{
  "Event": {
    "analysis": "1",
    "date": "2017-01-01",
    "extends_uuid": "",
    "info": "[Threat Intel] WHEN THE LIGHTS WENT OUT -  A COMPREHENSIVE REVIEW OF THE 2015 ATTACKS ON UKRAINIAN CRITICAL INFRASTRUCTURE",
    "protected": false,
    "publish_timestamp": "1772419855",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1772419852",
    "uuid": "36469906-8e4b-4708-94d4-5770f4183256",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Ukraine\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"BlackEnergy\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-software=\"BlackEnergy 3\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Industrial\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Electric\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"KillDisk\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#150050",
        "local": false,
        "name": "rectifyq:sub-category=\"report\"",
        "relationship_type": ""
      },
      {
        "colour": "#190061",
        "local": false,
        "name": "rectifyq:topic=\"ics-ot\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Block Command Message\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Block Serial COM\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Command-Line Interface\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Commonly Used Port\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Data Destruction\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Denial of Control\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Denial of View\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"External Remote Services\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Indicator Removal on Host\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Loss of Availability\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Masquerading\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Network Connection Enumeration\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Network Service Scanning\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Remote File Copy\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Remote System Discovery\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Scripting\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Spearphishing Attachment\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"System Firmware\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Unauthorized Command Message\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"User Execution\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Valid Accounts\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#f63636",
        "local": false,
        "name": "ICS-specific",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771849123",
        "to_ids": false,
        "type": "link",
        "uuid": "9df801a3-dc6f-4885-be52-22c7770bf840",
        "value": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771853823",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "b595791c-cd53-4555-8332-bd6c13f1a554",
        "value": "CVE-2014-6271"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771853823",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "ec0784f3-beb0-4f07-8161-41bd46720066",
        "value": "CVE-2014-7186"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771853823",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "155c1fab-2edd-4df3-942f-f6c7a63f5f8c",
        "value": "CVE-2014-7187"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771853823",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "b2955fe5-e792-44de-b161-e54c0aaa76f5",
        "value": "CVE-2014-6277"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771853823",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "ed752e0d-f534-4c4f-8268-c4b9c3c9d793",
        "value": "CVE-2014-6278"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771854728",
        "uuid": "88129459-e241-425b-8fa1-0c7e0dcb8329",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Weaponized MS Excel file used to deliver BE3 malware",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771854728",
            "to_ids": true,
            "type": "md5",
            "uuid": "599263a6-3f03-4c1d-acb2-0bf95083b11e",
            "value": "97b7577d13cf5e3bf39cbe6d3f0a7732",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Weaponized MS Excel file used to deliver BE3 malware",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771854340",
            "to_ids": true,
            "type": "sha1",
            "uuid": "a63698c8-5461-4673-96a1-3d91fff8756b",
            "value": "aa67ca4fb712374f5301d1d2bab0ac66107a4df1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Weaponized MS Excel file used to deliver BE3 malware",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771854340",
            "to_ids": true,
            "type": "sha256",
            "uuid": "2982af1a-a169-49c9-9cfd-e54a0ebf3c90",
            "value": "052ebc9a518e5ae02bbd1bd3a5a86c3560aefc9313c18d81f6670c3430f1d4d4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771850011",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "552ff9c7-4134-4a43-8ba8-d085578f493f",
            "value": "12288:WfghhODBvtntqnRwEtjaeIPsmx5Lgc31DH:W43ODBvtntqnRwEtOeIEmDDj"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771850011",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "03650d5c-0842-4a46-b031-ad6e12d148e1",
            "value": "734720"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771850011",
            "to_ids": true,
            "type": "vhash",
            "uuid": "0086ad08-42db-49ee-b55b-23f337859973",
            "value": "c9faacb2d7cd138751c9aa37fdc96de8"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771850011",
            "to_ids": true,
            "type": "filename",
            "uuid": "aa8270fb-ae27-49d6-8470-4dc4d0149fb7",
            "value": "Blackenergy.xls"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2026\nLast-scan\t:  18/08/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771850011",
            "to_ids": false,
            "type": "text",
            "uuid": "56cbd047-e3b8-41ba-a2dc-deb80804901b",
            "value": "Weaponized MS Excel file used to deliver BE3 malware\r\nType Description: MS Excel Spreadsheet\nMicrosoft: TrojanDownloader:O97M/Donoff\nVT Total Detection:46/64\nFirst Submission:2015-08-03T10:37:19.000000+00:00\nLast Submission:2026-01-21T09:51:37.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771854751",
        "uuid": "d9f0d6a2-9c28-453d-9678-bd2f002194fb",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "BE3 INSTALLER (VBA_MACRO.EXE, SAMPLE 2)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771854751",
            "to_ids": true,
            "type": "md5",
            "uuid": "ac172870-5bf5-49af-bbea-77bc5e617fb9",
            "value": "abeab18ebae2c3e445699d256d5f5fb1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "BE3 INSTALLER (VBA_MACRO.EXE, SAMPLE 2)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771854341",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7af3cf16-efb5-4867-92d9-57181d865eae",
            "value": "4c424d5c8cfedf8d2164b9f833f7c631f94c5a4c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "BE3 INSTALLER (VBA_MACRO.EXE, SAMPLE 2)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771854341",
            "to_ids": true,
            "type": "sha256",
            "uuid": "84729a00-2863-490e-91be-d2a0ad63d0c6",
            "value": "07e726b21e27eefb2b2887945aa8bdec116b09dbd4e1a54e1c137ae8c7693660",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771850033",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "76acc181-e292-4cb2-a381-9806e2ab5bd2",
            "value": "1536:Ghe+Kwx4YUaZ8XC68hYS6Oxw2wcW/EE5YxUg3UZBFuLLKpmUPOFA7UBMK1tk:G4+KC4YNCXC6m6v2neEE5YJ3UZEU/K1O"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771850033",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "fd122738-9306-4bcc-85e8-8292c3b395fb",
            "value": "98304"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771850033",
            "to_ids": true,
            "type": "vhash",
            "uuid": "a80974b9-1a04-43fc-a7d6-7fb34cef511f",
            "value": "094046755d15119z3anz1fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771850033",
            "to_ids": true,
            "type": "filename",
            "uuid": "c8c4f5be-0cd3-4c18-9c65-c8cef31b9ecf",
            "value": "CPLEXE.EXE"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2026\nLast-scan\t:  14/10/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771850033",
            "to_ids": false,
            "type": "text",
            "uuid": "5494713e-cfc9-4503-bc54-c1774f188720",
            "value": "BE3 INSTALLER (VBA_MACRO.EXE, SAMPLE 2)\r\nType Description: Win32 EXE\nMicrosoft: Backdoor:Win32/Phdet!rfn\nVT Total Detection:63/72\nFirst Submission:2015-03-24T09:49:54.000000+00:00\nLast Submission:2024-08-14T01:03:34.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771854772",
        "uuid": "7ba40602-2dac-48ca-b589-c4a639e4e9b1",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "This script launches the Dropbear SSH server from directory C:\\WINDOWS\\TEMP\\DROPBEAR\\, and sets the server to listen on port 6789",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771854772",
            "to_ids": true,
            "type": "md5",
            "uuid": "12a56d0d-c46c-47fa-8e8c-246a19f4bf5e",
            "value": "0af5b1e8eaf5ee4bd05227bf53050770",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "This script launches the Dropbear SSH server from directory C:\\WINDOWS\\TEMP\\DROPBEAR\\, and sets the server to listen on port 6789",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771854342",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e550aa35-ab51-4567-ac51-64968773d410",
            "value": "72d0b326410e1d0705281fde83cb7c33c67bc8ca",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "This script launches the Dropbear SSH server from directory C:\\WINDOWS\\TEMP\\DROPBEAR\\, and sets the server to listen on port 6789",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771854343",
            "to_ids": true,
            "type": "sha256",
            "uuid": "2ac1d3bb-88fd-46ce-9574-3a0020977e84",
            "value": "b90f268b5e7f70af1687d9825c09df15908ad3a6978b328dc88f96143a64af0f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771850055",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "2a38a486-3899-4453-945c-1babf8b64830",
            "value": "3:jaPFEm8nhmCeRoakvugo/XKVhZotkqQBhKVhLXqFGpBlypB3gWA:j6NqhmCOoLvugoXOfAk1hKVd6kNiqWA"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771850055",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "6111fa75-5e8c-4ff4-8c75-c082fbaca362",
            "value": "165"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771850055",
            "to_ids": true,
            "type": "vhash",
            "uuid": "f28b5ae7-1b9f-4a56-a0b1-c6d07e49f43d",
            "value": "d1750ea90596bb4e7cd6479d6b7d019e"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771850055",
            "to_ids": true,
            "type": "filename",
            "uuid": "d6bfc026-7dbe-45b8-8442-7ea1a4f6ee49",
            "value": "Blackenergy_b90f268b5e7f70af1687d9825c09df15908ad3a6978b328dc88f96143a64af0f"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2026\nLast-scan\t:  17/12/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771850055",
            "to_ids": false,
            "type": "text",
            "uuid": "afcfe1bd-d36b-4e7c-97ec-d5d53154c89f",
            "value": "This script launches the Dropbear SSH server from directory C:\\WINDOWS\\TEMP\\DROPBEAR\\, and sets the server to listen on port 6789\r\nType Description: VBA\nMicrosoft: Trojan:VBS/Dorbear.A\nVT Total Detection:30/62\nFirst Submission:2015-10-13T10:51:25.000000+00:00\nLast Submission:2024-05-08T19:26:23.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771854794",
        "uuid": "147d800a-c3ff-4cc3-9760-ebd656244301",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Weaponized MS Word file, with an embedded BE3 installer",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771854794",
            "to_ids": true,
            "type": "md5",
            "uuid": "480c1ac0-5422-46d8-bb8b-0df228aa3a06",
            "value": "e15b36c2e394d599a8ab352159089dd2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Weaponized MS Word file, with an embedded BE3 installer",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771854344",
            "to_ids": true,
            "type": "sha1",
            "uuid": "3524ec61-9cb2-41fc-8241-c85897acf3ab",
            "value": "28719979d7ac8038f24ee0c15114c4a463be85fb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Weaponized MS Word file, with an embedded BE3 installer",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771854344",
            "to_ids": true,
            "type": "sha256",
            "uuid": "9cb61383-95fc-49e7-9a42-4c5863a26a9d",
            "value": "39d04828ab0bba42a0e4cdd53fe1c04e4eef6d7b26d0008bd0d88b06cc316a81",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771850078",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "19e44425-e971-4cc0-b851-242c957bcfe6",
            "value": "24576:QWa4kgsv/30DkRkkRbRjwwM6IfS1Uu6OduwW:Q83I/32kSkTjwwM6IfS1Uu6OduwW"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771850078",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "32fc3c38-5aab-4bd4-baeb-b35a22fc2504",
            "value": "1194496"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771850078",
            "to_ids": true,
            "type": "vhash",
            "uuid": "1546ca2b-a845-4dc2-a32e-2f71be511808",
            "value": "850225048f1c6dd021739dace14c0b8f"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771850078",
            "to_ids": true,
            "type": "filename",
            "uuid": "1fcb41db-1ca5-40ab-abfc-77e455121330",
            "value": "doc.doc"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2026\nLast-scan\t:  04/08/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771850078",
            "to_ids": false,
            "type": "text",
            "uuid": "98468ddb-f3af-4229-ba05-074492be4886",
            "value": "Weaponized MS Word file, with an embedded BE3 installer\r\nType Description: MS Word Document\nMicrosoft: TrojanDropper:O97M/Aptdrop.H\nVT Total Detection:41/64\nFirst Submission:2016-01-20T08:03:52.000000+00:00\nLast Submission:2024-06-11T10:06:38.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771854815",
        "uuid": "29073d46-a6bb-4178-83f6-bb608cd5e7ae",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "BE3 INSTALLER (VBA_MACRO.EXE, SAMPLE 1)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771854815",
            "to_ids": true,
            "type": "md5",
            "uuid": "a22eccc5-4049-4699-84a5-80bfce15e7d7",
            "value": "ac2d7f21c826ce0c449481f79138aebd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "BE3 INSTALLER (VBA_MACRO.EXE, SAMPLE 1)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771854345",
            "to_ids": true,
            "type": "sha1",
            "uuid": "37d3a701-0711-4b91-8494-f0adf031a8d3",
            "value": "4184888c26778f5596d6e8d83624512ed2f045dd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "BE3 INSTALLER (VBA_MACRO.EXE, SAMPLE 1)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771854345",
            "to_ids": true,
            "type": "sha256",
            "uuid": "6366d01b-1105-4212-8e04-da6450d95e25",
            "value": "ca7a8180996a98e718f427837f9d52453b78d0a307e06e1866db4d4ce969d525",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771850099",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "78968628-5355-4ca9-8839-84f794321310",
            "value": "1536:40QMVvRZ+U09VjVOztGUL4RuXBYNrgMHvdlTCgXUpkOFA7UBMK1tk:4BMdyfzUBxYNrPdlTXe2K1tk"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771850099",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f0152f5b-60e3-4489-842f-08557774a3de",
            "value": "110592"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771850099",
            "to_ids": true,
            "type": "vhash",
            "uuid": "bd73d547-6aed-4453-b264-ceadc599c513",
            "value": "015046755d15119z3anz1fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771850099",
            "to_ids": true,
            "type": "filename",
            "uuid": "2597b12b-8b6b-49c1-9e09-7e4e261ac5da",
            "value": "CPLEXE.EXE"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2026\nLast-scan\t:  25/03/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771850099",
            "to_ids": false,
            "type": "text",
            "uuid": "afd80f0e-d1b6-4abc-a7d0-3b77b1eab2ce",
            "value": "BE3 INSTALLER (VBA_MACRO.EXE, SAMPLE 1)\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Aptdrop\nVT Total Detection:61/72\nFirst Submission:2016-01-29T01:59:28.000000+00:00\nLast Submission:2024-06-11T10:06:46.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771854837",
        "uuid": "31c45fb4-0d3d-4107-bcf8-d78f90a3e3f6",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "BE3 IMPLANT (FONTCACHE.DAT, SAMPLE 1)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771854837",
            "to_ids": true,
            "type": "md5",
            "uuid": "e1be8bf2-e5f2-4613-b45c-48c39276af21",
            "value": "3fa9130c9ec44e36e52142f3688313ff",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "BE3 IMPLANT (FONTCACHE.DAT, SAMPLE 1)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771854346",
            "to_ids": true,
            "type": "sha1",
            "uuid": "5baa6567-efdc-4b22-bfc6-05953ec18404",
            "value": "899baab61f32c68cde98db9d980cd4fe39edd572",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "BE3 IMPLANT (FONTCACHE.DAT, SAMPLE 1)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771854346",
            "to_ids": true,
            "type": "sha256",
            "uuid": "0be7c357-4c94-4c29-9f26-348c2ca85203",
            "value": "ef380e33a854ef9d9052c93fc68d133cfeaae3493683547c2f081dc220beb1b3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771850121",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "57237f39-8628-4319-b894-de63a88c79f9",
            "value": "1536:udeKxHXH7KgTK81tXvArWtQ4ZME5jlIKtx3:ceKBKTWIr9jklIKtx3"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771850121",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "22d5ca3d-b587-4676-a5ce-d6cf69ff6b21",
            "value": "56832"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771850121",
            "to_ids": true,
            "type": "vhash",
            "uuid": "13e0379e-5fbc-4d33-9558-d03db1cfeb37",
            "value": "154056755d151510d8z58pz33z15z20"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771850121",
            "to_ids": true,
            "type": "filename",
            "uuid": "3f167a28-ce92-45ea-ac2f-eb1f843464c1",
            "value": "packet.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2026\nLast-scan\t:  04/11/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771850121",
            "to_ids": false,
            "type": "text",
            "uuid": "a60aee5f-8ae3-4552-8e26-11aede71f5d6",
            "value": "BE3 IMPLANT (FONTCACHE.DAT, SAMPLE 1)\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Aptdrop\nVT Total Detection:56/72\nFirst Submission:2016-01-11T10:19:07.000000+00:00\nLast Submission:2024-06-11T10:06:52.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771854858",
        "uuid": "6aeec9ab-ad24-443b-b7dd-90c4716d2aa2",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "This is a BE2 dropper, installer, and RAT bundle. It is either a modified Cyberlink PowerDVD 10 binary or is designed to look like one during string analysis",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771854858",
            "to_ids": true,
            "type": "md5",
            "uuid": "de705906-7ac3-494d-a82f-abf175a1e133",
            "value": "1d6d926f9287b4e4cb5bfc271a164f51",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "This is a BE2 dropper, installer, and RAT bundle. It is either a modified Cyberlink PowerDVD 10 binary or is designed to look like one during string analysis",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771854347",
            "to_ids": true,
            "type": "sha1",
            "uuid": "72226a7e-6e3f-48e2-9a5e-b2b9cefb35be",
            "value": "896fcacff6310bbe5335677e99e4c3d370f73d96",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "This is a BE2 dropper, installer, and RAT bundle. It is either a modified Cyberlink PowerDVD 10 binary or is designed to look like one during string analysis",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771854347",
            "to_ids": true,
            "type": "sha256",
            "uuid": "149b4e43-a646-4d69-86fa-0e6625dd7335",
            "value": "07a76c1d09a9792c348bb56572692fcc4ea5c96a77a2cddf23c0117d03a0dfad",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771850164",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "cf1990b2-b094-40fe-8508-28ee9e7a227d",
            "value": "3072:ZdG47Cf/YfIMooepTY/m0XypfYI6xNZrz9Va/DBE8JIQ8yP676vWgJRQf:ZdGboIMorikpwZ7DV4DG8JI0yuzJ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771850164",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "d58ec9da-6096-4551-a7bc-1478619b8c2d",
            "value": "155648"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771850164",
            "to_ids": true,
            "type": "vhash",
            "uuid": "1c7bca47-64be-42f1-9bd9-6e5b3cc86ab8",
            "value": "015046755555108jz57z106001cfz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771850164",
            "to_ids": true,
            "type": "filename",
            "uuid": "7dce4b62-c138-4f7e-a344-53cee6500621",
            "value": "write"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2026\nLast-scan\t:  24/12/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771850164",
            "to_ids": false,
            "type": "text",
            "uuid": "8ca245b6-2dbf-43a6-8b7f-c046b98c122f",
            "value": "This is a BE2 dropper, installer, and RAT bundle. It is either a modified Cyberlink PowerDVD 10 binary or is designed to look like one during string analysis\r\nType Description: Win32 EXE\nMicrosoft: Trojan:MSIL/Cryptor\nVT Total Detection:60/72\nFirst Submission:2015-10-11T04:17:36.000000+00:00\nLast Submission:2024-02-06T03:08:58.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771854880",
        "uuid": "6615151b-76b2-40c6-a145-87157c583074",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "This is the implant file associated with BE2 Installer (Undisclosed)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771854880",
            "to_ids": true,
            "type": "md5",
            "uuid": "18311662-8f20-4b57-98f4-e78b63a4dd05",
            "value": "e60854c96fab23f2c857dd6eb745961c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "This is the implant file associated with BE2 Installer (Undisclosed)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771854348",
            "to_ids": true,
            "type": "sha1",
            "uuid": "3f8d3db3-091a-41b6-9850-57a7c1ac1e9d",
            "value": "4bc2bbd1809c8b66eecd7c28ac319b948577de7b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "This is the implant file associated with BE2 Installer (Undisclosed)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771854348",
            "to_ids": true,
            "type": "sha256",
            "uuid": "18f198c2-0fd3-4141-b312-76d937cae8c1",
            "value": "244dd8018177ea5a92c70a7be94334fa457c1aab8a1c1ea51580d7da500c3ad5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771850185",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "35acf817-34c6-4094-b0a3-d9028f8054c6",
            "value": "1536:ZotE8TK/Jv20Q0Oti7SSoWArcYU5u9tly+0OazRy:yTK/Jv20FKiWpdoYU5gqOazRy"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771850185",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "2573e75f-8e69-42fe-b2ba-963bdf076b96",
            "value": "60928"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771850185",
            "to_ids": true,
            "type": "vhash",
            "uuid": "3d0ad473-64c0-4b6e-90ca-f6ca912eb0ae",
            "value": "06406e751d1e55151iz64xz"
          },
          {
            "category": "Payload delivery",
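            "comment": "Value is a bare extension, not a full file name, so a filename match alone cannot identify this sample; use the hashes in this object.",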
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771850185",
            "to_ids": true,
            "type": "filename",
            "uuid": "47c74655-3ebe-47db-8f00-3893069f7c52",
            "value": ".exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2026\nLast-scan\t:  27/08/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771850185",
            "to_ids": false,
            "type": "text",
            "uuid": "7e558f40-a5d7-4e1e-8409-8e2b93822057",
            "value": "This is the implant file associated with BE2 Installer (Undisclosed)\r\nType Description: Win32 EXE\nMicrosoft: VirTool:Win32/Obfuscator.QV\nVT Total Detection:60/72\nFirst Submission:2015-10-09T16:26:08.000000+00:00\nLast Submission:2022-11-27T06:11:20.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771854902",
        "uuid": "acce6575-1280-488b-95cb-45cbe2c81d68",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "This file is the Dropbear server program. Analysis identified that this Dropbear binary code was modified from its source code to include a backdoor and authentication processes",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771854902",
            "to_ids": true,
            "type": "md5",
            "uuid": "881a22f5-5ef1-414e-8346-4af92515e93f",
            "value": "fffeaba10fd83c59c28f025c99d063f8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "This file is the Dropbear server program. Analysis identified that this Dropbear binary code was modified from its source code to include a backdoor and authentication processes",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771854349",
            "to_ids": true,
            "type": "sha1",
            "uuid": "869f6116-f3a5-4b1b-b391-1303eeab9c3c",
            "value": "166d71c63d0eb609c4f77499112965db7d9a51bb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "This file is the Dropbear server program. Analysis identified that this Dropbear binary code was modified from its source code to include a backdoor and authentication processes",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771854349",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a5d1851d-1b44-40d7-a006-da3b48a0ed6f",
            "value": "0969daac4adc84ab7b50d4f9ffb16c4e1a07c6dbfc968bd6649497c794a161cd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771850229",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "b8341640-38ca-42cb-b65f-91091f0177fe",
            "value": "3072:eJsQ8wmYajbs0mokp8XzsQmfp1543sDEinXPedm6NKe0j7Z39f2m9TEsngIpRN:xLHjPmokpCqO8r6n4Tnh5"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771850229",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a3b71dd4-5c1e-4ccd-89eb-9f70612d5b04",
            "value": "303152"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771850229",
            "to_ids": true,
            "type": "vhash",
            "uuid": "954ccdc4-44fa-4113-a87d-400140e93b10",
            "value": "0350d76d555c0d1515551bz4!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771850229",
            "to_ids": true,
            "type": "filename",
            "uuid": "4cdb36fc-7499-4af7-9ded-3aca1576e2d1",
            "value": "\u6709\u6548\u8ca0\u8f09.bat"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2026\nLast-scan\t:  03/11/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771850229",
            "to_ids": false,
            "type": "text",
            "uuid": "a5d5c41d-fcbf-43be-b9a7-39e2441dc4e3",
            "value": "This file is the Dropbear server program. Analysis identified that this Dropbear binary code was modified from its source code to include a backdoor and authentication processes\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Dorbear.A\nVT Total Detection:57/72\nFirst Submission:2015-06-25T09:16:03.000000+00:00\nLast Submission:2025-01-21T03:03:43.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771854923",
        "uuid": "a2bb3155-8934-4890-80ac-4bbd0a9083a5",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "This is the implant file associated with BE3 Installer (VBA_macro.exe, Sample 2)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771854923",
            "to_ids": true,
            "type": "md5",
            "uuid": "308b4c86-6222-46cf-bcab-fc7a98f718df",
            "value": "cdfb4cda9144d01fb26b5449f9d189ff",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "This is the implant file associated with BE3 Installer (VBA_macro.exe, Sample 2)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771854350",
            "to_ids": true,
            "type": "sha1",
            "uuid": "97e991c9-0089-4320-b5bf-363bfc50179d",
            "value": "315863c696603ac442b2600e9ecc1819b7ed1b54",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "This is the implant file associated with BE3 Installer (VBA_macro.exe, Sample 2)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771854350",
            "to_ids": true,
            "type": "sha256",
            "uuid": "372fbcf7-29c1-44ae-87bd-70ac199d42f1",
            "value": "f5785842682bc49a69b2cbc3fded56b8b4a73c8fd93e35860ecd1b9a88b9d3d8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771850251",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "6e034524-9cc9-4cf8-933d-da19988b5188",
            "value": "1536:9gnPEZTVI581tXvArWtQ4ZME5/1IKtQX:9g2JaWIr9jo1IKtQX"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771850251",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4cd4f15b-fce7-45bc-a79b-dd67d69d573e",
            "value": "55808"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771850251",
            "to_ids": true,
            "type": "vhash",
            "uuid": "057f4629-7395-4207-96cb-2cb2320b5fe0",
            "value": "154056755d151510d8z58pz33z15z20"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771850251",
            "to_ids": true,
            "type": "filename",
            "uuid": "41a7c777-2151-4211-ac95-0c9fc080bda9",
            "value": "packet.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2026\nLast-scan\t:  08/03/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771850251",
            "to_ids": false,
            "type": "text",
            "uuid": "60cc242f-e64d-4ef9-adb7-604a4f31af13",
            "value": "This is the implant file associated with BE3 Installer (VBA_macro.exe, Sample 2)\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/BlackEnergy!AMTB\nVT Total Detection:59/72\nFirst Submission:2015-07-27T13:17:32.000000+00:00\nLast Submission:2024-08-14T01:03:36.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771858545",
        "uuid": "04e67d1e-ed1b-41db-b828-ab9e3f143b7f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "This KillDisk sample executes a destructive disk overwrite function.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771858545",
            "to_ids": true,
            "type": "md5",
            "uuid": "e04cbe79-134e-4360-ad34-404a9f4a3caf",
            "value": "108fedcb6aa1e79eb0d2e2ef9bc60e7a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "This KillDisk sample executes a destructive disk overwrite function.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771854351",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7b06b4ba-a619-40c0-8a85-3d8e6d963949",
            "value": "aa0aaa7002bdfe261ced99342a6ee77e0afa2719",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "This KillDisk sample executes a destructive disk overwrite function.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771854351",
            "to_ids": true,
            "type": "sha256",
            "uuid": "e7753427-0fb1-4049-9461-3f47159981c2",
            "value": "30862ab7aaa6755b8fab0922ea819fb48487c063bea4a84174afbbd65ce26b86",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771850293",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "268f3474-cfea-4953-88dd-5e2d99045c5f",
            "value": "1536:Qs/rn8gU/M3p1thokZGqKTRSpEvMfC6+iLPLvXta:wdwhURSpUMfCvirLPta"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771850293",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f5ef5ca7-ba31-4968-a0b7-d3b13af33a84",
            "value": "110592"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771850293",
            "to_ids": true,
            "type": "vhash",
            "uuid": "6ea80e3e-cc5f-4ad5-9062-ec49ff1b563d",
            "value": "015046655d151138z73bz23z13z1fz"
          },
          {
            "category": "Payload delivery",
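            "comment": "svchost.exe is also the name of the legitimate Windows Service Host binary, so a filename match alone cannot identify this sample; use the hashes in this object.",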
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771850293",
            "to_ids": true,
            "type": "filename",
            "uuid": "2387db34-cb1f-4b4c-8c31-7d47808b7d1b",
            "value": "svchost.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2026\nLast-scan\t:  11/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771850293",
            "to_ids": false,
            "type": "text",
            "uuid": "98c88508-70c7-4749-864e-bd5313ad7c5b",
            "value": "This KillDisk sample executes a destructive disk overwrite function.\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Dynamer!ac\nVT Total Detection:60/72\nFirst Submission:2016-03-22T11:54:29.000000+00:00\nLast Submission:2016-07-18T07:56:10.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771858567",
        "uuid": "09095c37-7cfb-4a8f-b808-94e6c4777b9d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "This KillDisk sample executes a destructive disk overwrite function",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771858567",
            "to_ids": true,
            "type": "md5",
            "uuid": "99b3b18b-57fe-498c-836e-d8f36e3b034c",
            "value": "72bd40cd60769baffd412b84acc03372",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "This KillDisk sample executes a destructive disk overwrite function",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771854352",
            "to_ids": true,
            "type": "sha1",
            "uuid": "5e45d67a-ed45-43e1-b979-be3d4dbda32f",
            "value": "8ad6f88c5813c2b4cd7abab1d6c056d95d6ac569",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "This KillDisk sample executes a destructive disk overwrite function",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771854352",
            "to_ids": true,
            "type": "sha256",
            "uuid": "0eba682a-8f37-43e0-b7a9-71a6d08244f7",
            "value": "f52869474834be5a6b5df7f8f0c46cbc7e9b22fa5cb30bee0f363ec6eb056b95",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771850315",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "aa1e0b2a-b5e6-44c5-ab56-343644a4dd2d",
            "value": "1536:vs/rn8gU/M3p1thokZGqKTRSpEvMfC6+iLPLvXta:5dwhURSpUMfCvirLPta"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771850315",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "594e3fa2-1b14-457f-b7ce-3d537a0b88e9",
            "value": "110592"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771850315",
            "to_ids": true,
            "type": "vhash",
            "uuid": "630fa52a-1c51-4d27-a68d-d83aad1200fd",
            "value": "015046655d151138z73bz23z13z1fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771850315",
            "to_ids": true,
            "type": "filename",
            "uuid": "52ee3378-f9f3-4034-9066-a23b1481abfb",
            "value": "release.bat"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2026\nLast-scan\t:  11/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771850315",
            "to_ids": false,
            "type": "text",
            "uuid": "1474a603-6ea8-44c7-83c2-2b66bd82f3af",
            "value": "This KillDisk sample executes a destructive disk overwrite function\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Dynamer!ac\nVT Total Detection:62/72\nFirst Submission:2015-11-10T09:31:41.000000+00:00\nLast Submission:2025-01-02T20:23:39.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771858589",
        "uuid": "58d4f1a5-0357-40e5-80a8-f488c3cbd107",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "This KillDisk sample executes a destructive disk overwrite function. In addition to destroying critical OS data, the sample also overwrites thousands of additional files, including log files",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771858589",
            "to_ids": true,
            "type": "md5",
            "uuid": "e3e418a9-3957-4d04-a773-ed768492d955",
            "value": "7361b64ddca90a1a1de43185bd509b64",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "This KillDisk sample executes a destructive disk overwrite function. In addition to destroying critical OS data, the sample also overwrites thousands of additional files, including log files",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771854354",
            "to_ids": true,
            "type": "sha1",
            "uuid": "a241bae4-164f-4aa6-b412-1572fbf7f738",
            "value": "f3e41eb94c4d72a98cd743bbb02d248f510ad925",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "This KillDisk sample executes a destructive disk overwrite function. In addition to destroying critical OS data, the sample also overwrites thousands of additional files, including log files",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771854354",
            "to_ids": true,
            "type": "sha256",
            "uuid": "9fdf80a8-cc22-4886-9328-bf9f95e87c38",
            "value": "c7536ab90621311b526aefd56003ef8e1166168f038307ae960346ce8f75203d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771850337",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "798d9470-9ca4-437e-9f2d-59cbabd698fc",
            "value": "1536:RFFgWOBN33zBLLCJ3qpgAXb84sXyA7oi0klOEI6toKtdw:9NEJlLLzLb4I6toKtdw"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771850337",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "dc39b125-74fc-4321-87cc-05ec5441eebf",
            "value": "98304"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771850337",
            "to_ids": true,
            "type": "vhash",
            "uuid": "930e5d15-a28a-4c59-a00d-9ebaaa97c946",
            "value": "094046655d151088z6dbz23z13z2fz"
          },
          {
            "category": "Payload delivery",
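            "comment": "NOTE(review): presumably a VirusTotal submission name rather than a filename observed on a victim host (the object's text attribute describes the sample as a Win32 EXE) - confirm. The name is generic; matching on it alone is prone to false positives.",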
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771850337",
            "to_ids": true,
            "type": "filename",
            "uuid": "c6e1a1be-c832-4b3b-aae4-0461d58b56f2",
            "value": "main.js"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2026\nLast-scan\t:  11/08/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771850337",
            "to_ids": false,
            "type": "text",
            "uuid": "0d4059ff-1a16-47dc-9e91-5054c0030c42",
            "value": "This KillDisk sample executes a destructive disk overwrite function. In addition to destroying critical OS data, the sample also overwrites thousands of additional files, including log files\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/KillDisk.M\nVT Total Detection:61/72\nFirst Submission:2015-12-23T22:34:19.000000+00:00\nLast Submission:2022-08-16T14:04:59.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771858610",
        "uuid": "dff79aee-b032-464a-a112-249a86e4a8fc",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "This KillDisk sample executes a destructive disk overwrite function",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771858610",
            "to_ids": true,
            "type": "md5",
            "uuid": "8dac0272-918a-4e7f-ab8f-0d18c229b202",
            "value": "cd1aa880f30f9b8bb6cf4d4f9e41ddf4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "This KillDisk sample executes a destructive disk overwrite function",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771854355",
            "to_ids": true,
            "type": "sha1",
            "uuid": "a649b722-a1f5-4668-81f3-7959e79969c0",
            "value": "16f44fac7e8bc94eccd7ad9692e6665ef540eec4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "This KillDisk sample executes a destructive disk overwrite function",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771854355",
            "to_ids": true,
            "type": "sha256",
            "uuid": "25f82425-cbc1-4a7f-b719-94e05f8c7108",
            "value": "5d2b1abc7c35de73375dd54a4ec5f0b060ca80a1831dac46ad411b4fe4eac4c6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771850359",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "eb9c1559-4258-45dd-a0a1-3a1623e38196",
            "value": "1536:Lu/ydBbJe7LkXIkTYkT+5FTd/+J85fUBGtml:aoY7LUTCTdGJOcQtml"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771850359",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "3e143bf6-9a1b-47ef-bbaa-f7e17a06d3bf",
            "value": "90112"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771850359",
            "to_ids": true,
            "type": "vhash",
            "uuid": "a1a04293-737c-40b6-94c0-a509ba8631e1",
            "value": "094046655d151148z7cz23z13z2fz"
          },
          {
            "category": "Payload delivery",
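            "comment": "NOTE(review): the value is only a file extension, presumably a truncated VirusTotal submission name - confirm. Matching on it alone is prone to false positives.",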
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771850359",
            "to_ids": true,
            "type": "filename",
            "uuid": "f8707773-13c3-4183-95c5-d64224c72d06",
            "value": ".bat"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2026\nLast-scan\t:  11/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771850359",
            "to_ids": false,
            "type": "text",
            "uuid": "d05e851d-ab22-4f99-8a78-e59d1b0122cc",
            "value": "This KillDisk sample executes a destructive disk overwrite function\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Malagent!MSR\nVT Total Detection:61/72\nFirst Submission:2015-10-25T01:31:24.000000+00:00\nLast Submission:2025-01-02T20:24:59.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771858632",
        "uuid": "e9a4e269-8c02-47dd-9f79-7a819e32c68a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "This KillDisk sample executes a destructive disk overwrite function. In addition to destroying critical OS data, the sample also overwrites thousands of additional files, including log files",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771858632",
            "to_ids": true,
            "type": "md5",
            "uuid": "65d59acc-3d44-4478-96f0-bb3651cfc956",
            "value": "66676deaa9dfe98f8497392064aefbab",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "This KillDisk sample executes a destructive disk overwrite function. In addition to destroying critical OS data, the sample also overwrites thousands of additional files, including log files",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771854356",
            "to_ids": true,
            "type": "sha1",
            "uuid": "dfcfd4ab-1b5d-48f8-a00c-9e1a68c44084",
            "value": "6d6ba221da5b1ae1e910bbeaa07bd44aff26a7c0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "This KillDisk sample executes a destructive disk overwrite function. In addition to destroying critical OS data, the sample also overwrites thousands of additional files, including log files",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771854357",
            "to_ids": true,
            "type": "sha256",
            "uuid": "507d9883-90a0-4899-93af-abb37562389d",
            "value": "11b7b8a7965b52ebb213b023b6772dd2c76c66893fc96a18a9a33c8cf125af80",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771850381",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "6b143c6b-c5db-4c03-9280-ba3a28e3a63e",
            "value": "1536:48cluldXhhm0ACyX5xgrkOTJ939LE1suyZNhtaDddO5yZbQwoBBmxGtTK:G+jmaagL39A1sfNPIv+y1QwoB8gtTK"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771850381",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "bbdb9f97-e1bd-4c7a-9687-c205b4310178",
            "value": "126976"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771850381",
            "to_ids": true,
            "type": "vhash",
            "uuid": "35207c08-ce4c-4901-898d-f485ad1886ff",
            "value": "015046651d151148z7cz23z13z2fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771850381",
            "to_ids": true,
            "type": "filename",
            "uuid": "a082631c-627f-495e-b388-8debce30faa8",
            "value": "ololo.bin"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2026\nLast-scan\t:  11/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771850381",
            "to_ids": false,
            "type": "text",
            "uuid": "e1f11528-4fb4-40d4-9fe2-ed481e52bced",
            "value": "This KillDisk sample executes a destructive disk overwrite function. In addition to destroying critical OS data, the sample also overwrites thousands of additional files, including log files\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Detplock\nVT Total Detection:61/72\nFirst Submission:2015-10-25T23:07:26.000000+00:00\nLast Submission:2025-01-02T20:24:49.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771854358",
        "uuid": "b31e191e-fd7d-48a4-b374-6ad11fa170f5",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "This is the shortcut file inserted in the startup folder and used to launch the FONTCACHE.DAT implant.\r\nNo sample in VT\r\nLast check:23/02/2026",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771854358",
            "to_ids": true,
            "type": "md5",
            "uuid": "92946bf3-3dac-4b9f-8a92-1287b3716066",
            "value": "bffd06a38a46c1fe2bde0317176f04b8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "No sample in VT\r\nLast check:23/02/2026",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771854358",
            "to_ids": true,
            "type": "sha1",
            "uuid": "969233cd-2cd7-4f1c-9512-9f12d18df8da",
            "value": "3feb426ac934f60eee4e08160d9c8bbe926c917e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771854358",
            "to_ids": true,
            "type": "sha256",
            "uuid": "62bfb1a6-542e-4392-8cad-c36d56b8b0c8",
            "value": "22735ffeb3472572f608e9a2625ec91735482d9423ea7a43ed32f8a39308eda8",
            "Tag": [
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771854030",
            "to_ids": false,
            "type": "text",
            "uuid": "ab691722-d94d-4eb2-8c9f-24eceef5c024",
            "value": "This is the shortcut file inserted in the startup folder and used to launch the FONTCACHE.DAT implant.\r\nFull infection routine details associated with this file are provided in Appendix B.4: BE3 Installer\r\n(VBA_macro.exe, Sample 2)."
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771854359",
        "uuid": "b038a52d-9135-4b22-a251-25f17b371242",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "This is the shortcut file inserted in the startup folder and used to launch the FONTCACHE.DAT implant.\r\nNo sample in VT\r\nLast check:23/02/2026",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771854359",
            "to_ids": true,
            "type": "md5",
            "uuid": "202896c3-5db5-48d7-80f1-355a5789df5a",
            "value": "40c74556c36fa14664d9059ad05ca9d3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "No sample in VT\r\nLast check:23/02/2026",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771854359",
            "to_ids": true,
            "type": "sha1",
            "uuid": "d15cf1c1-a9ae-43f3-8266-814e7400d0a2",
            "value": "f89ce5ba8e7b8587457848182ff1108b1255b87f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771854359",
            "to_ids": true,
            "type": "sha256",
            "uuid": "d49175ad-8b56-4d85-8b31-06cc3f456068",
            "value": "2872473b7144c2fb6910ebf48786c49f9d4f46117b9d2aaa517450fce940d0da",
            "Tag": [
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771854076",
            "to_ids": false,
            "type": "text",
            "uuid": "b092bc4b-75a0-40d3-9308-95aff087c63b",
            "value": "This is the shortcut file inserted in the startup folder and used to launch the FONTCACHE.DAT implant.\r\nFull infection routine details associated with this file are provided in Appendix B.3: BE3 Installer\r\n(VBA_macro.exe, Sample 1)."
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771854361",
        "uuid": "3e3b9ad1-91b3-421a-b8c9-e94c57a75e28",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "This is the encrypted configuration and on-disk-store file associated with BE2 Installer (Undisclosed... [description truncated])\r\nNo sample in VT\r\nLast check:23/02/2026",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771854361",
            "to_ids": true,
            "type": "md5",
            "uuid": "d3d47b33-dfbe-4dc9-a81c-3ad4a4c0b44d",
            "value": "01215f813d3e93ed7e3fc3fe369a6cd5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771854361",
            "to_ids": true,
            "type": "sha1",
            "uuid": "77fa62e0-c2ef-48fe-b042-3c5c50bbe589",
            "value": "63bf25190139bd307290c301304597bdeffa4351",
            "Tag": [
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771854361",
            "to_ids": true,
            "type": "sha256",
            "uuid": "81857383-4562-46ab-aa51-74fea26332b4",
            "value": "ad2e333141e4e7a800d725f06e25a58a683b42467645d65ba5a1cf377b4adcbe",
            "Tag": [
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771854124",
            "to_ids": false,
            "type": "text",
            "uuid": "8c1eb833-75f8-45ec-9a37-3e5a42ab5a7d",
            "value": "This is the encrypted configuration and on-disk-store file associated with Appendix B.5: BE2\r\nInstaller (Undisclosed).\r\nFull infection routine details are provided in Appendix B.5: BE2 Installer (Undisclosed)."
          }
        ]
      }
    ]
  }
}