{
  "Event": {
    "analysis": "1",
    "date": "2022-04-18",
    "extends_uuid": "",
    "info": "[Threat Intel] Industroyer2: The ICS-capable malware re-emerges in order to cause critical services disruption",
    "protected": false,
    "publish_timestamp": "1772407512",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1772407509",
    "uuid": "1c545209-80f5-4434-b51e-3bb84871b90f",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"INDUSTROYER2\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#190061",
        "local": false,
        "name": "rectifyq:topic=\"ics-ot\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#f63636",
        "local": false,
        "name": "ICS-specific",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Ukraine\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Industrial\"",
        "relationship_type": ""
      },
      {
        "colour": "#3500ca",
        "local": false,
        "name": "rectifyq:detection-rules=\"yara-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772337798",
        "to_ids": false,
        "type": "link",
        "uuid": "ad42756a-5da5-4526-ad55-ade9ffbd9b5d",
        "value": "https://www.emanueledelucia.net/industroyer2-the-ics-capable-malware-re-emerges-in-order-to-cause-critical-services-disruption/"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772337852",
        "uuid": "9cd6707e-4f4a-4933-a7ee-b514fdeffc5c",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772337852",
            "to_ids": false,
            "type": "text",
            "uuid": "faa86152-b12a-4cd3-87fc-3e8dfc8487b5",
            "value": "Sandworm_Industroyer2_76222_00001"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772337852",
            "to_ids": false,
            "type": "comment",
            "uuid": "7fabb37e-cbce-48ea-8b1d-603b2cee2f73",
            "value": "Strings-based threat detection rule for INDUSTROYER2"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772337852",
            "to_ids": true,
            "type": "yara",
            "uuid": "77f15c77-42ae-4d57-a888-1d3231b6ee5f",
            "value": "rule Sandworm_Industroyer2_76222_00001 : RUSSIAN THREAT GROUP {\r\nmeta:\r\nauthor = \"Emanuele De Lucia\"\r\ndescription = \"Strings-based threat detection rule for INDUSTROYER2\"\r\ntlp = \"white\"\r\ndate = \"2022-04-15\"\r\nhash1 = \"d69665f56ddef7ad4e71971f06432e59f1510a7194386e5f0e8926aea7b88e00\"\r\nstrings:\r\n$ = \"PServiceControl.exe\"\r\n$ = \"Sent=x%X | Received=x%X\"\r\n$ = \"Cause: %s (x%X) | Telegram type: %s (x%X)\"\r\n$ = \"Length:%u bytes | \"\r\n$ = \"Unknown APDU format !!!\"\r\n$ = \"%02hu:%02hu:%02hu:%04hu\"\r\ncondition: (uint16(0) == 0x5a4d and all of them)\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772352194",
        "uuid": "6e385886-e98d-4c15-86d4-5c84950c1965",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772352194",
            "to_ids": true,
            "type": "md5",
            "uuid": "4c8f5229-aa31-4ea1-bd39-2ec9a92ace1d",
            "value": "7c05da2e4612fca213430b6c93e76b06",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772352089",
            "to_ids": true,
            "type": "sha1",
            "uuid": "b0bd4ca4-b9db-4ecb-8dbb-f5e1e674b731",
            "value": "fdeb96bc3d4ab32ef826e7e53f4fe1c72e580379",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772352089",
            "to_ids": true,
            "type": "sha256",
            "uuid": "dca1297d-a7ee-4a7e-b001-97ebe1f48926",
            "value": "d69665f56ddef7ad4e71971f06432e59f1510a7194386e5f0e8926aea7b88e00",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772351462",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c041a0c1-4684-4c18-b9bc-2341cd1affac",
            "value": "768:9kQ2SkG1EqihRWlG4ya6kcqCHfv3uWvzPMinhgaXj7:9jo9kc3einhgaXv"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772351462",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b029a1b0-403f-4288-ace3-4de7b53a14ae",
            "value": "37888"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772351462",
            "to_ids": true,
            "type": "vhash",
            "uuid": "26a5f2b4-0505-4f65-ba80-421121846b3c",
            "value": "034046551d155az279z25z1039ze7z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772351462",
            "to_ids": true,
            "type": "filename",
            "uuid": "87847fc2-4783-4416-9f56-3574ed27327a",
            "value": "d69665f56ddef7ad4e71971f06432e59f1510a7194386e5f0e8926aea7b88e00.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-03-01\nLast scan: 2026-02-26",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772351462",
            "to_ids": false,
            "type": "text",
            "uuid": "222ee5fb-9687-40bb-95da-26f2b4faadb1",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Znyonm!rfn\nVT Total Detection: 45/72\nFirst Submission: 2022-04-14T12:36:41.000000+00:00\nLast Submission: 2025-12-15T13:19:45.000000+00:00"
          }
        ]
      }
    ]
  }
}