-a9b2-0670d27b6383",
            "value": "3734"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772349161",
            "to_ids": true,
            "type": "filename",
            "uuid": "dd627ba8-a826-48a7-b5fe-4af05d36db90",
            "value": "435425___852ad4d0-093f-4749-a872-099fe00d1d02.dat"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-03-01\nLast scan: 2026-02-26",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772349161",
            "to_ids": false,
            "type": "text",
            "uuid": "da5a6077-3125-4fe0-a7b4-5e0ec27bc33a",
            "value": "Industroyer2 samples (public sources) - NOTE: the Microsoft detection name below points to CaddyWiper rather than Industroyer2; verify the family attribution before relying on this hash\nType Description: MS Compress\nMicrosoft: DoS:Win32/CaddyWiper.B!dha\nVT Total Detection: 23/63\nFirst Submission: 2022-04-12T20:55:55.000000+00:00\nLast Submission: 2024-09-18T06:19:16.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772350483",
        "uuid": "cdbaf443-6722-492d-9cec-d0dc4ffd589f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "AwfulShred sample from the original incident (CERT-UA)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772350483",
            "to_ids": true,
            "type": "md5",
            "uuid": "092ae4f6-a096-4df1-8586-09663a1514a7",
            "value": "73561d9a331c1d8a334ec48dfd94db99",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "AwfulShred sample from the original incident (CERT-UA)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772349576",
            "to_ids": true,
            "type": "sha1",
            "uuid": "12f55e50-84f2-4089-991b-654e05b44939",
            "value": "3cdbc19bc4f12d8d00b81380f7a2504d08074c15",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "AwfulShred sample from the original incident (CERT-UA)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772349576",
            "to_ids": true,
            "type": "sha256",
            "uuid": "438e4d76-305b-4a57-aa42-826621840fe8",
            "value": "bcdf0bd8142a4828c61e775686c9892d89893ed0f5093bdc70bde3e48d04ab99",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772349204",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "50f639f3-20f4-4e37-8104-ab22387be66d",
            "value": "192:jNhE21baNxtrilGAL4WDnEHgCyLslERTJx+f4:jNS4OxtOlTE6EAJsp4"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772349204",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "8434bf65-1918-4024-8117-7ab73b774f0c",
            "value": "10046"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772349204",
            "to_ids": true,
            "type": "filename",
            "uuid": "3aa032be-59cb-48c1-b754-a50fb0da29fd",
            "value": "bcdf0bd8142a4828c61e775686c9892d89893ed0f5093bdc70bde3e48d04ab99.sh"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-03-01\nLast scan: 2026-02-11",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772349204",
            "to_ids": false,
            "type": "text",
            "uuid": "b81b203e-0b3d-43c5-805f-9fd40cc739a0",
            "value": "AwfulShred sample from the original incident (CERT-UA)\nType Description: Shell script\nMicrosoft: Trojan:Linux/ShellAgent.AC!MTB\nVT Total Detection: 34/62\nFirst Submission: 2022-05-04T04:52:12.000000+00:00\nLast Submission: 2025-06-28T09:24:06.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772350505",
        "uuid": "88589f65-d257-4cc0-a878-5907c14605d1",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "ArguePatch sample from the original incident (CERT-UA)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772350505",
            "to_ids": true,
            "type": "md5",
            "uuid": "56c69859-a7e2-4908-afab-68099c7b5008",
            "value": "9ec8468dd4a81b0b35c499b31e67375e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ArguePatch sample from the original incident (CERT-UA)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772349578",
            "to_ids": true,
            "type": "sha1",
            "uuid": "f6f17aaa-7d48-46c3-83d4-6be09db2d5fc",
            "value": "6fa04992c0624c7aa3ca80da6a30e6de91226a16",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ArguePatch sample from the original incident (CERT-UA)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772349578",
            "to_ids": true,
            "type": "sha256",
            "uuid": "e9b271cf-6148-4cfb-af25-7579b9ea05fd",
            "value": "cda9310715b7a12f47b7c134260d5ff9200c147fc1d05f030e507e57e3582327",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772349226",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e23eedc6-37f3-4681-8b73-a96b487ed040",
            "value": "12288:CpCB9AVqhPDUHvOdO21ai1m2Y+o1mQR5LaVfnkBUxarLIN8Wah5/wodPdv7PVTFe:Cp12UPQkBUO/B5/lzTVTFH+"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772349226",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "392593f8-fa33-4926-9661-6436be3cbeef",
            "value": "639488"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772349226",
            "to_ids": true,
            "type": "vhash",
            "uuid": "a190305a-14ca-4917-9745-7b378aa27a3d",
            "value": "065046655d1565z12z7d7z5023z95z14z1c7z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772349226",
            "to_ids": true,
            "type": "filename",
            "uuid": "d56d48c9-b8e6-4fc5-a3b1-328331175943",
            "value": "cda9310715b7a12f47b7c134260d5ff9200c147fc1d05f030e507e57e3582327.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan\t:  11/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772349226",
            "to_ids": false,
            "type": "text",
            "uuid": "543ad25c-1fa2-457e-8dca-7ad0a155df5a",
            "value": "ArguePatch sample from the original incident (CERT-UA)\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/AprilAxe.B!dha\nVT Total Detection:59/72\nFirst Submission:2022-04-11T17:14:03.000000+00:00\nLast Submission:2025-12-15T13:19:37.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772350526",
        "uuid": "c7590946-1515-47fe-b457-9aff484db4df",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Lazycargo sample from vxunderground",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772350526",
            "to_ids": true,
            "type": "md5",
            "uuid": "ec526d2d-4ad6-4a5a-8b26-a29d910534a9",
            "value": "838f055690a2a3617be42b8101c27d49",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Lazycargo sample from vxunderground",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772349579",
            "to_ids": true,
            "type": "sha1",
            "uuid": "0d311c31-c451-4c3e-8a1d-3bbce5555c3b",
            "value": "95bd07b4400095acdafce05888da27228d7d07ca",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Lazycargo sample from vxunderground",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772349579",
            "to_ids": true,
            "type": "sha256",
            "uuid": "10353533-84b4-44bd-90d1-7901816d3e68",
            "value": "69296ca3575d9bc04ce0250d734d1a83c1348f5b6da756944933af0578bd41d2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772349247",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "3ac87d6d-0105-431b-9a47-89634d7eb8e6",
            "value": "6144:HG7pXZ07Hxn+X9vR3iXh+LxJNCbxS0CUvPupYoW8d3qdCx77pGuPmHKN:6pXZoRn+n3iXh+hR5qdCx77VPmHM"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772349247",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "c35e0400-ba1f-4755-9281-82f4e071fc31",
            "value": "445440"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772349247",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d6ba52c6-f88d-4510-a42e-9a72cb1dc8d4",
            "value": "045066551d6555555088z56!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772349247",
            "to_ids": true,
            "type": "filename",
            "uuid": "86a03078-a896-4e76-afd4-4b9c09c066b5",
            "value": "LazyCargo"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan\t:  07/12/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772349247",
            "to_ids": false,
            "type": "text",
            "uuid": "c3dfe4cd-0290-482a-bd20-847d37677530",
            "value": "Lazycargo sample from vxunderground\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win64/Tnega!MSR\nVT Total Detection:51/72\nFirst Submission:2022-03-28T16:56:07.000000+00:00\nLast Submission:2026-02-27T01:04:34.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772350548",
        "uuid": "7c185760-89ee-492c-bec0-430cfed94797",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "TailJump sample from the original incident (CERT-UA)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772350548",
            "to_ids": true,
            "type": "md5",
            "uuid": "ee2e6b37-3210-4772-806a-5ed7314532aa",
            "value": "1938380a81a23b8b1100de8403b583a7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "TailJump sample from the original incident (CERT-UA)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772349580",
            "to_ids": true,
            "type": "sha1",
            "uuid": "c4d4e4b2-0a6c-46a0-b1a7-14867c3350d7",
            "value": "9ce1491ce69809f92ae1fe8d4c0783bd1d11fbe7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "TailJump sample from the original incident (CERT-UA)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772349580",
            "to_ids": true,
            "type": "sha256",
            "uuid": "2652634d-761d-4fb0-a0a6-49dd18335c4b",
            "value": "1724a0a3c9c73f4d8891f988b5035effce8d897ed42336a92e2c9bc7d9ee7f5a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772349269",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "3b3e6b43-a1be-4c45-8d4c-d76778db6934",
            "value": "96:6vWh+Y890aCVtXugDPkriXR4RmGM+nqi3nr/:6T0VduD4tG9r/"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772349269",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "5da34b25-d66e-4fc2-939d-43054e936276",
            "value": "3734"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772349269",
            "to_ids": true,
            "type": "filename",
            "uuid": "98cd12ab-4584-4fef-8294-281384128e7c",
            "value": "1724a0a3c9c73f4d8891f988b5035effce8d897ed42336a92e2c9bc7d9ee7f5a.unknown"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan\t:  09/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772349269",
            "to_ids": false,
            "type": "text",
            "uuid": "bb0d9e9e-46a2-4b5a-99bb-200cff4d6701",
            "value": "TailJump sample from the original incident (CERT-UA)\r\nType Description: unknown\nMicrosoft: None\nVT Total Detection:30/62\nFirst Submission:2022-04-11T17:15:15.000000+00:00\nLast Submission:2026-02-26T01:17:34.000000+00:00"
          }
        ]
      }
    ]
  }
}