{
  "Event": {
    "analysis": "2",
    "date": "2018-10-01",
    "extends_uuid": "",
    "info": "[Threat Intel] Stuxnet Facts Report. A Technical and Strategic Analysis",
    "protected": false,
    "publish_timestamp": "1772419517",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1772419514",
    "uuid": "1e8c927a-17b3-4f22-8843-073507adea01",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#150050",
        "local": false,
        "name": "rectifyq:sub-category=\"report\"",
        "relationship_type": ""
      },
      {
        "colour": "#190061",
        "local": false,
        "name": "rectifyq:topic=\"ics-ot\"",
        "relationship_type": ""
      },
      {
        "colour": "#1c006d",
        "local": false,
        "name": "rectifyq:topic=\"geopolitical\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"State-Sponsored\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Stuxnet\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:country=\"israel\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:country=\"united states of america\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Iran\"",
        "relationship_type": ""
      },
      {
        "colour": "#150052",
        "local": false,
        "name": "rectifyq:sub-category=\"zero-day\"",
        "relationship_type": ""
      },
      {
        "colour": "#7f009f",
        "local": false,
        "name": "ms-caro-malware:malware-platform=\"WinNT\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Damage to Property\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Replication Through Removable Media\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Rootkit\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-software=\"Stuxnet\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Debugger Evasion - T1622\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#8de1e8",
        "local": false,
        "name": "SANS-ICS515",
        "relationship_type": ""
      },
      {
        "colour": "#f63636",
        "local": false,
        "name": "ICS-specific",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Industrial\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771722138",
        "to_ids": false,
        "type": "link",
        "uuid": "7a63e629-0fa7-4fc0-9355-d5221ae7b890",
        "value": "https://ccdcoe.org/library/publications/stuxnet-facts-report-a-technical-and-strategic-analysis-2/"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771722148",
        "to_ids": false,
        "type": "link",
        "uuid": "ccce27d4-8a14-4498-b58d-894e0be8e03b",
        "value": "https://ccdcoe.org/uploads/2018/10/Falco2012_StuxnetFactsReport.pdf"
      },
      {
        "category": "Network activity",
        "comment": "C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771723991",
        "to_ids": true,
        "type": "hostname",
        "uuid": "edf97a33-a00c-476e-8ed9-5c578fe991b5",
        "value": "www.mypremierfutbol.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771724013",
        "to_ids": true,
        "type": "hostname",
        "uuid": "3f2732c9-16ce-4275-bf22-af3a1825bba9",
        "value": "www.todaysfutbol.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771724314",
        "to_ids": true,
        "type": "url",
        "uuid": "5eb8556f-93f6-4a25-a725-f01b80da4e98",
        "value": "http://www.mypremierfutbol.com/index.php?data",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771722484",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "061f1726-50fe-4903-a58a-3cfd51369b35",
        "value": "CVE-2008-4250"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771722484",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "fc2dbc68-acf7-4551-9f0d-4b7826952c37",
        "value": "CVE-2010-2568"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771722484",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "60b8b7d0-2f29-495d-9b90-e85d08141dc7",
        "value": "CVE-2010-2729"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771722484",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "1e1e06c1-56e4-4ea2-970d-3c3ae9cbcc51",
        "value": "CVE-2010-2743"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771722484",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "a007bbb8-2efd-4c44-be3e-3b3ae935fc3a",
        "value": "CVE-2010-2772"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771722484",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "18d1f9cd-cd13-4150-8404-f7b810812769",
        "value": "CVE-2010-3888"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771729331",
        "to_ids": false,
        "type": "link",
        "uuid": "ca629c56-4692-433d-a8a1-c468147fed91",
        "value": "https://www.afcea.org/committees/cyber/documents/TheHistoryofStuxnet.pdf",
        "Tag": [
          {
            "colour": "#8de1e8",
            "local": false,
            "name": "SANS-ICS515",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771848197",
        "to_ids": false,
        "type": "link",
        "uuid": "ad10b2b3-b803-40a9-946d-467e38290ec3",
        "value": "https://css.ethz.ch/content/dam/ethz/special-interest/gess/cis/center-for-securities-studies/pdfs/Cyber-Reports-2017-04.pdf"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771724055",
        "uuid": "ee84cf1b-9d6d-467d-a9ba-19095851e84a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "~wtr4132.tmp - Dropper (main wrapper file, contains all resources needed by the worm)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771724055",
            "to_ids": true,
            "type": "md5",
            "uuid": "e98fb05b-72e8-476e-9e69-cc8bac341cb6",
            "value": "74ddc49a7c121a61b8d06c03f92d0c13",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "~wtr4132.tmp - Dropper (main wrapper file, contains all resources needed by the worm)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771723950",
            "to_ids": true,
            "type": "sha1",
            "uuid": "a652a518-dbfa-4abe-82b5-3336c8b1988f",
            "value": "0ccbc128dd8bf73dc7b3922fb67d26bbcdbcaa89",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "~wtr4132.tmp - Dropper (main wrapper file, contains all resources needed by the worm)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771723950",
            "to_ids": true,
            "type": "sha256",
            "uuid": "0015c571-2806-47c4-bdea-384d48b5e162",
            "value": "743e16b3ef4d39fc11c5e8ec890dcd29f034a6eca51be4f7fca6e23e60dbd7a1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771723118",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "43563b2a-3c89-4d30-a032-0f1d0d6dd029",
            "value": "12288:4ikBuHsZfYLyB9SqoKumDXh1al+hte5+tAL7LwOJ50UWpGtJxK:3HnqoKpXLaUygKPwob"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771723118",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "07c38c96-32d3-4c26-9b79-1f9ab1537946",
            "value": "517632"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771723118",
            "to_ids": true,
            "type": "vhash",
            "uuid": "306f1900-e3a3-46e2-8ea6-d3ca215c40e9",
            "value": "055056551d151d7bzdnz1ez8"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771723118",
            "to_ids": true,
            "type": "filename",
            "uuid": "bc18deff-3454-4fcc-88df-44acfdd655c3",
            "value": "dropper.exe_"
          },
          {
            "category": "Other",
            "comment": "Checked: 22/02/2026\nLast-scan: 25/01/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771723118",
            "to_ids": false,
            "type": "text",
            "uuid": "6ad621ca-fb1a-48df-b3bd-5ecaea472c26",
            "value": "~wtr4132.tmp - Dropper (main wrapper file, contains all resources needed by the worm)\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Stuxnet.E\nVT Total Detection:67/72\nFirst Submission:2010-06-29T17:55:06.000000+00:00\nLast Submission:2025-07-08T06:51:51.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771724076",
        "uuid": "c44b95bf-e555-48c8-aa58-2a8beb132895",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "~wtr4141.tmp  - User-mode rootkit",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771724076",
            "to_ids": true,
            "type": "md5",
            "uuid": "58d0d3fd-0b31-4d7b-a8ec-f4067366c399",
            "value": "055a3421813caf77e1387ff77b2e2e28",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "~wtr4141.tmp  - User-mode rootkit",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771723951",
            "to_ids": true,
            "type": "sha1",
            "uuid": "580354a0-baec-43ac-afc8-79fb3f66e1a9",
            "value": "0c580ee2fad83b3ecd8ff21dee9c1644f8af43ab",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "~wtr4141.tmp  - User-mode rootkit",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771723951",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4edbd59a-e4f3-4e42-ada4-a7398cd92693",
            "value": "d58c95a68ae3debf9eedb3497b086c9d9289bc5692b72931f3a12c3041832628",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771723140",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "635bc3e5-d27f-4752-9227-907263270f33",
            "value": "384:apjc0UYZy1Ttvyph2adBRd64h+Erl2zB5ls7O7hBWnqTYJLWd6jqdybz:ap4U0Lm2aKF56iBOLAmIybz"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771723140",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "561f7cca-7a6d-47c1-bf30-3b7f7e10c7c8",
            "value": "25720"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771723140",
            "to_ids": true,
            "type": "vhash",
            "uuid": "bd600f94-1ac0-4a6a-a942-52b776950001",
            "value": "124046655d155az2bbz29z8ez4"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771723140",
            "to_ids": true,
            "type": "filename",
            "uuid": "343ac2d3-d7f6-41ac-b802-fe0c199a69b7",
            "value": "~WTR4141.tmp"
          },
          {
            "category": "Other",
            "comment": "Checked: 22/02/2026\nLast-scan: 17/12/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771723140",
            "to_ids": false,
            "type": "text",
            "uuid": "6b324c79-b0dd-461c-af8f-803e6924035b",
            "value": "~wtr4141.tmp  - User-mode rootkit\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Stuxnet.E\nVT Total Detection:61/72\nFirst Submission:2010-06-09T22:06:14.000000+00:00\nLast Submission:2025-08-04T05:20:20.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771724097",
        "uuid": "c74aaebd-0149-4065-866c-a1f821d9eaed",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "mrxcls.sys - Kernel-mode loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771724097",
            "to_ids": true,
            "type": "md5",
            "uuid": "66bc1881-3d36-4613-8fae-8a99af3961f0",
            "value": "f8153747bae8b4ae48837ee17172151e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "mrxcls.sys - Kernel-mode loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771723952",
            "to_ids": true,
            "type": "sha1",
            "uuid": "3ed56a3e-390e-478b-af8e-d19349f1bf21",
            "value": "cb0793029c60c0bd059ff85de956619f7fdeb4fd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "mrxcls.sys - Kernel-mode loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771723953",
            "to_ids": true,
            "type": "sha256",
            "uuid": "aa745d78-1a75-4acd-83a6-ed852d6d4f6c",
            "value": "1635ec04f069ccc8331d01fdf31132a4bc8f6fd3830ac94739df95ee093c555c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771723161",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "48053813-145f-48c1-8f2f-e4d47e6c87af",
            "value": "384:GjBfuuPC3LNGL9BLKkVcr7mj3eSW0lhqaWd7pxW3KzMdYJLWd6jqdybI:mfuj3oLukV0mTeSJhm7p+KxLAmIybI"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771723161",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "74e369d4-5da7-4d82-8cd9-380864f8bd23",
            "value": "26616"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771723161",
            "to_ids": true,
            "type": "vhash",
            "uuid": "8f7d8dfd-729c-4bcc-addc-19098fb9a793",
            "value": "024066655d6e551519z36z23xz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771723161",
            "to_ids": true,
            "type": "filename",
            "uuid": "29779146-bba4-4ff4-943a-e982b9134ef2",
            "value": "MRXCLS.Sys"
          },
          {
            "category": "Other",
            "comment": "Checked: 22/02/2026\nLast-scan: 10/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771723161",
            "to_ids": false,
            "type": "text",
            "uuid": "e1bbbdce-9711-4693-af29-38e52de760fb",
            "value": "mrxcls.sys - Kernel-mode loader\r\nType Description: Win32 EXE\nMicrosoft: Trojan:WinNT/Stuxnet.A\nVT Total Detection:56/72\nFirst Submission:2010-05-16T06:08:06.000000+00:00\nLast Submission:2026-01-22T10:30:24.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771724119",
        "uuid": "1a426d60-5e42-4357-ba1d-60c66d47237d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "mrxnet.sys - Kernel-mode rootkit",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771724119",
            "to_ids": true,
            "type": "md5",
            "uuid": "c45e544a-bdca-42e5-81b0-253c956224e3",
            "value": "cc1db5360109de3b857654297d262ca1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "mrxnet.sys - Kernel-mode rootkit",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771723953",
            "to_ids": true,
            "type": "sha1",
            "uuid": "4f4de334-9579-4f7d-97a3-dc72888f6bb0",
            "value": "758240613c362bb1fd13e07d3d19f357b7f8a6da",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "mrxnet.sys - Kernel-mode rootkit",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771723953",
            "to_ids": true,
            "type": "sha256",
            "uuid": "91ab614b-a656-4054-8523-ab0dc05ee174",
            "value": "0d8c2bcb575378f6a88d17b5f6ce70e794a264cdc8556c8e812f0b5f9c709198",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771723183",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "15ae91af-4013-4ff4-b0e2-82f2e6313a70",
            "value": "384:MYJsx/EzZYCb6NdEVAFba2iWs7pyWy0YJLWd6jqdybm:MYSx/ElbAdbY7p+ZLAmIybm"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771723183",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "54354012-7c60-4816-a9a3-1697071f9e90",
            "value": "17400"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771723183",
            "to_ids": true,
            "type": "vhash",
            "uuid": "010be02a-d260-448f-83c5-5974ef69502a",
            "value": "014066651d1e55155iz1bxz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771723183",
            "to_ids": true,
            "type": "filename",
            "uuid": "55d5d68c-2eab-44e0-8d6f-9f57cf00264d",
            "value": "MRXNET.Sys"
          },
          {
            "category": "Other",
            "comment": "Checked: 22/02/2026\nLast-scan: 29/09/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771723183",
            "to_ids": false,
            "type": "text",
            "uuid": "e92715d2-84fc-4a94-a1c6-b1028a6b5d2a",
            "value": "mrxnet.sys - Kernel-mode rootkit\nType Description: Win32 EXE\nMicrosoft: Trojan:WinNT/Stuxnet.B\nVT Total Detection: 54/72\nFirst Submission: 2010-05-22T07:24:01.000000+00:00\nLast Submission: 2025-10-07T10:20:15.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771724140",
        "uuid": "070c36e3-849a-49f5-936e-cd742c02434d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "mdmeric3.pnf - Configuration data",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771724140",
            "to_ids": true,
            "type": "md5",
            "uuid": "26960240-0e36-4bdf-ae33-15814e0e8562",
            "value": "b834ebeb777ea07fb6aab6bf35cdf07f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "mdmeric3.pnf - Configuration data",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771723954",
            "to_ids": true,
            "type": "sha1",
            "uuid": "fb7e3816-2bef-4933-9ee2-a2c627b2ac19",
            "value": "f7b86531ad78eb283e59091a1c64b0c47d50e6c6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "mdmeric3.pnf - Configuration data",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771723954",
            "to_ids": true,
            "type": "sha256",
            "uuid": "98db3e2c-05dd-489d-85c3-cdba831c2352",
            "value": "1e7d6cb0b1c29bf2caeb6983da647eb253d4764415ae8dfc493a75053dffe85f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771723205",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "929c7cc0-062f-46a1-8832-08a10ba18f13",
            "value": "3:Xr+VIN7AVmHZxNO9TUtQGkRS2haa9vmtZ82em:6eN7AVmH4TjTha2vmtZf"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771723205",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "c1e234d9-bdfc-4724-9a8a-144883eb6b00",
            "value": "90"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771723205",
            "to_ids": true,
            "type": "filename",
            "uuid": "6a226b31-ed6d-47b2-ad0c-a833e56409e1",
            "value": "S7P00001.DBF.VIRUS"
          },
          {
            "category": "Other",
            "comment": "Checked: 22/02/2026\nLast-scan: 13/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771723205",
            "to_ids": false,
            "type": "text",
            "uuid": "936d653c-ada8-455b-936a-668982c30d0a",
            "value": "mdmeric3.pnf - Configuration data\nType Description: PGP Security Key\nMicrosoft: Trojan:Win32/Stuxnet\nVT Total Detection: 25/62\nFirst Submission: 2010-05-11T16:38:06.000000+00:00\nLast Submission: 2026-02-11T12:26:52.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771724161",
        "uuid": "e39a3faa-572d-4335-8303-687304456752",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "oem7a.pnf - Main payload (encrypted DLL)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771724161",
            "to_ids": true,
            "type": "md5",
            "uuid": "0b5d40ad-0063-4cd7-8cd3-25edd0b62eb4",
            "value": "ad19fbaa55e8ad585a97bbcddcde59d4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "oem7a.pnf - Main payload (encrypted DLL)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771723955",
            "to_ids": true,
            "type": "sha1",
            "uuid": "417aad74-d827-4049-8e31-a463502c34fe",
            "value": "bcfcc25c6d0f58d784d5b5a4c631e920f655f50e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "oem7a.pnf - Main payload (encrypted DLL)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771723956",
            "to_ids": true,
            "type": "sha256",
            "uuid": "222b5c26-d1a4-4b94-8103-65745a5e511a",
            "value": "484b7de26369566d473675d08b23b17c0ea0556977c0db2d8cd8b3598d05ce9d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771723226",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "df800969-be79-4c09-b3cd-fb77f1e1044d",
            "value": "12288:YkBuHsZfYLyB9SqoKumDXh1al+hte5+tAL7LwOJ50UWpGtJxKI:cHnqoKpXLaUygKPwobd"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771723226",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "d4c3212b-c520-459e-947d-75b5aa54a262",
            "value": "498176"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771723226",
            "to_ids": true,
            "type": "filename",
            "uuid": "e6869a0d-0809-49a3-8e9b-7375187e38d3",
            "value": "cc_alg.sav"
          },
          {
            "category": "Other",
            "comment": "Checked: 22/02/2026\nLast-scan: 19/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771723226",
            "to_ids": false,
            "type": "text",
            "uuid": "965ab4ca-1055-42ea-9124-e681d0f0f797",
            "value": "oem7a.pnf - Main payload (encrypted DLL)\nType Description: unknown\nMicrosoft: None\nVT Total Detection: 27/63\nFirst Submission: 2010-06-28T15:45:09.000000+00:00\nLast Submission: 2017-09-29T13:23:23.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771724183",
        "uuid": "18da4fc0-a14d-4130-9853-6ba5bdc62d74",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "s7otbxdx.dll - Simatic Manager DLL replacement",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771724183",
            "to_ids": true,
            "type": "md5",
            "uuid": "9b33b9dd-d1f5-44c9-9caa-cea3e7a761a7",
            "value": "7a4e2d2638a454442efb95f23df391a1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "s7otbxdx.dll - Simatic Manager DLL replacement",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771723957",
            "to_ids": true,
            "type": "sha1",
            "uuid": "a7386e28-c088-4592-9e30-f892c50f5358",
            "value": "46abf654a7f16e83fdc6af15cba0e183bbd95979",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "s7otbxdx.dll - Simatic Manager DLL replacement",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771723957",
            "to_ids": true,
            "type": "sha256",
            "uuid": "76401079-d97c-43f1-a91e-8f6d716f8fc8",
            "value": "a4270ab091360d45ad089295c8a638125f3dbc710c0af6104fa554396f4c6636",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771723248",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c6d81582-27cc-405b-9c32-01d80c6c084f",
            "value": "3072:FmbCnjfaHdRIBrsV6wBuGrkmrZkzqIIZm5bFNVd5QgLWnbn+p/1JIiXDdthu4YCl:sbHIuVBB5rqxIYZVDQg4j+eCdCX/e"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771723248",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "ea772474-ad13-4c9c-b716-8f6543b71bbc",
            "value": "298000"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771723248",
            "to_ids": true,
            "type": "vhash",
            "uuid": "95b10f55-a5f3-4f08-b5fa-f06549c82ab1",
            "value": "125056657d15155048z43=z6d"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771723248",
            "to_ids": true,
            "type": "filename",
            "uuid": "c264b1dc-77cf-4b95-83d6-adf8de0736b9",
            "value": "S7OTBLDX.DLL"
          },
          {
            "category": "Other",
            "comment": "Checked: 22/02/2026\nLast-scan: 08/04/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771723248",
            "to_ids": false,
            "type": "text",
            "uuid": "79946e60-1282-417a-8059-fb3459ab7150",
            "value": "s7otbxdx.dll - Simatic Manager DLL replacement\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Stuxnet.A\nVT Total Detection: 61/73\nFirst Submission: 2010-04-21T06:03:07.000000+00:00\nLast Submission: 2023-09-10T16:52:41.000000+00:00"
          }
        ]
      }
    ]
  }
}