{
  "Event": {
    "analysis": "1",
    "date": "2026-01-30",
    "extends_uuid": "",
    "info": "[Threat Intel] DynoWiper update: Technical analysis",
    "protected": false,
    "publish_timestamp": "1777816507",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1776743168",
    "uuid": "2346e215-b23f-4ebf-9b77-f9aecfc36701",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"ESET\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"External Proxy - T1090.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Server - T1584.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Time Discovery - T1124\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disk Content Wipe - T1561.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Shutdown/Reboot - T1529\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Poland\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Ukraine\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Energy\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Local Storage Discovery - T1680\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#190061",
        "local": false,
        "name": "rectifyq:topic=\"ics-ot\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#7f009f",
        "local": false,
        "name": "ms-caro-malware:malware-platform=\"WinNT\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"Sandworm\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770030015",
        "to_ids": false,
        "type": "link",
        "uuid": "aeddce81-c5a7-4e00-93de-d97e8fb2536a",
        "value": "https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770030015",
        "to_ids": false,
        "type": "text",
        "uuid": "bd20c198-e4ae-4528-bb45-758f6a0205fb",
        "value": "ESET researchers provide technical details on a recent data destruction incident affecting a Polish energy company. They identified new data-wiping malware named DynoWiper, attributed to the Russia-aligned threat group Sandworm with medium confidence. The tactics, techniques, and procedures observed during the DynoWiper incident resemble those seen earlier in an incident involving the ZOV wiper in Ukraine. Sandworm has a history of destructive cyberattacks, targeting various entities including energy providers. The DynoWiper samples focus on the IT environment, with no observed functionality targeting OT industrial components. The attackers deployed additional tools and attempted to use a SOCKS5 proxy. The incident represents a rare case of a Russia-aligned threat actor deploying destructive malware against an energy company in Poland."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770030015",
        "to_ids": false,
        "type": "text",
        "uuid": "a85b808a-82e5-47c1-bc0d-9a6d8f9c354a",
        "value": "Name: DynoWiper update: Technical analysis\nAuthor: AlienVault\nAdversary: Sandworm\nTags: [\"poland\", \"sting wiper\", \"dynowiper\", \"sharpnikowiper\", \"roarbat\", \"swiftslicer\", \"zov wiper\", \"arguepatch\", \"orcshred\", \"industroyer\", \"energy sector\", \"soloshred\", \"hermeticwiper\", \"zerolot\", \"hermeticransom\", \"nikowiper\", \"prestige\", \"cyberattack\", \"russia-aligned\", \"bidswipe\", \"caddywiper\", \"doublezero\", \"wiper malware\", \"data destruction\", \"industroyer2\", \"ransomboggs\", \"awfulshred\"]\nTgtd countries: [\"Poland\", \"Ukraine\"]\nMlwr families: [\"DynoWiper\", \"ZOV wiper\", \"Industroyer2 - S1072\", \"Industroyer2 - S1072\", \"HermeticWiper - S0697\", \"Trojan.Killdisk\", \"DriveSlayer\", \"HermeticRansom\", \"CaddyWiper - S0693\", \"DoubleZero\", \"ARGUEPATCH\", \"ORCSHRED\", \"SOLOSHRED\", \"AWFULSHRED\", \"Prestige - S1058\", \"RansomBoggs\", \"BidSwipe\", \"ROARBAT\", \"SwiftSlicer\", \"NikoWiper\", \"SharpNikoWiper\", \"ZEROLOT\", \"Sting wiper\"]\nAttack_ids: [\"T1053.005\", \"T1082\", \"T1003.001\", \"T1090.002\", \"T1083\", \"T1059.001\", \"T1059.003\", \"T1584.004\", \"T1105\", \"T1124\", \"T1561.001\", \"T1529\"]\nIndustries: [\"Energy\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770030015",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "59afb0dc-b228-402e-9566-9f537fef917a",
        "value": "Sandworm"
      },
      {
        "category": "Network activity",
        "comment": "SOCKS5 server.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770129001",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "682df719-816f-4680-8048-3223ad9a6607",
        "value": "31.172.71.5",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "The server is used by ProGame, a programming school for kids in Vladivostok, Russia, and was likely compromised.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770129022",
        "to_ids": true,
        "type": "domain",
        "uuid": "1148171a-7062-4418-8664-f0d6c38e21cc",
        "value": "progamevl.ru",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ZOV wiper. No sample in VT\r\nLast check:03/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770122337",
        "to_ids": true,
        "type": "sha1",
        "uuid": "97e66a9b-867b-40ac-9d72-6b78de603c0a",
        "value": "4f8e9336a784a196353023133e0f8fa54f6a92e2",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1770129043",
        "uuid": "91b4038a-58ed-429f-9fac-cac09063ad94",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Rubeus toolset for Kerberos attacks.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1770129043",
            "to_ids": true,
            "type": "md5",
            "uuid": "67b323fc-f234-49a4-addc-010edb1ac0c1",
            "value": "5249503900c735425130477649872dfb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Rubeus toolset for Kerberos attacks.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1770122331",
            "to_ids": true,
            "type": "sha1",
            "uuid": "4bc0bf74-8ac5-457c-b435-c66899da89f9",
            "value": "410c8a57fe6e09edbfebaba7d5d3e4797ca80a19",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Rubeus toolset for Kerberos attacks.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1770122331",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a2bd4b17-5ada-43f0-a854-745fcfaa6078",
            "value": "40a4b5e54fecce52c9d8ef5b2fa3973a3dd748c5bcedd7bde1154aa4a936c2e1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1770121082",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "920554b4-17b2-4909-911e-2fddadb9888c",
            "value": "12288:LmK9Wcy9bjMDPD1tyigCTW6OYycAqgGIOHH+B+gJItvs2qAaomD:LmW8fMDPD1tyigCTW6OYycAqgGIOHH+P"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1770121082",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a5efb3a9-0739-48b5-b80c-7acad299df84",
            "value": "462848"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1770121082",
            "to_ids": true,
            "type": "vhash",
            "uuid": "55691ca8-33ae-4a9b-8dbc-4dca7e83240a",
            "value": "245036551512a08dffb6001aff"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1770121082",
            "to_ids": true,
            "type": "filename",
            "uuid": "81beda48-dc1e-4fe0-a37a-e52d6ab1867e",
            "value": "Rubeus.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 03/02/2026\nLast-scan\t:  03/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1770121082",
            "to_ids": false,
            "type": "text",
            "uuid": "6ba5f227-49d2-497b-b9b8-cb191102bf22",
            "value": "Rubeus toolset for Kerberos attacks.\r\nType Description: Win32 EXE\nMicrosoft: VirTool:Win32/Kekeo.A!MTB\nVT Total Detection:55/72\nFirst Submission:2024-11-11T20:07:14.000000+00:00\nLast Submission:2025-12-18T11:38:33.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1770129065",
        "uuid": "440c7704-d0e7-481d-81d5-477b39ac1e3c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "ZOV wiper.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1770129065",
            "to_ids": true,
            "type": "md5",
            "uuid": "80fd7842-1e99-4aa4-b3cf-dfa729d3ab44",
            "value": "9d896e0e3e369c2edf1c8fb070f49c22",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ZOV wiper.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1770122332",
            "to_ids": true,
            "type": "sha1",
            "uuid": "2ad47dc8-1d27-4032-bd68-c041d115e90a",
            "value": "472ca448f82a7ff6f373a32fdb9586fd7c38b631",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ZOV wiper.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1770122333",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4a53f768-6f24-4446-990c-7d089e07633b",
            "value": "bfda142bc5c44913eed9ef1cf2a8ad07b7a71312a26e4c7c519bf1a3fedeb6a0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1770121104",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "ae90ed57-b06a-4964-9520-4f09cd0b922d",
            "value": "768:rzk/JAH3NOpcPIjz3r8hrZPfoIIp01PkECEDjnmlxm//Tl7P6q:k/2dOp4Oz3g5fiqPlScTJP6"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1770121104",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "977f2d34-ae13-4ee6-b9a9-3aa8ac5944e1",
            "value": "51200"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1770121104",
            "to_ids": true,
            "type": "vhash",
            "uuid": "592e1b99-b486-491d-8520-308a7b309844",
            "value": "054056655d15751038z52hz23z4fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1770121104",
            "to_ids": true,
            "type": "filename",
            "uuid": "2f1c6938-c22a-4737-9a02-1e0abf8671cd",
            "value": "bfda142bc5c44913eed9ef1cf2a8ad07b7a71312a26e4c7c519bf1a3fedeb6a0.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 03/02/2026\nLast-scan\t:  03/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1770121104",
            "to_ids": false,
            "type": "text",
            "uuid": "91777b4a-db17-4be5-adbf-cf6acb2105d4",
            "value": "ZOV wiper.\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Etset!rfn\nVT Total Detection:47/72\nFirst Submission:2025-11-28T20:19:48.000000+00:00\nLast Submission:2026-02-01T06:44:35.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1770129086",
        "uuid": "f48fb513-1bb3-4ae5-8c0a-f740bcdcc2b6",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "DynoWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1770129086",
            "to_ids": true,
            "type": "md5",
            "uuid": "fb56da24-c425-4105-be79-8b7ea5985569",
            "value": "a727362416834fa63672b87820ff7f27",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DynoWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1770122333",
            "to_ids": true,
            "type": "sha1",
            "uuid": "1c0f074a-5cae-4b30-a8fa-e3a77c787239",
            "value": "4ec3c90846af6b79ee1a5188eefa3fd21f6d4cf6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DynoWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1770122334",
            "to_ids": true,
            "type": "sha256",
            "uuid": "5904f662-bbae-40d6-94c2-631d89b897c1",
            "value": "835b0d87ed2d49899ab6f9479cddb8b4e03f5aeb2365c50a51f9088dcede68d5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1770121126",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "9e578807-d332-4254-9684-b9a0b810e5f8",
            "value": "3072:fT4SpKtaWp+id2jJgc43l4l2tgQyRUJWXBVDhDq2:r4SMtaz0l1fHyaoThDR"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1770121126",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "e6482c8d-0a6a-4645-a286-a4fccb104ac6",
            "value": "167424"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1770121126",
            "to_ids": true,
            "type": "vhash",
            "uuid": "c125575b-ec43-4f5f-8b96-1a29b5654dd0",
            "value": "015056651d15556038z4enz1fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1770121126",
            "to_ids": true,
            "type": "filename",
            "uuid": "4dffd55a-8dd4-4d71-b944-32d79a2924e5",
            "value": "835b0d87ed2d49899ab6f9479cddb8b4e03f5aeb2365c50a51f9088dcede68d5.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 03/02/2026\nLast-scan\t:  03/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1770121126",
            "to_ids": false,
            "type": "text",
            "uuid": "759f234b-4b29-49be-98f6-bdadc50aac3e",
            "value": "DynoWiper\r\nType Description: Win32 EXE\nMicrosoft: DoS:Win32/WprLandblan!rfn\nVT Total Detection:49/72\nFirst Submission:2026-01-30T10:35:33.000000+00:00\nLast Submission:2026-01-31T13:47:02.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1770129107",
        "uuid": "4b79f355-058f-4a93-863a-9492e6baf765",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "DynoWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1770129107",
            "to_ids": true,
            "type": "md5",
            "uuid": "814e902a-5042-4119-90c3-167b1b3edf6f",
            "value": "c4379da51e8b9e86ec3de934f9373f4a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DynoWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1770122334",
            "to_ids": true,
            "type": "sha1",
            "uuid": "13fc9a1f-d58c-4c89-b3f6-266f204194c0",
            "value": "69ede7e341fd26fa0577692b601d80cb44778d93",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DynoWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1770122335",
            "to_ids": true,
            "type": "sha256",
            "uuid": "0453d85b-53cd-4b83-a31c-cca0425069af",
            "value": "d1389a1ff652f8ca5576f10e9fa2bf8e8398699ddfc87ddd3e26adb201242160",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1770121170",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "17afab3d-3521-48eb-bd39-7b3f4c7d5a29",
            "value": "1536:AIlx+cpS8+c48t3UjpGyAgGsu0X55l1tSsHGVIdWQe7AtaCxc2BGywukCbg6DjcA:AaSz8tkNn9/Nc3mECxd8eD9yUS70V8E"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1770121170",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "26be6585-1891-493a-bda7-2aa3dc7f4950",
            "value": "167424"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1770121170",
            "to_ids": true,
            "type": "vhash",
            "uuid": "7d885820-da9e-4d4a-ad9e-7c91af45b0ec",
            "value": "015056651d15556az4e!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1770121170",
            "to_ids": true,
            "type": "filename",
            "uuid": "fe645c3b-2836-4438-9256-a87516633d31",
            "value": "d1389a1ff652f8ca5576f10e9fa2bf8e8398699ddfc87ddd3e26adb201242160.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-02-03\nLast scan: 2026-02-03",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1770121170",
            "to_ids": false,
            "type": "text",
            "uuid": "53d47985-b2ab-45c7-a949-8da8723a868a",
            "value": "DynoWiper\nType Description: Win32 EXE\nMicrosoft: DoS:Win32/WprLandblan.B!dha\nVT Total Detection: 41/72\nFirst Submission: 2026-01-30T10:35:54.000000+00:00\nLast Submission: 2026-01-31T07:46:26.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1770129129",
        "uuid": "ddee564d-edcf-4a15-9e45-96adbff9eccd",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "DynoWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1770129129",
            "to_ids": true,
            "type": "md5",
            "uuid": "0ad01916-e45e-44f0-96be-0afcbe446fee",
            "value": "75fec5afb2deebab6dd9c16d9de35032",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DynoWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1770122335",
            "to_ids": true,
            "type": "sha1",
            "uuid": "ff4b9800-f242-4b44-a131-fb70f24bcc28",
            "value": "86596a5c5b05a8bfbd14876de7404702f7d0d61b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DynoWiper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1770122336",
            "to_ids": true,
            "type": "sha256",
            "uuid": "48b9b009-84b1-4b9f-9981-718a2e166094",
            "value": "60c70cdcb1e998bffed2e6e7298e1ab6bb3d90df04e437486c04e77c411cae4b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1770121191",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "71d30cff-25d6-4b2d-929f-c2ea13e2ca83",
            "value": "1536:RI5x+cpS8+c48t3UjpGyAgGsu0X55l1tSsHGVIdWQe7AtaCxc2BGywukCbg+DjcX:R2Sz8tkNn9/Nc3mECxd8iD9yUS7vV8E"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1770121191",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f34cb216-e9a8-439c-ab94-0c54d0042bd0",
            "value": "167424"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1770121191",
            "to_ids": true,
            "type": "vhash",
            "uuid": "fd3f05cc-b349-47f2-a77f-e7898d1306bb",
            "value": "015056651d15556az4e!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1770121191",
            "to_ids": true,
            "type": "filename",
            "uuid": "f0651524-54e7-41ca-9a94-0bb23b8ba78d",
            "value": "60c70cdcb1e998bffed2e6e7298e1ab6bb3d90df04e437486c04e77c411cae4b.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-02-03\nLast scan: 2026-02-03",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1770121191",
            "to_ids": false,
            "type": "text",
            "uuid": "aad90fa4-a1ae-4df0-a59f-63c23752fdf8",
            "value": "DynoWiper\nType Description: Win32 EXE\nMicrosoft: DoS:Win32/WprLandblan.C!dha\nVT Total Detection: 46/72\nFirst Submission: 2026-01-30T10:36:02.000000+00:00\nLast Submission: 2026-01-31T07:38:24.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1770129151",
        "uuid": "5817b5c3-6571-4442-9b59-84f3ae1f67d1",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "rsocx SOCKS5 proxy tool.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1770129151",
            "to_ids": true,
            "type": "md5",
            "uuid": "561ee401-0643-4681-b8a7-a2f8f4197fa8",
            "value": "f5271a6d909091527ed9f30eafa0ded6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "rsocx SOCKS5 proxy tool.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1770122336",
            "to_ids": true,
            "type": "sha1",
            "uuid": "06cffb2f-5178-4481-8922-b4e96d77a227",
            "value": "9ec4c38394ea2048ca81d48b1bd66de48d8bd4e8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "rsocx SOCKS5 proxy tool.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1770122337",
            "to_ids": true,
            "type": "sha256",
            "uuid": "e27e2bb1-6b3c-4047-8748-e1542a92e303",
            "value": "648c2067ef3d59eb94b54c43e798707b030e0383b3651bcc6840dae41808d3a9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1770121213",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f68f9504-31d3-42c6-b834-ef8969ed8bb3",
            "value": "6144:qmX5EsKQpVx8YTVvW16emzegNlOlF9U4LqVuW0C8ZD78nSHkh:pJEsKUVxlvW1yzPNglvUeAuW0COInIU"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1770121213",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "23b9a712-6830-445a-a07a-e1a81c6dbeb3",
            "value": "307200"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1770121213",
            "to_ids": true,
            "type": "vhash",
            "uuid": "ee4f5228-44f2-4b1f-93d8-0c609a1c8dca",
            "value": "03503e0f7d1019z43z1pz17z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1770121213",
            "to_ids": true,
            "type": "filename",
            "uuid": "283398bb-e38c-4c91-890c-3a8aa04a46c1",
            "value": "parser.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-02-03\nLast scan: 2026-02-03",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1770121213",
            "to_ids": false,
            "type": "text",
            "uuid": "28ccfacd-f59f-4349-bdfd-66624e2fc5cc",
            "value": "rsocx SOCKS5 proxy tool.\nType Description: Win32 EXE\nMicrosoft: HackTool:Win32/Malgent!MSR\nVT Total Detection: 43/72\nFirst Submission: 2022-07-16T16:47:36.000000+00:00\nLast Submission: 2025-11-21T09:58:21.000000+00:00"
          }
        ]
      }
    ]
  }
}