{
  "Event": {
    "analysis": "1",
    "date": "2017-06-13",
    "extends_uuid": "3552e71b-675c-4291-afbf-8399ac6af719",
    "info": "[Threat Intel] CRASHOVERRIDE Analyzing the Threat to Electric Grid Operations",
    "protected": false,
    "publish_timestamp": "1772419960",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1772419957",
    "uuid": "40973d6f-3aef-4204-a9fe-9f9df4f5cef2",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"Dragos\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Electric\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Ukraine\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Industroyer\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-software=\"Industroyer\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#190061",
        "local": false,
        "name": "rectifyq:topic=\"ics-ot\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Data Destruction\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Loss of Control\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Loss of View\"",
        "relationship_type": ""
      },
      {
        "colour": "#3500ca",
        "local": false,
        "name": "rectifyq:detection-rules=\"yara-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#f63636",
        "local": false,
        "name": "ICS-specific",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Industrial\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771859266",
        "to_ids": false,
        "type": "link",
        "uuid": "413ba261-de42-40bd-980b-5529ce9e2390",
        "value": "https://web.archive.org/web/20190926041500/https://dragos.com/wp-content/uploads/CrashOverride-01.pdf"
      },
      {
        "category": "Artifacts dropped",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771859470",
        "to_ids": false,
        "type": "mutex",
        "uuid": "606dd1a1-e8a3-4459-aa73-8aa9652cd1fa",
        "value": "ApiPortection9d3"
      },
      {
        "category": "Network activity",
        "comment": "External C2 server [DEC 2016] (likely TOR node at time of attack)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771877358",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "ffff4ccb-dfd8-4dcf-9a2f-4a65c313fd8c",
        "value": "195.16.88.6",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "External C2 server [DEC 2016] (likely TOR node at time of attack)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771877379",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "90a7e8aa-4f86-4d04-8d3e-3ea0458b0358",
        "value": "93.115.27.57",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "External C2 server [DEC 2016] (likely TOR node at time of attack)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771877401",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "30a66ac4-d389-44dc-8114-700b124c9ce9",
        "value": "5.39.218.152",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "On port 443",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771859548",
        "to_ids": true,
        "type": "ip-dst|port",
        "uuid": "78f450c7-9864-4024-a930-a83f7d4640c2",
        "value": "5.39.218.152|443"
      },
      {
        "category": "Network activity",
        "comment": "On port 443",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771859548",
        "to_ids": true,
        "type": "ip-dst|port",
        "uuid": "031b4bce-b96a-4bec-adbb-ead679b7a0f1",
        "value": "93.115.27.57|443"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1771860128",
        "uuid": "a3b461e5-efe3-48e2-bed0-34eda4b7258a",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1771860128",
            "to_ids": false,
            "type": "text",
            "uuid": "5f4a7b98-52ba-42d1-8171-272dab406ef5",
            "value": "dragos_crashoverride_exporting_dlls"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1771860128",
            "to_ids": false,
            "type": "comment",
            "uuid": "0663fc35-6fd3-4ef8-bfe9-b36afda7f3bf",
            "value": "CRASHOVERRIDE v1 Suspicious Export"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1771860128",
            "to_ids": true,
            "type": "yara",
            "uuid": "001343fc-8d54-4861-bd12-c5dc3e1a47fb",
            "value": "import \u201cpe\u201d\r\nimport \u201chash\u201d\r\nrule dragos_crashoverride_exporting_dlls\r\n{\r\n\tmeta:\r\n\t\tdescription = \u201cCRASHOVERRIDE v1 Suspicious Export\u201d\r\n\t\tauthor = \u201cDragos Inc\u201d\r\n\tcondition:\r\n\t\tpe.exports(\u201cCrash\u201d) & pe.characteristics\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1771860165",
        "uuid": "626f2f47-4d81-474f-a725-35a3af373f0e",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1771860165",
            "to_ids": false,
            "type": "text",
            "uuid": "bcc150ae-4579-4e40-82ef-c1aba050e14b",
            "value": "dragos_crashoverride_suspcious"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1771860165",
            "to_ids": false,
            "type": "comment",
            "uuid": "1b6fce06-b473-4056-84ff-3b4ea996ebe8",
            "value": "CRASHOVERRIDE v1 Wiper"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1771860165",
            "to_ids": true,
            "type": "yara",
            "uuid": "1a00ac0c-1f5b-40ad-826e-1f3583dfbd90",
            "value": "import \u201cpe\u201d\r\nrule dragos_crashoverride_suspcious\r\n{\r\n\tmeta:\r\n\t\tdescription = \u201cCRASHOVERRIDE v1 Wiper\u201d\r\n\t\tauthor = \u201cDragos Inc\u201d\r\n\tstrings:\r\n\t\t$s0 = \u201cSYS_BASCON.COM\u201d fullword nocase wide\r\n\t\t$s1 = \u201c.pcmp\u201d fullword nocase wide\r\n\t\t$s2 = \u201c.pcmi\u201d fullword nocase wide\r\n\t\t$s3 = \u201c.pcmt\u201d fullword nocase wide\r\n\t\t$s4 = \u201c.cin\u201d fullword nocase wide\r\n\tcondition:\r\n\t\tpe.exports(\u201cCrash\u201d) and any of ($s*)\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1771860204",
        "uuid": "9ff3dcd6-e93c-4c20-a5fb-818e0db2a4fc",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1771860204",
            "to_ids": false,
            "type": "text",
            "uuid": "ccb7a0db-f50b-493b-a2a4-bec6bb6541a8",
            "value": "dragos_crashoverride_name_search"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1771860204",
            "to_ids": false,
            "type": "comment",
            "uuid": "c920e0cf-4026-4569-9553-d0f25ed7c01e",
            "value": "CRASHOVERRIDE v1 Suspicious Strings and Export"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1771860204",
            "to_ids": true,
            "type": "yara",
            "uuid": "ae78b076-e3c9-46b9-a99f-5609252d5944",
            "value": "import \"pe\"\r\nrule dragos_crashoverride_name_search {\r\n\tmeta:\r\n\t\tdescription = \u201cCRASHOVERRIDE v1 Suspicious Strings and Export\u201d\r\n\t\tauthor = \u201cDragos Inc\u201d\r\n\tstrings:\r\n\t\t$s0 = \u201c101.dll\u201d fullword nocase wide\r\n\t\t$s1 = \u201cCrash101.dll\u201d fullword nocase wide\r\n\t\t$s2 = \u201c104.dll\u201d fullword nocase wide\r\n\t\t$s3 = \u201cCrash104.dll\u201d fullword nocase wide\r\n\t\t$s4 = \u201c61850.dll\u201d fullword nocase wide\r\n\t\t$s5 = \u201cCrash61850.dll\u201d fullword nocase wide\r\n\t\t$s6 = \u201cOPCClientDemo.dll\u201d fullword nocase wide\r\n\t\t$s7 = \u201cOPC\u201d fullword nocase wide\r\n\t\t$s8 = \u201cCrashOPCClientDemo.dll\u201d fullword nocase wide\r\n\t\t$s9 = \u201cD2MultiCommService.exe\u201d fullword nocase wide\r\n\t\t$s10 = \u201cCrashD2MultiCommService.exe\u201d fullword nocase wide\r\n\t\t$s11 = \u201c61850.exe\u201d fullword nocase wide\r\n\t\t$s12 = \u201cOPC.exe\u201d fullword nocase wide\r\n\t\t$s13 = \u201chaslo.exe\u201d fullword nocase wide\r\n\t\t$s14 = \u201chaslo.dat\u201d fullword nocase wide\r\n\tcondition:\r\n\t\tany of ($s*) and pe.exports(\u201cCrash\u201d)\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1771860237",
        "uuid": "c4be720e-27c8-4ee6-a742-eb5e10ba465d",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1771860237",
            "to_ids": false,
            "type": "text",
            "uuid": "576076be-e79a-4141-adca-cbe47871053d",
            "value": "dragos_crashoverride_hashes"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1771860237",
            "to_ids": false,
            "type": "comment",
            "uuid": "4feebb70-a358-48af-aa2c-45c2c26bdf8f",
            "value": "CRASHOVERRIDE Malware Hashes"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1771860237",
            "to_ids": true,
            "type": "yara",
            "uuid": "00003266-d434-49a2-8d9a-3cc88372f4a0",
            "value": "import \"hash\"\r\nrule dragos_crashoverride_hashes {\r\n\tmeta:\r\n\t\tdescription = \"CRASHOVERRIDE Malware Hashes\"\r\n\t\tauthor = \"Dragos Inc\"\r\n\tcondition:\r\n\t\tfilesize < 1MB and\r\n\t\thash.shal (0, filesize) == \"f6c21f8189ced6ae150f9ef2e82a3a57843b587d\" or\r\n\t\thash.shal (0, filesize) == \"cccce62996d578b984984426a024d9b250237533\" or\r\n\t\thash.shal(0, filesize) == \"8e39eca1e48240c01ee570631ae8f0c9a9637187\" or\r\n\t\thash.shal (0, filesize) \"2cb8230281b86fa944d3043ae906016c8b5984d9\" or\r\n\t\thash.shal (0, filesize) == \"79ca89711cdaedb16b0ccccfdcfbd6aa7e57120a\" or\r\n\t\thash.shal(0, filesize) == \"94488f214b165512d2fc0438a581f5c9e3bd4d4c\" or\r\n\t\thash.shal (0, filesize) == \"5a5fafbc3fec8d36fd57b075ebf34119ba3bff04\" or\r\n\t\thash.shal (0, filesize) \"b92149f046f00bb69de329b8457d32c24726ee00\" or\r\n\t\thash.shal (0, filesize) == \"b335163e6eb854df5e08e85026b2c3518891eda8\"\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1771860258",
        "uuid": "58a5d17b-702a-4b33-8bb0-66898d9ff0d5",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1771860258",
            "to_ids": false,
            "type": "text",
            "uuid": "6e0ae1e8-b3b1-44ee-b3ab-b9a1579c5be3",
            "value": "dragos_crashoverride_moduleStrings"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1771860258",
            "to_ids": false,
            "type": "comment",
            "uuid": "b4f2e371-08a5-4105-b30c-ddc81544f865",
            "value": "IEC-104 Interaction Module Program Strings"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1771860258",
            "to_ids": true,
            "type": "yara",
            "uuid": "603d26cf-dc42-43c0-a6f6-96ef7506ae78",
            "value": "rule dragos_crashoverride_moduleStrings {\r\n\tmeta:\r\n\t\tdescription = \u201cIEC-104 Interaction Module Program Strings\u201d\r\n\t\tauthor = \u201cDragos Inc\u201d\r\n\tstrings:\r\n\t\t$s1 = \u201cIEC-104 client: ip=%s; port=%s; ASDU=%u\u201d nocase wide ascii\r\n\t\t$s2 = \u201c MSTR ->> SLV\u201d nocase wide ascii\r\n\t\t$s3 = \u201c MSTR <<- SLV\u201d nocase wide ascii\r\n\t\t$s4 = \u201cUnknown APDU format !!!\u201d nocase wide ascii\r\n\t\t$s5 = \u201ciec104.log\u201d nocase wide ascii\r\n\tcondition:\r\n\t\tany of ($s*)\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1771860275",
        "uuid": "f0e67636-a158-4b60-8a2b-4996a3bb18f4",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1771860275",
            "to_ids": false,
            "type": "text",
            "uuid": "7abbad43-36c0-47ca-9633-86b7591b75f6",
            "value": "dragos_crashoverride_configReader"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1771860275",
            "to_ids": false,
            "type": "comment",
            "uuid": "8e7de6ac-e99d-4525-b2ea-a7ff536f1967",
            "value": "dragos_crashoverride_configReader"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1771860275",
            "to_ids": true,
            "type": "yara",
            "uuid": "c75c0640-26df-4957-80ce-99cc00e1ccd7",
            "value": "rule dragos_crashoverride_configReader\r\n{\r\n\tmeta:\r\n\t\tauthor = \u201cDragos Inc\u201d\r\n\tstrings:\r\n\t\t$s0 = { 68 e8 ?? ?? ?? 6a 00 e8 a3 ?? ?? ?? 8b f8 83 c4 ?8 }\r\n\t\t$s1 = { 8a 10 3a 11 75 ?? 84 d2 74 12 }\r\n\t\t$s2 = { 33 c0 eb ?? 1b c0 83 c8 ?? }\r\n\t\t$s3 = { 85 c0 75 ?? 8d 95 ?? ?? ?? ?? 8b cf ?? ?? }\r\n\tcondition:\r\n\t\tall of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1771860290",
        "uuid": "2eefdb7d-c72e-4394-856d-2f2aadc0082a",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1771860290",
            "to_ids": false,
            "type": "text",
            "uuid": "15427f98-55c0-48d5-a0a0-f64822c18745",
            "value": "dragos_crashoverride_weirdMutex"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1771860290",
            "to_ids": false,
            "type": "comment",
            "uuid": "918d27f1-b6ca-493b-b5d4-e6016db629fb",
            "value": "Blank mutex creation assoicated with CRASHOVERRIDE"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1771860290",
            "to_ids": true,
            "type": "yara",
            "uuid": "0f7e0282-8c86-484b-952c-79d4ebf4c8ec",
            "value": "rule dragos_crashoverride_weirdMutex\r\n{\r\n\tmeta:\r\n\t\tdescription = \u201cBlank mutex creation assoicated with CRASHOVERRIDE\u201d\r\n\t\tauthor = \u201cDragos Inc\u201d\r\n\tstrings:\r\n\t\t$s1 = { 81 ec 08 02 00 00 57 33 ff 57 57 57 ff 15 ?? ?? 40 00 a3 ?? ?? ?? 00 85 c0 }\r\n\t\t$s2 = { 8d 85 ?? ?? ?? ff 50 57 57 6a 2e 57 ff 15 ?? ?? ?? 00 68 ?? ?? 40 00}\r\n\tcondition:\r\n\t\tall of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1771860313",
        "uuid": "8ddd5ba5-13e7-477c-97c9-e8a94ea6dae9",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1771860313",
            "to_ids": false,
            "type": "text",
            "uuid": "0a15b4d1-1b59-404c-9978-139564d77f7b",
            "value": "dragos_crashoverride_serviceStomper"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1771860313",
            "to_ids": false,
            "type": "comment",
            "uuid": "72287be7-e17d-4848-9ae8-fae239444493",
            "value": "Identify service hollowing and persistence setting"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1771860313",
            "to_ids": true,
            "type": "yara",
            "uuid": "677f1493-fed8-4fc5-b7ff-d0894d20de83",
            "value": "rule dragos_crashoverride_serviceStomper\r\n{\r\n\tmeta:\r\n\t\tdescription = \u201cIdentify service hollowing and persistence setting\u201d\r\n\t\tauthor = \u201cDragos Inc\u201d\r\n\tstrings:\r\n\t\t$s0 = { 33 c9 51 51 51 51 51 51 ?? ?? ?? }\r\n\t\t$s1 = { 6a ff 6a ff 6a ff 50 ff 15 24 ?? 40 00 ff ?? ?? ff 15 20 ?? 40 00 }\r\n\tcondition:\r\n\t\tall of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1771860332",
        "uuid": "e1ff46ba-d5cc-4d4b-8322-94ab00036b0a",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1771860332",
            "to_ids": false,
            "type": "text",
            "uuid": "aee23884-f5cd-4ee1-ba00-983f954b3f30",
            "value": "dragos_crashoverride_wiperModuleRegistry"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1771860332",
            "to_ids": false,
            "type": "comment",
            "uuid": "58402c73-307b-47a8-a69c-44582752aafb",
            "value": "Registry Wiper functionality assoicated with CRASHOVERRIDE"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1771860332",
            "to_ids": true,
            "type": "yara",
            "uuid": "00424abf-af53-49a3-ade5-f4e47ec3af40",
            "value": "rule dragos_crashoverride_wiperModuleRegistry\r\n{\r\n\tmeta:\r\n\t\tdescription = \u201cRegistry Wiper functionality assoicated with CRASHOVERRIDE\u201d\r\n\t\tauthor = \u201cDragos Inc\u201d\r\n\tstrings:\r\n\t\t$s0 = { 8d 85 a0 ?? ?? ?? 46 50 8d 85 a0 ?? ?? ?? 68 68 0d ?? ?? 50 }\r\n\t\t$s1 = { 6a 02 68 78 0b ?? ?? 6a 02 50 68 b4 0d ?? ?? ff b5 98 ?? ?? ?? ff 15 04 ?? ?? ?? }\r\n\t\t$s2 = { 68 00 02 00 00 8d 85 a0 ?? ?? ?? 50 56 ff b5 9c ?? ?? ?? ff 15 00 ?? ?? ?? 85 c0 }\r\n\tcondition:\r\n\t\tall of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1771860358",
        "uuid": "bceb1d47-b358-4112-86ce-ccfa61134026",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1771860358",
            "to_ids": false,
            "type": "text",
            "uuid": "9e9b5186-9b0c-41de-a8e8-cf204b0fc029",
            "value": "dragos_crashoverride_wiperFileManipulation"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1771860358",
            "to_ids": false,
            "type": "comment",
            "uuid": "0ac8631a-a70b-4e57-98d7-aef695ea6956",
            "value": "File manipulation actions associated with CRASHOVERRIDE wiper"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1771860358",
            "to_ids": true,
            "type": "yara",
            "uuid": "a32fd333-a1c6-4302-8d09-94595e0561cb",
            "value": "rule dragos_crashoverride_wiperFileManipulation\r\n{\r\n\tmeta:\r\n\t\tdescription = \"File manipulation actions associated with CRASHOVERRIDE wiper\u201d\r\n\t\tauthor = \u201cDragos Inc\u201d\r\n\tstrings:\r\n\t\t$s0 = { 6a 00 68 80 00 00 00 6a 03 6a 00 6a 02 8b f9 68 00 00 00 40 57 ff 15 1c ?? ?? ?? 8b d8 }\r\n\t\t$s2 = { 6a 00 50 57 56 53 ff 15 4c ?? ?? ?? 56 }\r\n\tcondition:\r\n\t\tall of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771877423",
        "uuid": "a70cd3b6-84c7-47e6-8513-b0c1cdc357ce",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Backdoor/RAT.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771877423",
            "to_ids": true,
            "type": "md5",
            "uuid": "76fe2b0a-028c-4b56-9736-ef5094128201",
            "value": "f67b65b9346ee75a26f491b70bf6091b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Backdoor/RAT.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771877342",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e504abd7-0560-493e-a56f-7d41c4f0a150",
            "value": "f6c21f8189ced6ae150f9ef2e82a3a57843b587d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Backdoor/RAT.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771877342",
            "to_ids": true,
            "type": "sha256",
            "uuid": "d671d434-4c37-4bb0-902b-c31abeea9084",
            "value": "37d54e3d5e8b838f366b9c202f75fa264611a12444e62ae759c31a0d041aa6e4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771877082",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "5f225a90-e325-46bd-a5be-4f3d501b1c0f",
            "value": "192:7YmE5zgvM3cGfjnhDVYPp6GSDyBESi3eiKxWvJCDpFnTZ0k:7YVgk3VjnFVRJp39GWJCDpFTZ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771877082",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "cc8d951f-0676-4c08-8680-461303246f11",
            "value": "10752"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771877082",
            "to_ids": true,
            "type": "vhash",
            "uuid": "72591043-1de7-4b30-afd3-79c21ce77e85",
            "value": "014056551d055550d8z27hz2020102fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771877082",
            "to_ids": true,
            "type": "filename",
            "uuid": "e456da73-233f-4d52-96f9-801f0518eddd",
            "value": "2max4.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-02-24\nLast scan: 2026-02-11",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771877082",
            "to_ids": false,
            "type": "text",
            "uuid": "668bba95-ed95-42ba-b753-72cca0aa6adb",
            "value": "Backdoor/RAT.\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride.A!dha\nVT Total Detection: 62/72\nFirst Submission: 2016-12-20T09:21:17.000000+00:00\nLast Submission: 2025-07-20T07:34:06.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771877445",
        "uuid": "1792e452-a0dc-4e90-88e4-8ae92cec5a8a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Backdoor/RAT.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771877445",
            "to_ids": true,
            "type": "md5",
            "uuid": "11fdeb9e-8844-4599-a7e8-09a85632b858",
            "value": "fc4fe1b933183c4c613d34ffdb5fe758",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Backdoor/RAT.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771877344",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e6d63878-eb3b-421a-a380-9cbb2a332513",
            "value": "cccce62996d578b984984426a024d9b250237533",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Backdoor/RAT.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771877344",
            "to_ids": true,
            "type": "sha256",
            "uuid": "3972e84e-9d62-467c-a27c-010848ba0d9d",
            "value": "6d707e647427f1ff4a7a9420188a8831f433ad8c5325dc8b8cc6fc5e7f1f6f47",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771877104",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "3b7f782a-3f04-4aa2-981b-30dd4122a43a",
            "value": "192:JYmE5zgvM3cGfjntdYOapCGSDyBE+di3eKKxWvJCDpFnTZ0k:JYVgk3VjntdfhJ+03xGWJCDpFTZ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771877104",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "1d7701a2-ccae-4852-817b-e7deca6b9967",
            "value": "10752"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771877104",
            "to_ids": true,
            "type": "vhash",
            "uuid": "f474d8a1-d1fe-44aa-95f4-cc91576af275",
            "value": "014056551d055550d8z27hz2020102fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771877104",
            "to_ids": true,
            "type": "filename",
            "uuid": "bfce3a1b-5825-4857-b20e-b41a3579fd37",
            "value": "3s3fef0.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-02-24\nLast scan: 2026-02-11",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771877104",
            "to_ids": false,
            "type": "text",
            "uuid": "3b722841-0c2a-4239-8a51-1c53e38a7c26",
            "value": "Backdoor/RAT.\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride.A!dha\nVT Total Detection: 53/72\nFirst Submission: 2016-12-18T14:07:28.000000+00:00\nLast Submission: 2024-09-26T13:11:04.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771877466",
        "uuid": "cfaab6e7-79b5-41d3-977f-319bbca0b911",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Backdoor/RAT.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771877466",
            "to_ids": true,
            "type": "md5",
            "uuid": "612a4d5d-7a57-4292-85cb-dbfb689b2e5e",
            "value": "11a67ff9ad6006bd44f08bcc125fb61e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Backdoor/RAT.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771877344",
            "to_ids": true,
            "type": "sha1",
            "uuid": "3d78643c-f807-4744-a8e8-4321fafbf7e3",
            "value": "8e39eca1e48240c01ee570631ae8f0c9a9637187",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Backdoor/RAT.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771877345",
            "to_ids": true,
            "type": "sha256",
            "uuid": "edc613cf-0d4a-41d4-8865-f37b51f57ab8",
            "value": "3e3ab9674142dec46ce389e9e759b6484e847f5c1e1fc682fc638fc837c13571",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771877125",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "2e679a8c-9b11-4487-805f-e61b44c8e20b",
            "value": "1536:65kQyQKkuX+tRahJBQknNpZj5OnBFAjzfNT36Akr8fMDQJ9sWm4CfcdIcNhBE1:65kQyQKkuX+tA7j5OBWHVTqJrrDwPCOu"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771877125",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "8531cd7f-8a43-4a50-afca-ebf75996a1c1",
            "value": "88576"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771877125",
            "to_ids": true,
            "type": "vhash",
            "uuid": "57e26943-a100-4158-82d5-79dea820294f",
            "value": "084066655d151555619z58hz2020102fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771877125",
            "to_ids": true,
            "type": "filename",
            "uuid": "067ca237-3ea8-400b-b9c6-6d64ab4f1edc",
            "value": "usw4eo.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-02-24\nLast scan: 2026-02-06",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771877125",
            "to_ids": false,
            "type": "text",
            "uuid": "28cab111-7116-4ce9-8e75-a4b9617f475c",
            "value": "Backdoor/RAT.\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride.A!dha\nVT Total Detection: 62/72\nFirst Submission: 2016-12-18T14:05:39.000000+00:00\nLast Submission: 2025-06-23T02:41:20.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771877487",
        "uuid": "365e2ed0-2920-4507-bdd9-567b816f7241",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Backdoor/RAT.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771877487",
            "to_ids": true,
            "type": "md5",
            "uuid": "8f0412d4-4536-4120-bcdd-745ecd2f5e82",
            "value": "ff69615e3a8d7ddcdc4b7bf94d6c7ffb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Backdoor/RAT.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771877346",
            "to_ids": true,
            "type": "sha1",
            "uuid": "fb16c9bf-64bc-4ed5-981b-938ea6137c0b",
            "value": "2cb8230281b86fa944d3043ae906016c8b5984d9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Backdoor/RAT.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771877346",
            "to_ids": true,
            "type": "sha256",
            "uuid": "be9197c3-63a9-4c7a-9188-57b968e1724c",
            "value": "ecaf150e087ddff0ec6463c92f7f6cca23cc4fd30fe34c10b3cb7c2a6d135c77",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771877147",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f2ae19cb-8720-4219-beb9-44bccd4f0762",
            "value": "1536:4mlzHdKCtCgl4DgBbAhSk/NOoBD+niVAjzfNT36WBrMf4QJKLsWhcdIyeGvm3VAN:4mVHdKCtCa9xCBD+iGHVTq2rPwKmIyI0"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771877147",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "877ad4cd-122d-4e61-92b3-40799fcc9ff1",
            "value": "89088"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771877147",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d1788b3b-d8b9-47e9-824e-488ba147679e",
            "value": "084066655d151555619z58hz2020102fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771877147",
            "to_ids": true,
            "type": "filename",
            "uuid": "d4bf0aa5-6bb8-494c-a28f-592a0b3f14bb",
            "value": "cigjy0.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-02-24\nLast scan: 2026-02-06",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771877147",
            "to_ids": false,
            "type": "text",
            "uuid": "efbc2772-7a54-4c08-9ba9-662c69e3f4e6",
            "value": "Backdoor/RAT.\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride.A!dha\nVT Total Detection: 64/72\nFirst Submission: 2016-12-18T14:08:21.000000+00:00\nLast Submission: 2024-08-06T08:33:13.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771877509",
        "uuid": "32639686-ec5b-4b4a-b7d4-d874a3672fe6",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Launcher for payload DLL. Takes input as three command line parameters \u2013 working directory, module, and config file.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771877509",
            "to_ids": true,
            "type": "md5",
            "uuid": "549b6cac-c9a5-4664-8d67-50d89466af6f",
            "value": "f9005f8e9d9b854491eb2fbbd06a16e0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Launcher for payload DLL. Takes input as three command line parameters \u2013 working directory, module, and config file.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771877347",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e16eceae-4051-49c4-adfc-c561df5cbb54",
            "value": "79ca89711cdaedb16b0ccccfdcfbd6aa7e57120a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Launcher for payload DLL. Takes input as three command line parameters \u2013 working directory, module, and config file.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771877347",
            "to_ids": true,
            "type": "sha256",
            "uuid": "adf05983-0ff0-42f4-b9f5-3d8e8adf59d8",
            "value": "21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771877169",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "1ada332e-f4c8-4afa-bf36-ae0a8efb077a",
            "value": "1536:1730kyqC5KnUjdA6j/WZW9UaBECv6lQJnCsW1wnLcd2AhNs6Qaw:dnUjKm+49UaCCkwvna2AhNsNT"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771877169",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "5df1a44b-5805-42c0-9415-13cad514a875",
            "value": "74240"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771877169",
            "to_ids": true,
            "type": "vhash",
            "uuid": "45936566-77f3-43e1-a485-f4f9620c3f4d",
            "value": "074066655d1515556038z51hz1lz"
          },
          {
            "category": "Payload delivery",
            "comment": "Filename is the sample's SHA-256 with .exe appended (a repository/sandbox naming convention), not a name observed on a victim host; treat as a weak indicator and do not rely on it for detection.",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771877169",
            "to_ids": true,
            "type": "filename",
            "uuid": "cca3cb93-31dc-4c36-aae2-81cb3b644bea",
            "value": "21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-02-24\nLast scan: 2026-02-06",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771877169",
            "to_ids": false,
            "type": "text",
            "uuid": "04ebef83-1958-4c75-a6e2-04a872842668",
            "value": "Launcher for payload DLL. Takes input as three command line parameters \u2013 working directory, module, and config file.\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride.A\nVT Total Detection: 60/72\nFirst Submission: 2016-12-19T09:47:05.000000+00:00\nLast Submission: 2025-12-15T13:19:14.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771877530",
        "uuid": "8d6318b9-b9bc-4256-82ce-ed65ee442b1b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Module for the 104 effect; exports 'Crash', which is invoked by the launcher. Functionality requires a config file.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771877530",
            "to_ids": true,
            "type": "md5",
            "uuid": "db41629f-a57a-45b1-88db-55b9833aa0e2",
            "value": "a193184e61e34e2bc36289deaafdec37",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Module for the 104 effect; exports 'Crash', which is invoked by the launcher. Functionality requires a config file.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771877349",
            "to_ids": true,
            "type": "sha1",
            "uuid": "ffebfca6-3153-4303-b27c-4a376fed7212",
            "value": "94488f214b165512d2fc0438a581f5c9e3bd4d4c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Module for the 104 effect; exports 'Crash', which is invoked by the launcher. Functionality requires a config file.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771877349",
            "to_ids": true,
            "type": "sha256",
            "uuid": "e6cca0f6-ef78-496f-aa4d-861598bce651",
            "value": "7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771877190",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "8d72ba41-e234-468a-87e4-31dd2c01c44e",
            "value": "3072:McaprOfoaXmgD31r4VWBvRZoiTprUZNZ9VQ6s6W9:McuOJ2gD31QW51pgE6st9"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771877190",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "8ed79019-e6f2-403b-94dd-0bb3f1fa4852",
            "value": "136704"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771877190",
            "to_ids": true,
            "type": "vhash",
            "uuid": "2978f5b8-83f1-4290-99ec-70162cd3f31c",
            "value": "115066655d1515556az4dvza6z1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771877190",
            "to_ids": true,
            "type": "filename",
            "uuid": "f7763216-5f40-4168-97ae-c0d84d988402",
            "value": "fxrhgtw.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/02/2026\nLast-scan\t:  20/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771877190",
            "to_ids": false,
            "type": "text",
            "uuid": "864dc428-f156-4b90-9c94-24c03d1d39d0",
            "value": "Module for 104 effect, Export 'Crash' which is invoked by launcher. Functionality requires config file.\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/CrashOverride.A\nVT Total Detection:58/72\nFirst Submission:2016-12-19T10:06:04.000000+00:00\nLast Submission:2025-07-08T03:25:33.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771877552",
        "uuid": "3a62194c-eb70-4fa5-a6a6-7a9d1ad26313",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Wiper module, wipes list of files by extension, removes system processes, and makes registry changes to prevent system boot.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771877552",
            "to_ids": true,
            "type": "md5",
            "uuid": "e0290205-d431-4186-a90e-54a8cf69101f",
            "value": "ab17f2b17c57b731cb930243589ab0cf",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Wiper module, wipes list of files by extension, removes system processes, and makes registry changes to prevent system boot.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771877350",
            "to_ids": true,
            "type": "sha1",
            "uuid": "2993ca0f-b1b1-4ac9-a349-164d231c68ca",
            "value": "5a5fafbc3fec8d36fd57b075ebf34119ba3bff04",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Wiper module, wipes list of files by extension, removes system processes, and makes registry changes to prevent system boot.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771877350",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b3c1fbf0-ea7f-4d7a-9fc9-7527a88c767a",
            "value": "018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771877212",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "02139719-1f42-40f6-883c-d7272a710e91",
            "value": "1536:ipIv8wiD3kkZZpgq8QK8mfkCwbq4QY1sWfScdAUehZfh9UQ:kwPQ6MbtF3TAUehZZ9J"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771877212",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "24da9d32-bdd3-4385-bd25-e81cb55001c1",
            "value": "75776"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771877212",
            "to_ids": true,
            "type": "vhash",
            "uuid": "e3d0990b-d020-40f9-816e-bd218d2b8a75",
            "value": "174066655d1515556048z4bbz15z21z1ez1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771877212",
            "to_ids": true,
            "type": "filename",
            "uuid": "5ab5a387-b32f-40c8-80d3-840e83fe6242",
            "value": "exkko.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/02/2026\nLast-scan\t:  06/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771877212",
            "to_ids": false,
            "type": "text",
            "uuid": "9c9741e7-f376-472d-b31d-7cea4e41a2f5",
            "value": "Wiper module, wipes list of files by extension, removes system processes, and makes registry changes to prevent system boot.\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/CrashOverride.A!dha\nVT Total Detection:61/72\nFirst Submission:2016-12-19T11:06:32.000000+00:00\nLast Submission:2024-05-08T00:31:06.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771877573",
        "uuid": "e6b64c59-a9ff-46a3-9d24-c54afb151ee0",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Wiper module, wipes list of files by extension, removes system processes, and makes registry changes to prevent system boot.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771877573",
            "to_ids": true,
            "type": "md5",
            "uuid": "1c00b5d3-6cab-4d33-b4d2-47bead64d75e",
            "value": "7a7ace486dbb046f588331a08e869d58",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Wiper module, wipes list of files by extension, removes system processes, and makes registry changes to prevent system boot.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771877352",
            "to_ids": true,
            "type": "sha1",
            "uuid": "04dbd4fe-0f69-4d29-ae04-7086e1058ec1",
            "value": "b92149f046f00bb69de329b8457d32c24726ee00",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Wiper module, wipes list of files by extension, removes system processes, and makes registry changes to prevent system boot.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771877352",
            "to_ids": true,
            "type": "sha256",
            "uuid": "9f464b4c-1d7b-40e9-a65a-9ae900dd9409",
            "value": "ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771877234",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "3f8c6351-7b92-4423-a070-5486e7382ea4",
            "value": "1536:txjX3k9R4Bdde5eFN73+WmS3UJ64b69AQJRCsWmcd2jjGVjpU:jddewFVO1S3I64LwRg2jjGJK"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771877234",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "678b9f0d-4165-4eb9-ab19-3341570ab216",
            "value": "76800"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771877234",
            "to_ids": true,
            "type": "vhash",
            "uuid": "068fdebe-622e-4b55-a83f-d5b257d35f86",
            "value": "074066655d1515556048z49bz15z21z1ez1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771877234",
            "to_ids": true,
            "type": "filename",
            "uuid": "88243202-3c78-4bdd-9f71-c5809f5c4c22",
            "value": "625yo1.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/02/2026\nLast-scan\t:  15/09/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771877234",
            "to_ids": false,
            "type": "text",
            "uuid": "0a77b2a6-02fa-42aa-90d2-d1c5a570aaed",
            "value": "Wiper module, wipes list of files by extension, removes system processes, and makes registry changes to prevent system boot.\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride.A!dha\nVT Total Detection:65/72\nFirst Submission:2016-12-19T09:58:43.000000+00:00\nLast Submission:2023-06-19T08:39:00.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771877594",
        "uuid": "277ed44b-5fc8-4010-a79b-fced8afcbdf7",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Custom-built port scanner.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771877594",
            "to_ids": true,
            "type": "md5",
            "uuid": "69a6dad8-dfd8-4cb1-8fe5-a24b5e9a7a99",
            "value": "497de9d388d23bf8ae7230d80652af69",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Custom-built port scanner.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771877353",
            "to_ids": true,
            "type": "sha1",
            "uuid": "af1ecb53-e152-463b-a01c-fcc734625f45",
            "value": "b335163e6eb854df5e08e85026b2c3518891eda8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Custom-built port scanner.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771877353",
            "to_ids": true,
            "type": "sha256",
            "uuid": "90a5dab3-56e2-4fec-be10-c01d74efe7f6",
            "value": "893e4cca7fe58191d2f6722b383b5e8009d3885b5913dcd2e3577e5a763cdb3f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771877256",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "01cec04f-60fa-4b7b-b6f7-b41eaa55f9dd",
            "value": "3072:+vEcGwRrYeqmIJ2Frd5yTutsJB8C2W+yJE608XXRh+60m6UpSe5B4:I/nRM+I0FrCBF2WFuNle5O"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771877256",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f2a6f4ae-07cd-4643-83f7-2d90c6d787da",
            "value": "174080"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771877256",
            "to_ids": true,
            "type": "vhash",
            "uuid": "8abc52bb-7f40-49f0-bfd5-c6545c27bf92",
            "value": "01503e0f7d1019z6vz17z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771877256",
            "to_ids": true,
            "type": "filename",
            "uuid": "4f66162a-2406-4742-9a83-3fe352284f8d",
            "value": "vef5dh.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/02/2026\nLast-scan\t:  06/03/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771877256",
            "to_ids": false,
            "type": "text",
            "uuid": "651cc8f9-5dc1-458d-8d88-af4f5d94268c",
            "value": "Custom-built port scanner.\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride.A\nVT Total Detection:61/72\nFirst Submission:2016-12-20T21:05:22.000000+00:00\nLast Submission:2025-03-11T11:46:30.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771877616",
        "uuid": "b12388f7-120a-44a6-af69-0b79867d1289",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "OPC Data Access protocol enumeration of servers and addresses",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771877616",
            "to_ids": true,
            "type": "md5",
            "uuid": "b3213597-af74-4114-861c-776faa39e0b2",
            "value": "36997bdef02b63d411d0bea0335c6899",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "OPC Data Access protocol enumeration of servers and addresses",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771877354",
            "to_ids": true,
            "type": "sha1",
            "uuid": "25d471ca-34e0-4dc9-b3f2-a827da0e6664",
            "value": "7fac2eddf22ff692e1b4e7f99910e5dbb51295e6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "OPC Data Access protocol enumeration of servers and addresses",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771877354",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a9845f22-d6b8-4ed5-90ce-aad779b20eeb",
            "value": "156bd34d713d0c8419a5da040b3c2dd48c4c6b00d8a47698e412db16b1ffac0f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771877278",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c54ab918-e918-49c7-a644-bac402fce8b9",
            "value": "3072:HM35lWVEFFaup+juJH6RVVVYBTOr83GqK8vbxU+HvaAg0FujoYVzYSwn:s35Q+FFhp+eaj7Y4rXayAOASw"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771877278",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7445f637-77a2-4b76-bf1d-ddaed2c5a6ed",
            "value": "245248"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771877278",
            "to_ids": true,
            "type": "vhash",
            "uuid": "f42b04ad-5c7d-4138-b887-5a5d6badd5bb",
            "value": "025066655d1d15556028z537z802tz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771877278",
            "to_ids": true,
            "type": "filename",
            "uuid": "ac9dd98b-ccbd-4426-9e28-69468a1dfc94",
            "value": "3A586EB6.vsc"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/02/2026\nLast-scan: 28/01/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771877278",
            "to_ids": false,
            "type": "text",
            "uuid": "6dcd9301-3c08-417f-8fc8-818a8d4e3a71",
            "value": "OPC Data Access protocol enumeration of servers and addresses\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride!dha\nVT Total Detection: 57/72\nFirst Submission: 2019-03-05T15:55:44.000000+00:00\nLast Submission: 2023-07-31T22:45:58.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771877637",
        "uuid": "66d7161a-ff36-491c-af51-ecad804afd59",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IEC-61850 enumeration and address manipulation",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771877637",
            "to_ids": true,
            "type": "md5",
            "uuid": "f51e4e25-0fe3-41de-80ef-de88a2ef2bc5",
            "value": "75c7e63c1389337aefe1170f7ccc1822",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IEC-61850 enumeration and address manipulation",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771877355",
            "to_ids": true,
            "type": "sha1",
            "uuid": "c3e30e57-7556-4036-ab3f-b1c34af37e02",
            "value": "ecf6adf20a7137a84a1b319ccaa97cb0809a8454",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IEC-61850 enumeration and address manipulation",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771877355",
            "to_ids": true,
            "type": "sha256",
            "uuid": "36f3713b-1cee-4d8d-b6a5-cfce1f7c9b4b",
            "value": "55e7471ad841bd8a110818760ea89af3bb456493f0798a54ce3b8e7b790afd0a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771877300",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d4c871c0-6132-4ec2-8378-599f382aeee9",
            "value": "3072:pTZuWpPwr7jPlHA9azECvXgEHAg0FujUORYws:RZu7r7TSwHAOZYw"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771877300",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "35f4a405-b6f5-4e3a-b467-4a91905df927",
            "value": "136704"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771877300",
            "to_ids": true,
            "type": "vhash",
            "uuid": "be6495ed-f82b-4cb0-8111-3d6ebefc09d9",
            "value": "015076655d151d15556az4anz15zf7z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771877300",
            "to_ids": true,
            "type": "filename",
            "uuid": "972f9d61-f8a5-4621-9dac-20257f21edb7",
            "value": "\u751f\u7522.js"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/02/2026\nLast-scan: 26/06/2023",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771877300",
            "to_ids": false,
            "type": "text",
            "uuid": "d45582ec-6a0d-4708-9a32-99328ed747c8",
            "value": "IEC-61850 enumeration and address manipulation\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride!dha\nVT Total Detection: 48/71\nFirst Submission: 2021-03-17T05:59:44.000000+00:00\nLast Submission: 2021-03-17T05:59:44.000000+00:00"
          }
        ]
      }
    ]
  }
}