{
  "Event": {
    "analysis": "1",
    "date": "2018-10-03",
    "extends_uuid": "",
    "info": "[Threat Intel] ANATOMY OF AN ATTACK: DETECTING AND DEFEATING CRASHOVERRIDE",
    "protected": false,
    "publish_timestamp": "1772418897",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1772418894",
    "uuid": "357c7a82-78fd-49cb-876e-38d2d738dccb",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"Dragos\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Industroyer\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-software=\"Industroyer\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-assets=\"Engineering Workstation\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-assets=\"Field Controller/RTU/PLC/IED\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-assets=\"Human-Machine Interface\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Data Destruction\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"Sandworm\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Ukraine\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#190061",
        "local": false,
        "name": "rectifyq:topic=\"ics-ot\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#f63636",
        "local": false,
        "name": "ICS-specific",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Industrial\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772244373",
        "to_ids": false,
        "type": "link",
        "uuid": "4c57e1e5-bd14-4097-8fc2-38e9a952f13d",
        "value": "https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Slowik.pdf"
      },
      {
        "category": "Payload delivery",
        "comment": "Runs ufn.vbs and sqlc.vbs, copies 101 payloads to specified hosts. No sample in VT\r\nLast check: 01/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772336998",
        "to_ids": true,
        "type": "sha256",
        "uuid": "868d9d37-ba59-4c2a-8d08-ed840629f9f4",
        "value": "a95f6d43e62a5cfb4e95667df9b04d07b60d103b36f4cff12c07e7c2dab88a98",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Runs sqlc.vbs, configures ImapiService. No sample in VT\r\nLast check: 01/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772336999",
        "to_ids": true,
        "type": "sha256",
        "uuid": "f6b06373-40fc-454b-aced-7d98c2bea065",
        "value": "07d5d5ba8cd17efab2ebf3b76cb6b61825249518c11c3910ceb6473e0efb3deb",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Runs ufn.vbs and sqlc.vbs, copies 104 payloads to specified hosts. No sample in VT\r\nLast check: 01/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772337000",
        "to_ids": true,
        "type": "sha256",
        "uuid": "971f80f3-96d5-47bc-919d-18892a8fe26e",
        "value": "693c631f1673bd61135080e9b4759342c5835d20231f6f4f7b55117fda111e4f",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "System recon. No sample in VT\r\nLast check: 01/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772337001",
        "to_ids": true,
        "type": "sha256",
        "uuid": "0b06f9e0-8c0c-4a75-b0a3-9d32aea41e46",
        "value": "fb5bbea0f1acfcf123979e4c615d54474c4f079276ee3828f5b8613bb3bbdf26",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772244893",
        "to_ids": false,
        "type": "link",
        "uuid": "d0a0d023-17f8-4be9-898e-f84bbf1d861d",
        "value": "https://web.archive.org/web/20200615175701/https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772337005",
        "uuid": "3c3af117-a44c-4888-8c1f-5545a89467d4",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "104 effects module",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772337005",
            "to_ids": true,
            "type": "md5",
            "uuid": "3ff56f2b-435b-49b2-8854-0ae3008d89a7",
            "value": "a193184e61e34e2bc36289deaafdec37",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "104 effects module",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772336963",
            "to_ids": true,
            "type": "sha1",
            "uuid": "6f578fd7-3a61-4514-be39-abf91fa28011",
            "value": "94488f214b165512d2fc0438a581f5c9e3bd4d4c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "104 effects module",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772336963",
            "to_ids": true,
            "type": "sha256",
            "uuid": "22ab2432-c788-4b13-b97c-a71637f30cca",
            "value": "7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772336258",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "5aa79e02-1e8b-4100-81f9-ff5bcadde760",
            "value": "3072:McaprOfoaXmgD31r4VWBvRZoiTprUZNZ9VQ6s6W9:McuOJ2gD31QW51pgE6st9"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772336258",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "92ff82de-182d-496f-b454-1a8d8e7c27e9",
            "value": "136704"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772336258",
            "to_ids": true,
            "type": "vhash",
            "uuid": "19f0ab9a-16ca-4ed9-aada-7bee3b73ed5a",
            "value": "115066655d1515556az4dvza6z1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772336258",
            "to_ids": true,
            "type": "filename",
            "uuid": "f244073e-56d7-4760-b47e-0b85774f4442",
            "value": "fxrhgtw.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan\t:  24/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772336258",
            "to_ids": false,
            "type": "text",
            "uuid": "7e532ab5-1c0a-4efd-9fda-021a2a403e24",
            "value": "104 effects module\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/CrashOverride.A\nVT Total Detection:57/72\nFirst Submission:2016-12-19T10:06:04.000000+00:00\nLast Submission:2026-02-28T06:57:02.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772337026",
        "uuid": "37feaf2d-9ec7-43d0-a42c-2e05896bd572",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "61850 effects module - DLL variant",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772337026",
            "to_ids": true,
            "type": "md5",
            "uuid": "3c1185fd-5279-4434-8818-768724bb3a48",
            "value": "f73188706e0bdc1877ad77eb723c2eba",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "61850 effects module - DLL variant",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772336965",
            "to_ids": true,
            "type": "sha1",
            "uuid": "bcd2457d-602c-4e32-a082-eca2aa4dbb0d",
            "value": "8a638f7b653bb368df1c21f16a908fc80fd01a49",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "61850 effects module - DLL variant",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772336965",
            "to_ids": true,
            "type": "sha256",
            "uuid": "0421e891-d9ea-4b79-9f64-474c3c0708fb",
            "value": "4e7d2b269088c1575a31668d86de95fd3dde6caa88051d7ec110f7f150058789",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772336301",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "80a75ded-3dcf-4966-8f91-369bf84c03f5",
            "value": "3072:vd9844Uv3H4giLZQQd1VbsmlAg0FujUQ8azV:lr3H4hLL/lAOZzV"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772336301",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "9516ec1f-2076-4bd4-9dcc-c80da5e3939d",
            "value": "136192"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772336301",
            "to_ids": true,
            "type": "vhash",
            "uuid": "be8a3592-e6a0-430b-aea3-597727797724",
            "value": "115076655d151d15556az4bnz15zf6z1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772336301",
            "to_ids": true,
            "type": "filename",
            "uuid": "2e0690f5-a7d5-464b-8b91-87699003e3a9",
            "value": "ph80unzx.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan\t:  28/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772336301",
            "to_ids": false,
            "type": "text",
            "uuid": "1301aaf3-72fa-4863-8cc4-d4d637bf73c0",
            "value": "61850 effects module - DLL variant\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/CrashOverride!dha\nVT Total Detection:48/72\nFirst Submission:2020-03-07T23:02:17.000000+00:00\nLast Submission:2026-02-28T06:55:33.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772337047",
        "uuid": "4dc0cb78-f7b0-4f82-88e0-27f357fc78ce",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "61850 effects module - EXE variant",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772337047",
            "to_ids": true,
            "type": "md5",
            "uuid": "de808203-d4a3-4edc-b0c8-b1d8bd1f560c",
            "value": "75c7e63c1389337aefe1170f7ccc1822",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "61850 effects module - EXE variant",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772336966",
            "to_ids": true,
            "type": "sha1",
            "uuid": "8bd5677e-8286-4220-8991-d72ee031441f",
            "value": "ecf6adf20a7137a84a1b319ccaa97cb0809a8454",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "61850 effects module - EXE variant",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772336966",
            "to_ids": true,
            "type": "sha256",
            "uuid": "3bd6fd66-762b-41ac-b79e-759bbb33f9fb",
            "value": "55e7471ad841bd8a110818760ea89af3bb456493f0798a54ce3b8e7b790afd0a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772336323",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "5ed835fe-b5c8-4e8d-8bc2-f25561c2dc18",
            "value": "3072:pTZuWpPwr7jPlHA9azECvXgEHAg0FujUORYws:RZu7r7TSwHAOZYw"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772336323",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "568d86b7-9447-450e-87e5-7d39fa9e5bbe",
            "value": "136704"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772336323",
            "to_ids": true,
            "type": "vhash",
            "uuid": "b8e3bc77-50bb-479c-88f7-81435d279210",
            "value": "015076655d151d15556az4anz15zf7z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772336323",
            "to_ids": true,
            "type": "filename",
            "uuid": "31aecf45-7d9c-482a-b602-b8249b9a35a7",
            "value": "\u751f\u7522.js"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan\t:  26/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772336323",
            "to_ids": false,
            "type": "text",
            "uuid": "287c9573-fa94-4057-a237-107a51d51245",
            "value": "61850 effects module - EXE variant\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride!dha\nVT Total Detection:47/72\nFirst Submission:2021-03-17T05:59:44.000000+00:00\nLast Submission:2021-03-17T05:59:44.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772337069",
        "uuid": "aebbf37a-7eda-42e8-a481-a45e88e26be8",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Primary backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772337069",
            "to_ids": true,
            "type": "md5",
            "uuid": "e8b0faa2-16d0-49cd-9ddd-4380889bc6e8",
            "value": "11a67ff9ad6006bd44f08bcc125fb61e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Primary backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772336967",
            "to_ids": true,
            "type": "sha1",
            "uuid": "d65b05f1-a50c-4dc8-bbdb-3cff76d1b798",
            "value": "8e39eca1e48240c01ee570631ae8f0c9a9637187",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Primary backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772336967",
            "to_ids": true,
            "type": "sha256",
            "uuid": "d7bea21f-00b5-4dd8-9dc9-8abf04339cdf",
            "value": "3e3ab9674142dec46ce389e9e759b6484e847f5c1e1fc682fc638fc837c13571",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772336344",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "fb1ab86b-c4cb-46b3-a50e-387df8ba06de",
            "value": "1536:65kQyQKkuX+tRahJBQknNpZj5OnBFAjzfNT36Akr8fMDQJ9sWm4CfcdIcNhBE1:65kQyQKkuX+tA7j5OBWHVTqJrrDwPCOu"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772336344",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "ac8f3521-ac3b-4ca5-9d33-2fdf747c3f70",
            "value": "88576"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772336344",
            "to_ids": true,
            "type": "vhash",
            "uuid": "cd368e04-846e-4e35-9795-90ba105a2ebe",
            "value": "084066655d151555619z58hz2020102fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772336344",
            "to_ids": true,
            "type": "filename",
            "uuid": "ee766bb4-8267-479e-bd87-39dadf80c292",
            "value": "usw4eo.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan\t:  06/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772336344",
            "to_ids": false,
            "type": "text",
            "uuid": "d681fc29-4663-44f7-85b6-af4dcb64be4a",
            "value": "Primary backdoor\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride.A!dha\nVT Total Detection:62/72\nFirst Submission:2016-12-18T14:05:39.000000+00:00\nLast Submission:2026-02-27T08:21:46.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772337090",
        "uuid": "7314e387-a882-46a7-b393-aede5485af6a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Primary backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772337090",
            "to_ids": true,
            "type": "md5",
            "uuid": "b90c5148-3f2a-43b4-9cdc-accf28f7d101",
            "value": "f67b65b9346ee75a26f491b70bf6091b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Primary backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772336969",
            "to_ids": true,
            "type": "sha1",
            "uuid": "b94541cc-95ee-4e03-aa76-51a50d13ffe0",
            "value": "f6c21f8189ced6ae150f9ef2e82a3a57843b587d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Primary backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772336969",
            "to_ids": true,
            "type": "sha256",
            "uuid": "2cf0517e-ed95-4dc9-839b-00593fa14032",
            "value": "37d54e3d5e8b838f366b9c202f75fa264611a12444e62ae759c31a0d041aa6e4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772336366",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "6f3028b9-be61-4446-90cd-f2d4ebf18799",
            "value": "192:7YmE5zgvM3cGfjnhDVYPp6GSDyBESi3eiKxWvJCDpFnTZ0k:7YVgk3VjnFVRJp39GWJCDpFTZ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772336366",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4488cbc4-7cbb-4764-936f-46d079882fac",
            "value": "10752"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772336366",
            "to_ids": true,
            "type": "vhash",
            "uuid": "1bec9d7d-d61b-4317-80a9-289b7d7f7328",
            "value": "014056551d055550d8z27hz2020102fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772336366",
            "to_ids": true,
            "type": "filename",
            "uuid": "fac9a266-982b-4d18-a73e-9521beff492a",
            "value": "2max4.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan\t:  11/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772336366",
            "to_ids": false,
            "type": "text",
            "uuid": "82cd9676-3ad5-4e2b-adca-779ef848a996",
            "value": "Primary backdoor\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride.A!dha\nVT Total Detection:62/72\nFirst Submission:2016-12-20T09:21:17.000000+00:00\nLast Submission:2025-07-20T07:34:06.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772337111",
        "uuid": "ebd7f295-9114-49ee-bd5a-0f936f947f1d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Primary backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772337111",
            "to_ids": true,
            "type": "md5",
            "uuid": "1ddab739-cb23-4612-a762-9d933e4952f4",
            "value": "f01db1e908c9a832a936724493a372c3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Primary backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772336970",
            "to_ids": true,
            "type": "sha1",
            "uuid": "8181476a-2b32-4df3-b40a-983769bd4c69",
            "value": "0278e270f195e4c583e9e3718f0e098c1571b4be",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Primary backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772336970",
            "to_ids": true,
            "type": "sha256",
            "uuid": "08a9ca0f-9fb8-4298-88f3-01144f8a320b",
            "value": "41658472df4074a0a2a2298ba3f17e0b17112fed99e495bf34dac138d6f7b247",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772336387",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c70ca7d4-7583-453d-a028-90dda092b7b3",
            "value": "192:7YmE5zgvM3cGfjn8QlYvpKGSDyBEii3eeKxWvJCDpFnTZ0k:7YVgk3VjnBlhJZ31GWJCDpFTZ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772336387",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "bdf5dfb9-9670-434c-82b1-a4bb780024b8",
            "value": "10752"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772336387",
            "to_ids": true,
            "type": "vhash",
            "uuid": "70f8aac5-5369-4e72-8e02-12edd2dea064",
            "value": "014056551d055550d8z27hz2020102fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772336387",
            "to_ids": true,
            "type": "filename",
            "uuid": "02d5ddb5-f09f-4120-b441-ea8adb761ad1",
            "value": "avtask2.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan\t:  21/08/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772336387",
            "to_ids": false,
            "type": "text",
            "uuid": "479a3a1d-a106-4f1e-9f27-2cb56c8fbc5c",
            "value": "Primary backdoor\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Multiverze\nVT Total Detection:62/72\nFirst Submission:2021-03-17T06:00:40.000000+00:00\nLast Submission:2021-03-17T06:00:40.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772337132",
        "uuid": "bd333f2a-46bc-4bc5-a5c8-db4b62f45069",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Primary backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772337132",
            "to_ids": true,
            "type": "md5",
            "uuid": "a8683e61-149a-4a7a-b86c-33b985e866fc",
            "value": "8049c6f56ebfd86578f41025790ed143",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Primary backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772336971",
            "to_ids": true,
            "type": "sha1",
            "uuid": "802209e2-f832-4602-9189-33bc88443455",
            "value": "e194107999db29be68d3c288267f1338f0d7bd5c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Primary backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772336971",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4ea21548-3b52-4796-8182-9a819b0315bf",
            "value": "502402f8568359645d50f1d6e58ab927f05702f6220b60767897b3912b761b99",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772336409",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "128b58a4-1762-4f04-8098-5fa0678c4203",
            "value": "192:gYmE5zgvM3cGfjnxVYPp6GSDyBESi3eSKxWvJCDpFnTZ0k:gYVgk3VjnxVRJp3RGWJCDpFTZ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772336409",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7f89c5a9-6ce4-427f-af53-8ae77f9b7d8a",
            "value": "10752"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772336409",
            "to_ids": true,
            "type": "vhash",
            "uuid": "049c5b8e-1a8d-447d-b2de-0f8e5f922f21",
            "value": "014056551d055550d8z27hz2020102fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772336409",
            "to_ids": true,
            "type": "filename",
            "uuid": "b702e7aa-2dae-42bb-b928-a97b6b454de1",
            "value": "c.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan\t:  02/08/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772336409",
            "to_ids": false,
            "type": "text",
            "uuid": "e6775273-e857-41d1-9301-93191d45c6a9",
            "value": "Primary backdoor\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride.A!dha\nVT Total Detection:61/72\nFirst Submission:2021-03-17T06:00:43.000000+00:00\nLast Submission:2021-03-17T06:00:43.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772337154",
        "uuid": "382cfe6a-55f0-4065-b1a4-51e2445a91be",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Backdoor NOTEPAD variant",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772337154",
            "to_ids": true,
            "type": "md5",
            "uuid": "78affabc-6ad7-4648-964b-bdcab5263f83",
            "value": "4fcb25687f3da9debeec6c65b2714689",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Backdoor NOTEPAD variant",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772336972",
            "to_ids": true,
            "type": "sha1",
            "uuid": "cbf0d969-f7cc-4273-96dd-7ea161484b8a",
            "value": "4841722f3033eac5f879839a8d1192472bed4d54",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Backdoor NOTEPAD variant",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772336972",
            "to_ids": true,
            "type": "sha256",
            "uuid": "2bb4fa51-f2ba-4fbe-a976-6d3f8fb1e832",
            "value": "f6e62b1d75d91171ab30e8985189ea5aacd947c887222fdb58acbc2db2542f64",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772336431",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "1fd38270-d3bc-4233-95f6-93c7292bcdbe",
            "value": "1536:owOnbNQKWKWDyy1o5I0foMJUEbooPRrKKReFX338:iNQKWKWDyDI0fFJltZrpReFX3M"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772336431",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "0e37ef49-db8f-4bf8-8ce4-4a09633cf528",
            "value": "74240"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772336431",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d38d3a99-03e3-4cfd-8041-668489f33372",
            "value": "0740366d1550701090018003916fz42z4afz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772336431",
            "to_ids": true,
            "type": "filename",
            "uuid": "2bfeb984-760c-4ef1-8121-d02bff727bd4",
            "value": "NOTEPAD.EXE"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan\t:  27/07/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772336431",
            "to_ids": false,
            "type": "text",
            "uuid": "8e5dccbb-7bcc-4d30-b786-a91f01b3f9f0",
            "value": "Backdoor NOTEPAD variant\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Meterpreter!rfn\nVT Total Detection:48/72\nFirst Submission:2021-03-17T06:00:45.000000+00:00\nLast Submission:2021-03-17T06:00:45.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772337175",
        "uuid": "0a8512e4-e19d-40e3-8ef5-6d4be8658a55",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Backdoor NOTEPAD variant",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772337175",
            "to_ids": true,
            "type": "md5",
            "uuid": "72ef9653-1e08-404d-8f09-ba80272b264a",
            "value": "09fc87a5c5cd10b0fe0c7b5bb56f53c6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Backdoor NOTEPAD variant",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772336973",
            "to_ids": true,
            "type": "sha1",
            "uuid": "abe3a19a-42f9-4f40-97c3-0dd09d509c7b",
            "value": "ccf35f644fcbe86555c3faca38a83ddb50185087",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Backdoor NOTEPAD variant",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772336974",
            "to_ids": true,
            "type": "sha256",
            "uuid": "df7e1205-ee9b-40c8-ac24-91d5333ff38a",
            "value": "767b078645baef34cfb366a41df8fe65bcce597c2bc9c08cae063d287f7a8011",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772336452",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "23926338-7f27-4972-950d-0275b619098d",
            "value": "1536:kwOnbNQKx/YWDyy1o5I0foMJUEbooPRrKKReFX39QrZH:WNQKxQWDyDI0fFJltZrpReFX39"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772336452",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "c3329e83-1f58-4c87-adf7-d836d4872829",
            "value": "74240"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772336452",
            "to_ids": true,
            "type": "vhash",
            "uuid": "154df3e4-bb3b-4e2d-8b7b-ee7ba6918313",
            "value": "0740366d1550701090018003916fz42z4afz"
          },
          {
            "category": "Payload delivery",
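            "comment": "Same name as the legitimate Windows Notepad binary; a name-only match is not evidence of this sample. Confirm against the md5/sha1/sha256 in this object.",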
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772336452",
            "to_ids": true,
            "type": "filename",
            "uuid": "a3fb0ddd-5544-49e0-b1a5-08c72d47a00a",
            "value": "NOTEPAD.EXE"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan\t:  09/08/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772336452",
            "to_ids": false,
            "type": "text",
            "uuid": "fe81cca0-5694-46be-aef2-89d94b879af5",
            "value": "Backdoor NOTEPAD variant\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Meterpreter!rfn\nVT Total Detection:45/72\nFirst Submission:2021-03-17T06:00:46.000000+00:00\nLast Submission:2021-03-17T06:00:46.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772337196",
        "uuid": "b063bb3e-c194-41fb-bc24-601da74dcc47",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Backdoor NOTEPAD variant",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772337196",
            "to_ids": true,
            "type": "md5",
            "uuid": "3dbf403d-352f-4982-b31b-f1089eae122d",
            "value": "19c207f21473a1b69f91c96fed96ce84",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Backdoor NOTEPAD variant",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772336975",
            "to_ids": true,
            "type": "sha1",
            "uuid": "951b71b6-5de9-40c8-93dd-3968274fbf57",
            "value": "26f3d7c2797c80e884e741f084c94de82ae49df7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Backdoor NOTEPAD variant",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772336975",
            "to_ids": true,
            "type": "sha256",
            "uuid": "d32037ab-ecec-4631-8233-19934a8ffb15",
            "value": "9860c3d30233c7f1c6631caefa2b6632a01b2b729909bc0dd894c5b418b4eb1b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772336474",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "8420e907-35bb-4f91-822f-d822c2a73c93",
            "value": "1536:fwOnbNQKLNAEWDyy1o5I0foMJUEbooPRrKKReFX3aEPX:tNQKLNAEWDyDI0fFJltZrpReFX3aEPX"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772336474",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4ddcae5a-69ad-4d0d-a0ad-241fd9f15fac",
            "value": "74240"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772336474",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d3bff08b-b901-4192-9016-d5f0a2d0051e",
            "value": "0740366d1550701090018003916fz42z4afz"
          },
          {
            "category": "Payload delivery",
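            "comment": "Same name as the legitimate Windows Notepad binary; a name-only match is not evidence of this sample. Confirm against the md5/sha1/sha256 in this object.",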
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772336474",
            "to_ids": true,
            "type": "filename",
            "uuid": "1145cb38-86b7-4ec8-93b9-8faf6c1ac140",
            "value": "NOTEPAD.EXE"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan\t:  03/11/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772336474",
            "to_ids": false,
            "type": "text",
            "uuid": "30ce1b1b-db15-49af-8486-e83250540f41",
            "value": "Backdoor NOTEPAD variant\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Ymacco.AA98\nVT Total Detection:45/72\nFirst Submission:2021-03-17T06:00:47.000000+00:00\nLast Submission:2021-07-15T14:31:29.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772337218",
        "uuid": "fba5fba1-d7d2-4615-a24d-c19c60ad464b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Launcher module",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772337218",
            "to_ids": true,
            "type": "md5",
            "uuid": "b44ba2b5-df9e-49aa-a605-ae46896f15d6",
            "value": "f9005f8e9d9b854491eb2fbbd06a16e0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Launcher module",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772336976",
            "to_ids": true,
            "type": "sha1",
            "uuid": "273a3500-34b7-469b-b308-cdd1e2db55b7",
            "value": "79ca89711cdaedb16b0ccccfdcfbd6aa7e57120a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Launcher module",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772336976",
            "to_ids": true,
            "type": "sha256",
            "uuid": "243349cd-5576-4aea-a125-dc3c154616fb",
            "value": "21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772336496",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "4b487c29-6334-473f-9a53-079fe2b25b06",
            "value": "1536:1730kyqC5KnUjdA6j/WZW9UaBECv6lQJnCsW1wnLcd2AhNs6Qaw:dnUjKm+49UaCCkwvna2AhNsNT"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772336496",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "788878a6-4ae8-4263-b8d3-8d343675bec8",
            "value": "74240"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772336496",
            "to_ids": true,
            "type": "vhash",
            "uuid": "57af007b-54f9-4ef5-ab10-0ca0ca3f5d5e",
            "value": "074066655d1515556038z51hz1lz"
          },
          {
            "category": "Payload delivery",
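            "comment": "Name is this object's sha256 value plus .exe, which looks like a sample-repository storage name rather than an on-host file name; prefer the hashes for detection.",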
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772336496",
            "to_ids": true,
            "type": "filename",
            "uuid": "f74af1f5-8fa2-44b9-b84d-f2fcd676c85c",
            "value": "21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan\t:  06/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772336496",
            "to_ids": false,
            "type": "text",
            "uuid": "adffd647-aabb-4bd5-a407-6aed65862953",
            "value": "Launcher module\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride.A\nVT Total Detection:60/72\nFirst Submission:2016-12-19T09:47:05.000000+00:00\nLast Submission:2025-12-15T13:19:14.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772337239",
        "uuid": "5181894a-ce64-40db-b8d2-da8207abd9fd",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Siemens SIPROTEC DoS module",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772337239",
            "to_ids": true,
            "type": "md5",
            "uuid": "7fdf9b23-dece-4870-b4c1-454374d441b5",
            "value": "5dd4dacb7aea5ff182ea0d7eb8ee035d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Siemens SIPROTEC DoS module",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772336977",
            "to_ids": true,
            "type": "sha1",
            "uuid": "51c9050e-a9e1-48f2-be21-fc47c4f58a22",
            "value": "82d96268c6679f30b40d0eaade50efc4e15a63a4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Siemens SIPROTEC DoS module",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772336977",
            "to_ids": true,
            "type": "sha256",
            "uuid": "cb364259-2378-49c0-a3be-775a9992c5b8",
            "value": "4587ccfecc9a1ff5c5538a3475409ca1687d304bcde252077a119c436296857b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772336518",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "17612b2c-7dd1-454d-962a-740c9e0f7215",
            "value": "3072:pY7F8YDhOIq4xJpHXTHSwVnZXYkQedAFjK2rWV:pinQ+vpHXT7pUDaV"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772336518",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "62d8d425-95b9-48ec-988e-52b9bb4e2dcd",
            "value": "99328"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772336518",
            "to_ids": true,
            "type": "vhash",
            "uuid": "5bcd7b19-01e8-4503-a350-ec9841fd8124",
            "value": "094066655d1515556az3fvz97z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772336518",
            "to_ids": true,
            "type": "filename",
            "uuid": "737a53cf-5e18-402c-a098-ad88d06bc751",
            "value": "3A570AE7.vsc"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan\t:  16/11/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772336518",
            "to_ids": false,
            "type": "text",
            "uuid": "aef73e2e-98df-4879-bbe6-4da3e5625708",
            "value": "Siemens SIPROTEC DoS module\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride!dha\nVT Total Detection:55/72\nFirst Submission:2019-03-05T16:00:37.000000+00:00\nLast Submission:2023-07-31T22:44:50.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772337261",
        "uuid": "d53c9825-3ee4-4942-9287-13ae1de7b902",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Primary backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772337261",
            "to_ids": true,
            "type": "md5",
            "uuid": "da60a850-6a7c-42f2-83dc-deb08ad57b78",
            "value": "35d3784c786814b3be91ac2307b3564f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Primary backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772336978",
            "to_ids": true,
            "type": "sha1",
            "uuid": "2dd4e1ed-0c3b-45e2-9856-418169c53950",
            "value": "b25d9560f7de743907871c6e03626a5aa918f3c6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Primary backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772336978",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1f044e2d-4b91-4d3c-83fc-48c48f787d0b",
            "value": "3ca252fb405c83cceea25041c3f1c01bead8f1afe0144f8cdee795bb868a903d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772336539",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "5dd3fea2-e57e-4454-9a8d-c70bbb7702ed",
            "value": "192:QYmE5zgvM3cGfjntdYOapCGSDyBE+di3eIKxWvJCDpFnTZ0k:QYVgk3VjntdfhJ+03XGWJCDpFTZ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772336539",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "14cab5d5-408f-47db-b227-468b171dad43",
            "value": "10752"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772336539",
            "to_ids": true,
            "type": "vhash",
            "uuid": "985ce298-c92f-48c6-a7d4-16e33f267ec6",
            "value": "014056551d055550d8z27hz2020102fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772336539",
            "to_ids": true,
            "type": "filename",
            "uuid": "91fb8753-51c1-4d3b-a70c-216481fa4485",
            "value": "ep.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan: 24/08/2025 (dates are DD/MM/YYYY)",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772336539",
            "to_ids": false,
            "type": "text",
            "uuid": "d9ed02ed-f4c2-4707-9bb8-3d51de1895e4",
            "value": "Primary backdoor\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride.A!dha\nVT Total Detection:64/72\nFirst Submission:2021-03-17T06:00:52.000000+00:00\nLast Submission:2021-03-17T06:00:52.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772337282",
        "uuid": "04498508-bc62-4e14-aef0-eb4e9d8ec526",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Destructive module",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772337282",
            "to_ids": true,
            "type": "md5",
            "uuid": "7bf95692-1b06-4d8f-88a6-13a66a6d30e1",
            "value": "ab17f2b17c57b731cb930243589ab0cf",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Destructive module",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772336980",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7f2172d7-e885-4d05-902c-4d2d90dd23d0",
            "value": "5a5fafbc3fec8d36fd57b075ebf34119ba3bff04",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Destructive module",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772336980",
            "to_ids": true,
            "type": "sha256",
            "uuid": "cd64a833-3ce1-46ea-8f3a-59007cb15639",
            "value": "018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772336562",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a275a49d-6dc6-49b2-9d76-1bba6bcabeae",
            "value": "1536:ipIv8wiD3kkZZpgq8QK8mfkCwbq4QY1sWfScdAUehZfh9UQ:kwPQ6MbtF3TAUehZZ9J"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772336562",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "556404b9-54da-47a4-9ef4-4c083fc10aac",
            "value": "75776"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772336562",
            "to_ids": true,
            "type": "vhash",
            "uuid": "6848e9fb-7ff2-48ac-a200-59502bb4dc34",
            "value": "174066655d1515556048z4bbz15z21z1ez1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772336562",
            "to_ids": true,
            "type": "filename",
            "uuid": "a4794a85-103c-46eb-89f1-993ff3a49121",
            "value": "exkko.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan: 06/02/2026 (dates are DD/MM/YYYY)",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772336562",
            "to_ids": false,
            "type": "text",
            "uuid": "cfdd6430-8575-4006-92b1-5cbc64db68f6",
            "value": "Destructive module\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/CrashOverride.A!dha\nVT Total Detection:61/72\nFirst Submission:2016-12-19T11:06:32.000000+00:00\nLast Submission:2024-05-08T00:31:06.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772337303",
        "uuid": "38482031-43bf-40d2-b601-8ead94a78c89",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Destructive module",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772337303",
            "to_ids": true,
            "type": "md5",
            "uuid": "9bd186a2-5b66-4e4b-a6b7-567bbb501698",
            "value": "7a7ace486dbb046f588331a08e869d58",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Destructive module",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772336981",
            "to_ids": true,
            "type": "sha1",
            "uuid": "5c308e55-dac2-4247-b501-1bff7b223f4a",
            "value": "b92149f046f00bb69de329b8457d32c24726ee00",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Destructive module",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772336981",
            "to_ids": true,
            "type": "sha256",
            "uuid": "775527f9-e882-4292-b72d-befcb30a0010",
            "value": "ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772336584",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "51c4f943-5860-43cd-9cff-ca903dc5af7a",
            "value": "1536:txjX3k9R4Bdde5eFN73+WmS3UJ64b69AQJRCsWmcd2jjGVjpU:jddewFVO1S3I64LwRg2jjGJK"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772336584",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "69841daa-aaa8-47f6-a1e0-e965f0942f64",
            "value": "76800"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772336584",
            "to_ids": true,
            "type": "vhash",
            "uuid": "6bd1d095-c84f-44b3-a1aa-8a581753d133",
            "value": "074066655d1515556048z49bz15z21z1ez1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772336584",
            "to_ids": true,
            "type": "filename",
            "uuid": "c76ae9bb-bc81-4f82-a190-cdfd8031065b",
            "value": "625yo1.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan: 15/09/2025 (dates are DD/MM/YYYY)",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772336584",
            "to_ids": false,
            "type": "text",
            "uuid": "1856a3d6-6b68-49df-a816-4f23a1724d88",
            "value": "Destructive module\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride.A!dha\nVT Total Detection:65/72\nFirst Submission:2016-12-19T09:58:43.000000+00:00\nLast Submission:2023-06-19T08:39:00.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772337325",
        "uuid": "1e2edc26-5dcf-437b-abff-1c788c3e2da7",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Primary backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772337325",
            "to_ids": true,
            "type": "md5",
            "uuid": "ceafafc7-a54f-468a-9af7-92b4ce91a05e",
            "value": "9f42bccf7e989a6c28b8bca11ef52dd6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Primary backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772336982",
            "to_ids": true,
            "type": "sha1",
            "uuid": "83a935ac-3c27-48e0-8426-6302c9a2baee",
            "value": "5a497154418350c80b213284389f640d50be7d31",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Primary backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772336982",
            "to_ids": true,
            "type": "sha256",
            "uuid": "fd04acae-e07e-487e-a8aa-34ef87aa33e0",
            "value": "c57e390d4c1ba116a28fe618d407395d261f25c2901d1fe68f420fb47a26f444",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772336606",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e1bb9eca-0c33-4c46-933a-9bb85fb43748",
            "value": "1536:UU0LHoDIAWcDpBK7pBwkXNrBlp1nUfLQOzwOhQTwJVfsQJ4ZusWk8cd2mMNi5:UU0LIDI8Dpkzlp1i8qfhQEJ+w0Jd2JN6"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772336606",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "c5b9cede-8f8e-45db-aea8-899a340fd3ef",
            "value": "88576"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772336606",
            "to_ids": true,
            "type": "vhash",
            "uuid": "3d3ff874-20d4-447a-af82-e1c5ac114491",
            "value": "084066655d151555619z58hz2020102fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772336606",
            "to_ids": true,
            "type": "filename",
            "uuid": "9093449c-21e5-4621-bea0-0bc5b3184fee",
            "value": "ilaunchr.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan: 06/08/2025 (dates are DD/MM/YYYY)",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772336606",
            "to_ids": false,
            "type": "text",
            "uuid": "efad9391-8b79-43f2-aaf2-486a839c32bd",
            "value": "Primary backdoor\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride.A!dha\nVT Total Detection:53/72\nFirst Submission:2021-03-17T06:00:53.000000+00:00\nLast Submission:2021-03-17T06:00:53.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772337347",
        "uuid": "b072bd2e-b638-4aea-a54c-8ce40fd4c21b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Hybrid 61850 and OPC effects module",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772337347",
            "to_ids": true,
            "type": "md5",
            "uuid": "e23b1141-e3d7-450e-a1f6-b5cf6f3dfa9b",
            "value": "2a5a6f0940d6d105781761da12350271",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Hybrid 61850 and OPC effects module",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772336984",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e474cdf3-3bf1-4ebc-967d-2fcca855378d",
            "value": "8332e941bffd10b8409fa9b8a279dfb76ff67d64",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Hybrid 61850 and OPC effects module",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772336984",
            "to_ids": true,
            "type": "sha256",
            "uuid": "82eab938-1804-4c09-9265-08954061699c",
            "value": "12ba9887d3007b0a0713d9f1973e1176bd33eccb017b5a7dba166c7c172151e9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772336627",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e984c92b-9926-4fb0-be62-868cedc47608",
            "value": "6144:hHVqRlhFIIQ5uFAC/MvLvaS7edAOgcZZ:hHMX05uFAC/MvLilBZ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772336627",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f6fc2897-7b1f-47ed-b353-abdd5ed67313",
            "value": "250368"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772336627",
            "to_ids": true,
            "type": "vhash",
            "uuid": "07589e70-210d-4af9-9b5d-a3950145bd54",
            "value": "125076655d151d15556028z597z802bz15zf6z1"
          },
          {
            "category": "Payload delivery",
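            "comment": "Weak indicator on its own: imapi.dll is also the name of a legitimate Windows component, so match it only together with the hashes in this object.",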
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772336627",
            "to_ids": true,
            "type": "filename",
            "uuid": "9c49cee2-862b-4a9c-8822-0eb3bcebffa7",
            "value": "imapi.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan: 07/06/2025 (dates are DD/MM/YYYY)",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772336627",
            "to_ids": false,
            "type": "text",
            "uuid": "0072a1e2-fcc9-40fd-a938-7dbfe40be3e2",
            "value": "Hybrid 61850 and OPC effects module\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/CrashOverride!dha\nVT Total Detection:42/72\nFirst Submission:2020-03-07T23:04:22.000000+00:00\nLast Submission:2020-03-07T23:04:22.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772337368",
        "uuid": "6fd65a9c-6583-4c27-b3c9-e0223bb7bce6",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Hybrid 61850 and OPC effects module launcher",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772337368",
            "to_ids": true,
            "type": "md5",
            "uuid": "a50a1d08-4839-41a3-891c-d03b15544c31",
            "value": "a2fc5b98f69095c7475c80589fb246dd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Hybrid 61850 and OPC effects module launcher",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772336985",
            "to_ids": true,
            "type": "sha1",
            "uuid": "60215102-c1bc-43e8-a12a-3fa513b618ff",
            "value": "b8ab38c15772104aa3d22f5a021e9e83abb598b2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Hybrid 61850 and OPC effects module launcher",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772336985",
            "to_ids": true,
            "type": "sha256",
            "uuid": "ddee85a2-810e-45c0-9deb-946c8d9b34b6",
            "value": "56ae7705ffcd56e74e5aecb0e43f17d510c2eaaddc7356f991c0db1daf32a641",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772336649",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "1d050afc-e4de-49f6-bffb-377840f318e5",
            "value": "1536:HL3UkyqCJZnEmdQqj/WZW99aBUCv68QJnCsW1wnLcd2yhNs6Qaw:onEm62+499aSCtwvna2yhNsNT"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772336649",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "8d82d066-580e-4b84-9a97-f024c3a35bcd",
            "value": "74240"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772336649",
            "to_ids": true,
            "type": "vhash",
            "uuid": "8fb879d3-efbc-43c2-945c-55a572f18c33",
            "value": "074066655d1515556038z51hz1lz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772336649",
            "to_ids": true,
            "type": "filename",
            "uuid": "d47bf7a7-9f10-4569-9125-d3ddeb502841",
            "value": "imapi.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan\t:  21/10/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772336649",
            "to_ids": false,
            "type": "text",
            "uuid": "0fc98d14-1db6-46f6-abd2-8602367605bb",
            "value": "Hybrid 61850 and OPC effects module launcher\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride!dha\nVT Total Detection:54/72\nFirst Submission:2021-03-17T06:00:54.000000+00:00\nLast Submission:2021-03-17T06:00:54.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772337389",
        "uuid": "863bedab-faef-4d13-a98c-1f0f2bb17ee7",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Launcher module",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772337389",
            "to_ids": true,
            "type": "md5",
            "uuid": "4a9426ed-9620-4eae-a717-21d534d67bac",
            "value": "53dc3a7cc1f604d7f97d226af60af842",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Launcher module",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772336986",
            "to_ids": true,
            "type": "sha1",
            "uuid": "4bfc484d-3492-45d7-9f96-8489d39bf3f2",
            "value": "4c070cdc760b8ef551768af820582a49da1ec0b9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Launcher module",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772336986",
            "to_ids": true,
            "type": "sha256",
            "uuid": "94e9966f-9ad6-4616-97b3-eee766619d18",
            "value": "7cc9ac6383437dd96161b93b017500a22a2c8d05f58778b9b9fce8ea73304546",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772336671",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "b38e2a8e-8be6-43c3-9ecf-8c54c9d124d0",
            "value": "1536:aL3UkyqCJZnEmdQqj/WZW99aBUCv68QJnCsW1wnLcd2qhNs6Qaw:ZnEm62+499aSCtwvna2qhNsNT"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772336671",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b623ab00-cc18-48f1-ac96-be571eed58c3",
            "value": "74240"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772336671",
            "to_ids": true,
            "type": "vhash",
            "uuid": "cc55ae4d-e7b9-4545-951b-b0d297ec4df1",
            "value": "074066655d1515556038z51hz1lz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772336671",
            "to_ids": true,
            "type": "filename",
            "uuid": "dd5ab4e1-d6ab-433e-a271-e92d7fe1bde1",
            "value": "svchost.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan\t:  16/12/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772336671",
            "to_ids": false,
            "type": "text",
            "uuid": "baf99af8-4ecd-4178-9801-45082e3fb57f",
            "value": "Launcher module\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride.B!dha\nVT Total Detection:55/72\nFirst Submission:2020-05-25T18:36:09.000000+00:00\nLast Submission:2020-05-25T18:36:09.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772337411",
        "uuid": "da81c49b-4faf-43a1-a66a-a294032d67ef",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "UPX-packed credential dumper using extensive Mimikatz source code",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772337411",
            "to_ids": true,
            "type": "md5",
            "uuid": "babd417d-b627-41db-80bc-432e5e505a5f",
            "value": "64f81ac7ff7206513435ebdb3fe13dbb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "UPX-packed credential dumper using extensive Mimikatz source code",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772336987",
            "to_ids": true,
            "type": "sha1",
            "uuid": "67b91fc7-a007-4a95-870d-5aa23b22ecb0",
            "value": "e2c07c7b5a0fd204f9398bcce940499d451a3dd4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "UPX-packed credential dumper using extensive Mimikatz source code",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772336987",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1ab66088-27f1-4979-b04b-2d19d6e9c225",
            "value": "13a71a050d20aaad43ef78d771f22d636475b2ef8e4918731ff64d162287c480",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772336692",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "83a55eec-6026-4e80-b106-fc33a3d7b366",
            "value": "6144:OPjrgBFz2kpRbF3SZRjTm5H5G92ZKOLz3ANzZO5JV2chCvz0a9d9g:YgBHBym5sFOQNy24CLF9d9g"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772336692",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "200c1df7-4740-4f74-a03d-118b7b065c8d",
            "value": "337408"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772336692",
            "to_ids": true,
            "type": "vhash",
            "uuid": "5d349137-1cd4-478d-af5e-0c7651cb371d",
            "value": "03503e0f7d1013z13z61z1011z13z10101011z1fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772336692",
            "to_ids": true,
            "type": "filename",
            "uuid": "d756de2e-985a-4e6b-bc8d-e6b42436d51e",
            "value": "ld.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan\t:  11/03/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772336692",
            "to_ids": false,
            "type": "text",
            "uuid": "270c8789-e912-4db1-9f7f-22ac66b94d7a",
            "value": "UPX-packed credential dumper using extensive Mimikatz source code\r\nType Description: Win32 EXE\nMicrosoft: HackTool:Win32/Mimikatz.D\nVT Total Detection:51/73\nFirst Submission:2021-03-17T06:00:56.000000+00:00\nLast Submission:2021-03-17T06:00:56.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772337432",
        "uuid": "d869c9c5-966e-4a43-b443-9f5785d35fa5",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "UPX-packed Mimikatz",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772337432",
            "to_ids": true,
            "type": "md5",
            "uuid": "b1d565db-e8bf-48b0-ac5b-f00df3339acc",
            "value": "68b4101375ca36797f80fdc71f3f7bbb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "UPX-packed Mimikatz",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772336988",
            "to_ids": true,
            "type": "sha1",
            "uuid": "959af6c8-f8c6-4f63-b5c2-fe39eefa7a8d",
            "value": "5b629bb8f82a1d7e272ee86abdda8295520c8975",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "UPX-packed Mimikatz",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772336989",
            "to_ids": true,
            "type": "sha256",
            "uuid": "6e9dc8f4-4241-4ca8-a472-ea2e082f1ef8",
            "value": "286c63d24fe9259bb6a758ce86e48c7f9094304ce4a32054641923a8cb4eab3c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772336714",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "7b67f16c-8bd0-44d9-b9d0-c262816df196",
            "value": "6144:5Q1ic6QdWGWPBWfODVJzspuCC7jxh8imrIvFqVvB4fwDl4X:6I+WfZWfODVJoQCyjxCimdV8Sl"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772336714",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "469f1e74-84d9-46d1-be21-deafa8da7c2f",
            "value": "295424"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772336714",
            "to_ids": true,
            "type": "vhash",
            "uuid": "74c7b37b-5918-4733-a016-c8bcc4b3553a",
            "value": "02503e0f7d5013z13z61z1011z13z1011z11z1fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772336714",
            "to_ids": true,
            "type": "filename",
            "uuid": "c1fb2a99-f9cc-49ad-b69e-8b311cade048",
            "value": "mm.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan\t:  14/03/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772336714",
            "to_ids": false,
            "type": "text",
            "uuid": "0fba1b35-cca5-4b37-ae50-8d0954654fdc",
            "value": "UPX-packed Mimikatz\r\nType Description: Win32 EXE\nMicrosoft: HackTool:Win32/Mimikatz.D\nVT Total Detection:50/73\nFirst Submission:2021-03-17T06:00:58.000000+00:00\nLast Submission:2021-03-17T06:00:58.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772337453",
        "uuid": "3cf34f9b-0b0e-4e43-ad17-b8bc74949977",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Backdoor NOTEPAD variant",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772337453",
            "to_ids": true,
            "type": "md5",
            "uuid": "1c62f87f-325d-4587-b7c3-c1d30cc51a71",
            "value": "c75bccd657ca04c8d5096404885efb98",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Backdoor NOTEPAD variant",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772336989",
            "to_ids": true,
            "type": "sha1",
            "uuid": "80a464c1-e45e-429d-b82b-12276844834e",
            "value": "599dce245a2a182575b7c643b4fcb8440339ce8a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Backdoor NOTEPAD variant",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772336989",
            "to_ids": true,
            "type": "sha256",
            "uuid": "03c4a7df-0c9b-4b92-8475-3469cafd10a2",
            "value": "376c0608820598f2f20666a82e1d801fce347233e2051010fbcf43c8278220dc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772336735",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "70a8785f-aa5a-4a69-a35f-1af39ba4054b",
            "value": "1536:2wOnbNQK9snrAMWDyy1o5I0foMJUEbooPRrKKReFX3Xe9:MNQK6fWDyDI0fFJltZrpReFX3"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772336735",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "c7ef6985-2ded-404c-abc7-3e8a26b060d9",
            "value": "74240"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772336735",
            "to_ids": true,
            "type": "vhash",
            "uuid": "07c2b199-8557-4fcf-9353-c35994798d56",
            "value": "0740366d1550701090018003916fz42z4afz"
          },
          {
            "category": "Payload delivery",
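            "comment": "Same name as the legitimate Windows Notepad binary; a filename-only match will also hit benign hosts, so pair it with the hash attributes of this object.",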
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772336735",
            "to_ids": true,
            "type": "filename",
            "uuid": "02c23012-c16f-4def-b069-d1e17600ccaa",
            "value": "NOTEPAD.EXE"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan\t:  15/03/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772336735",
            "to_ids": false,
            "type": "text",
            "uuid": "7cebb20b-9ce3-4139-81b4-e01e52c44ea3",
            "value": "Backdoor NOTEPAD variant\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Meterpreter.gen!G\nVT Total Detection:45/73\nFirst Submission:2021-03-17T06:00:58.000000+00:00\nLast Submission:2021-03-17T06:00:58.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772337475",
        "uuid": "c68c4673-763b-4147-bc35-b435a9564a7e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Stand-alone module",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772337475",
            "to_ids": true,
            "type": "md5",
            "uuid": "ebf8e57d-f1e1-4f35-a527-4da9e136d695",
            "value": "36997bdef02b63d411d0bea0335c6899",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Stand-alone module",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772336991",
            "to_ids": true,
            "type": "sha1",
            "uuid": "58b9cfe8-f4a1-4233-9c8c-ee41f158cad5",
            "value": "7fac2eddf22ff692e1b4e7f99910e5dbb51295e6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Stand-alone module",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772336991",
            "to_ids": true,
            "type": "sha256",
            "uuid": "d4bfad0c-fed7-4353-89e0-b8f3dc60baad",
            "value": "156bd34d713d0c8419a5da040b3c2dd48c4c6b00d8a47698e412db16b1ffac0f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772336757",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "82d829ec-deb6-470a-8498-b8376caa4121",
            "value": "3072:HM35lWVEFFaup+juJH6RVVVYBTOr83GqK8vbxU+HvaAg0FujoYVzYSwn:s35Q+FFhp+eaj7Y4rXayAOASw"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772336757",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7d3f6247-7592-4f60-b240-405afdf859d8",
            "value": "245248"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772336757",
            "to_ids": true,
            "type": "vhash",
            "uuid": "99b739b2-453d-4a84-86ea-59b3a9e14fbb",
            "value": "025066655d1d15556028z537z802tz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772336757",
            "to_ids": true,
            "type": "filename",
            "uuid": "12c0e595-f6cc-401c-84da-ab3a07d29ec7",
            "value": "3A586EB6.vsc"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan\t:  25/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772336757",
            "to_ids": false,
            "type": "text",
            "uuid": "c3ba2a65-5b60-4684-b330-a8e50d472599",
            "value": "Stand-alone module\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride!dha\nVT Total Detection:50/72\nFirst Submission:2019-03-05T15:55:44.000000+00:00\nLast Submission:2026-02-28T06:56:06.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772337496",
        "uuid": "cd94703f-2a19-45d3-bd45-b4368685cda4",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Variant of primary backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772337496",
            "to_ids": true,
            "type": "md5",
            "uuid": "5e12afbb-3b68-443e-801a-318408253f32",
            "value": "a06bc585d1c6e24d837d0198490da575",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Variant of primary backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772336992",
            "to_ids": true,
            "type": "sha1",
            "uuid": "71e1895d-11b6-4dd4-8260-25532d0f25a1",
            "value": "a71fabd764a3b0116fefb14433ffb2c51629b2c6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Variant of primary backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772336992",
            "to_ids": true,
            "type": "sha256",
            "uuid": "fa4634f6-ec62-48db-a2ed-82421426eeb5",
            "value": "dcb7d2fc46f61d5522e005ac66f3f0661e2d5284d5a3f8b3a0c8b4050d8397a7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772336799",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "b27de2ce-ae80-4fa3-92d2-fc3d52192520",
            "value": "1536:/730kyqC5KnUjdA6j/WZW9UaBECv6lQJnCsW1wnLcd27hNs6Qaw:bnUjKm+49UaCCkwvna27hNsNT"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772336799",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "5c6c6434-afbe-4c3a-8b4b-2369b1320a3c",
            "value": "74240"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772336799",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d1d21566-8a36-49b6-b767-e4dd63b37b19",
            "value": "074066655d1515556038z51hz1lz"
          },
          {
            "category": "Payload delivery",
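            "comment": "Name is this sample's MD5 with a .virus suffix, which looks like a repository label rather than an on-disk name; confirm before matching on it.",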
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772336799",
            "to_ids": true,
            "type": "filename",
            "uuid": "03ae579d-5789-4561-b48f-86858fb21b2c",
            "value": "a06bc585d1c6e24d837d0198490da575.virus"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan\t:  25/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772336799",
            "to_ids": false,
            "type": "text",
            "uuid": "775058b0-afc2-48dd-962f-8559b503e1e3",
            "value": "Variant of primary backdoor\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride!dha\nVT Total Detection:45/72\nFirst Submission:2021-05-04T04:30:30.000000+00:00\nLast Submission:2021-05-04T04:30:30.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772337518",
        "uuid": "fb862b01-e849-469e-b4a3-925046a4fb60",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Backdoor NOTEPAD variant",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772337518",
            "to_ids": true,
            "type": "md5",
            "uuid": "fc6f00a0-c4f7-414d-adb0-17a32be71545",
            "value": "1e3ed25e8aa0ca2b03e18be49e6a1b35",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Backdoor NOTEPAD variant",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772336993",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7e49ccba-ce53-4f4e-b3e8-d612fcf7d80d",
            "value": "0a306ea6d64c7cb91551d069363dd1f24854a204",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Backdoor NOTEPAD variant",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772336993",
            "to_ids": true,
            "type": "sha256",
            "uuid": "0131be76-4dc6-4c71-9a30-71c3c7283ae4",
            "value": "9a12493af09b0711edb0d6797fb195c64f3ca65437dd6274b171ebd22558172c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772336821",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "729e34ee-4b1f-4e76-b493-4d4c4a3e4fd8",
            "value": "1536:ohVY3Acg07m7EIdJwtmLaCMUAtdFYkNNOQ7TOnBFAjzfNT36ABr8fREQJ9sWm4Cr:ohVY3Acg07m7EIdJwtYFZA/7TOBWHVTX"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772336821",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "8dbc5ef5-7e2b-439c-842e-51070af2b129",
            "value": "89088"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772336821",
            "to_ids": true,
            "type": "vhash",
            "uuid": "b68bbd6b-52aa-46ad-b024-00d7d4a63e9b",
            "value": "084066655d151555619z58hz2020102fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772336821",
            "to_ids": true,
            "type": "filename",
            "uuid": "d204a707-8c32-4f7c-906c-bd25ceb921c3",
            "value": "tiering.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan\t:  21/09/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772336821",
            "to_ids": false,
            "type": "text",
            "uuid": "d82e4eff-0d6a-4111-8f2f-e0821f49152f",
            "value": "Backdoor NOTEPAD variant\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride.A!dha\nVT Total Detection:53/72\nFirst Submission:2021-03-17T06:01:02.000000+00:00\nLast Submission:2021-03-17T06:01:02.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772337539",
        "uuid": "52b139c3-c1ab-4f29-88f9-20a174457c19",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Primary backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772337539",
            "to_ids": true,
            "type": "md5",
            "uuid": "ee727f7a-c355-4d4e-a5d1-5ef4b8f231e5",
            "value": "ff69615e3a8d7ddcdc4b7bf94d6c7ffb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Primary backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772336995",
            "to_ids": true,
            "type": "sha1",
            "uuid": "2113da3c-338e-49d9-adcb-3ead97f111c6",
            "value": "2cb8230281b86fa944d3043ae906016c8b5984d9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Primary backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772336995",
            "to_ids": true,
            "type": "sha256",
            "uuid": "6031752a-f499-46ba-8adb-b8f67676f3d9",
            "value": "ecaf150e087ddff0ec6463c92f7f6cca23cc4fd30fe34c10b3cb7c2a6d135c77",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772336843",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "b4a0580f-dde2-4225-a789-161d7c8b8693",
            "value": "1536:4mlzHdKCtCgl4DgBbAhSk/NOoBD+niVAjzfNT36WBrMf4QJKLsWhcdIyeGvm3VAN:4mVHdKCtCa9xCBD+iGHVTq2rPwKmIyI0"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772336843",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "05b3e59d-67fc-4ab7-a5c5-0707d5398be8",
            "value": "89088"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772336843",
            "to_ids": true,
            "type": "vhash",
            "uuid": "9f17cf6b-25dd-4e3c-aac8-c5eb4e6893eb",
            "value": "084066655d151555619z58hz2020102fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772336843",
            "to_ids": true,
            "type": "filename",
            "uuid": "be3ae8b5-fcaa-46b7-ba93-24d4d19596c1",
            "value": "cigjy0.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan\t:  06/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772336843",
            "to_ids": false,
            "type": "text",
            "uuid": "6681c75e-1d83-4013-a764-6b5e449f6186",
            "value": "Primary backdoor\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride.A!dha\nVT Total Detection:64/72\nFirst Submission:2016-12-18T14:08:21.000000+00:00\nLast Submission:2024-08-06T08:33:13.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772337562",
        "uuid": "f0704c80-1f51-4f5f-b203-d45bb0a63a2e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Primary backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772337562",
            "to_ids": true,
            "type": "md5",
            "uuid": "709910bf-ab9f-417f-a307-1fda00dd8ca7",
            "value": "fc4fe1b933183c4c613d34ffdb5fe758",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Primary backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772336995",
            "to_ids": true,
            "type": "sha1",
            "uuid": "2c4a0738-a056-4250-aa04-0561518c7830",
            "value": "cccce62996d578b984984426a024d9b250237533",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Primary backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772336996",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4264559d-6ca4-4ceb-b0e9-eda547726846",
            "value": "6d707e647427f1ff4a7a9420188a8831f433ad8c5325dc8b8cc6fc5e7f1f6f47",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772336865",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "2cb764e3-226e-4e66-94eb-2c5a71a5cff9",
            "value": "192:JYmE5zgvM3cGfjntdYOapCGSDyBE+di3eKKxWvJCDpFnTZ0k:JYVgk3VjntdfhJ+03xGWJCDpFTZ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772336865",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a0d37d99-2baf-48ff-a140-5a58d624e36b",
            "value": "10752"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772336865",
            "to_ids": true,
            "type": "vhash",
            "uuid": "c29455c0-e6c8-4c4e-b92e-e1f98be1b771",
            "value": "014056551d055550d8z27hz2020102fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772336865",
            "to_ids": true,
            "type": "filename",
            "uuid": "67d92c94-e1e2-4712-8a24-4e43e010cf3b",
            "value": "3s3fef0.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan\t:  26/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772336865",
            "to_ids": false,
            "type": "text",
            "uuid": "6d853b73-308f-4ada-a9d0-1e1a3989819c",
            "value": "Primary backdoor\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride.A!dha\nVT Total Detection:62/72\nFirst Submission:2016-12-18T14:07:28.000000+00:00\nLast Submission:2024-09-26T13:11:04.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772337583",
        "uuid": "c71ea813-3136-4ed6-94eb-100f1b4f2594",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Primary backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772337583",
            "to_ids": true,
            "type": "md5",
            "uuid": "19957403-83d1-4ab0-9747-f54c6b56720b",
            "value": "ae72878a63ed589cfd5996a623dda4cb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Primary backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772336997",
            "to_ids": true,
            "type": "sha1",
            "uuid": "10a32d8f-ba23-40d9-8c2b-8659254553ae",
            "value": "de15a697a8ec72064e124c0fae0837b861e87073",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Primary backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772336997",
            "to_ids": true,
            "type": "sha256",
            "uuid": "9f6f5504-841e-4724-80f3-8b803408351e",
            "value": "7e96849c69263e0125419a3fbb2547050329b7189db599d8136650171818bd81",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772336887",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "8387b5ad-481a-4843-8c41-4ce41b008e8a",
            "value": "192:hYmE5zgvM3cGfjn5dYOapCGSDyBEii3e5KxWvJCDpFnTZ0k:hYVgk3Vjn5dfhJZ3aGWJCDpFTZ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772336887",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7a55ed34-6518-4ec3-8045-2bf2c62fbdd9",
            "value": "10752"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772336887",
            "to_ids": true,
            "type": "vhash",
            "uuid": "6d9155bc-001e-4f14-9f3c-1983af6ed18e",
            "value": "014056551d055550d8z27hz2020102fz"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan\t:  13/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772336887",
            "to_ids": false,
            "type": "text",
            "uuid": "9e150ea3-c0c1-4f24-b6ec-c5f5c9ed64b4",
            "value": "Primary backdoor\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Multiverze\nVT Total Detection:62/72\nFirst Submission:2022-12-14T02:49:53.000000+00:00\nLast Submission:2022-12-14T10:15:23.000000+00:00"
          }
        ]
      }
    ]
  }
}