{
  "Event": {
    "analysis": "1",
    "date": "2014-06-23",
    "extends_uuid": "",
    "info": "[Threat Intel] Havex Hunts For ICS/SCADA Systems",
    "protected": false,
    "publish_timestamp": "1772419464",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1772419460",
    "uuid": "58a08b1b-a911-4f45-ab3d-ce9d5c1b5973",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"WithSecure\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Havex RAT\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"CrowdStrike\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"ENERGETIC BEAR\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Energy\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-software=\"Backdoor.Oldrea, Havex\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Automated Collection\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Denial of Service\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Location Identification\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Point & Tag Identification\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Remote System Discovery\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Role Identification\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Spearphishing Attachment\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Supply Chain Compromise\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"User Execution\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#18005e",
        "local": false,
        "name": "rectifyq:topic=\"supply-chain\"",
        "relationship_type": ""
      },
      {
        "colour": "#190061",
        "local": false,
        "name": "rectifyq:topic=\"ics-ot\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#f6810a",
        "local": false,
        "name": "ICS-capable",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:country=\"russia\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"CISA\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"Trend Micro\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Industrial\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771735878",
        "to_ids": false,
        "type": "link",
        "uuid": "8c69194b-c29f-4168-a48c-6ae37822f870",
        "value": "https://web.archive.org/web/20250208004351/https://archive.f-secure.com/weblog/archives/00002718.html"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771736054",
        "to_ids": false,
        "type": "link",
        "uuid": "2f456b50-219a-4059-9b48-b4aacfc3a0c6",
        "value": "https://web.archive.org/web/20140421212722/http://www.crowdstrike.com/sites/all/themes/crowdstrike2/css/imgs/platform/CrowdStrike_Global_Threat_Report_2013.pdf"
      },
      {
        "category": "Network activity",
        "comment": "The attackers use compromised websites, mainly blogs, as C&C servers",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771736700",
        "to_ids": true,
        "type": "domain",
        "uuid": "06ced530-ee49-4742-9aa2-28054d8fb5d1",
        "value": "abainternationaltoursandtravel.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "The attackers use compromised websites, mainly blogs, as C&C servers",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771736722",
        "to_ids": true,
        "type": "domain",
        "uuid": "16dbb272-fc17-46ba-9a4b-2c27b67dafaa",
        "value": "adultfriendgermany.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "The attackers use compromised websites, mainly blogs, as C&C servers",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771736744",
        "to_ids": true,
        "type": "domain",
        "uuid": "7a1fe031-2fef-440c-8558-acdc0227f3d2",
        "value": "africancranesafaris.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "The attackers use compromised websites, mainly blogs, as C&C servers",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771736766",
        "to_ids": true,
        "type": "domain",
        "uuid": "dad5377c-51d1-4d08-b03a-033fbe95b286",
        "value": "alexvernigor.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "The attackers use compromised websites, mainly blogs, as C&C servers",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771736787",
        "to_ids": true,
        "type": "domain",
        "uuid": "d004c13b-2d9a-4d36-8fc2-426c3f4c8d2f",
        "value": "al-mashkoor.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "The attackers use compromised websites, mainly blogs, as C&C servers",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771736809",
        "to_ids": true,
        "type": "domain",
        "uuid": "f2a1b649-9f69-4f37-96c0-5886927cbf7f",
        "value": "alpikaclub.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "The attackers use compromised websites, mainly blogs, as C&C servers",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771736830",
        "to_ids": true,
        "type": "domain",
        "uuid": "50cfe764-de34-4743-9b2f-bad5bec0b71b",
        "value": "antibioticsdrugstore.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "The attackers use compromised websites, mainly blogs, as C&C servers",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771736852",
        "to_ids": true,
        "type": "domain",
        "uuid": "51a95a3d-a872-49ec-92b5-396c0708a6df",
        "value": "arsch-anus.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "The attackers use compromised websites, mainly blogs, as C&C servers",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771736873",
        "to_ids": true,
        "type": "hostname",
        "uuid": "68180c32-f30b-482f-8844-8438d2ec4863",
        "value": "artem.sataev.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "The attackers use compromised websites, mainly blogs, as C&C servers",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771736895",
        "to_ids": true,
        "type": "domain",
        "uuid": "0fc626fb-8b4c-4dbb-9bf6-a63d3e576eae",
        "value": "artsepid.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "The attackers use compromised websites, mainly blogs, as C&C servers",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771736916",
        "to_ids": true,
        "type": "domain",
        "uuid": "45bd76e7-2b6d-470e-8625-2e30c3e43675",
        "value": "ask.az",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "The attackers use compromised websites, mainly blogs, as C&C servers",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771736937",
        "to_ids": true,
        "type": "domain",
        "uuid": "26cd0880-b7d3-4f2d-96ab-1220c92d5673",
        "value": "atampy.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "The attackers use compromised websites, mainly blogs, as C&C servers",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771736959",
        "to_ids": true,
        "type": "domain",
        "uuid": "214a4838-1397-41f0-96ae-4fd0aea4d42d",
        "value": "aziaone.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771737027",
        "to_ids": false,
        "type": "link",
        "uuid": "63b6458e-43d7-4843-ac37-0850a90d6bc2",
        "value": "https://www.cisa.gov/news-events/ics-alerts/ics-alert-14-176-02"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771737027",
        "to_ids": false,
        "type": "link",
        "uuid": "85f89de6-47e3-46a1-a58c-0c7bda5faee1",
        "value": "https://www.cisa.gov/news-events/ics-alerts/ics-alert-14-176-02a"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771737027",
        "to_ids": false,
        "type": "link",
        "uuid": "d18604c6-f25e-4f9f-9c67-9ebb92f96eb2",
        "value": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-178-01"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771737162",
        "to_ids": false,
        "type": "link",
        "uuid": "718ad51c-c705-4e25-8ff6-989c0e1a4423",
        "value": "http://web.archive.org/web/20140912121123/http://www.digitalbond.com/blog/2014/07/02/havex-hype-unhelpful-mystery/"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771748058",
        "to_ids": false,
        "type": "link",
        "uuid": "ec6b723e-68ee-425c-a55e-a8b5b17b9aed",
        "value": "https://web.archive.org/web/20250308114415/https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/139/havex-targets-industrial-control-systems"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771736981",
        "uuid": "4ad2dd47-26cc-456f-b10a-dccc2c3ea3fb",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771736981",
            "to_ids": true,
            "type": "md5",
            "uuid": "c41b8253-422a-4dbc-b45a-79390b76458a",
            "value": "1d6b11f85debdda27e873662e721289e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771736695",
            "to_ids": true,
            "type": "sha1",
            "uuid": "2db2994e-7dc2-4cc8-be9d-c3afa39b1a6e",
            "value": "7f249736efc0c31c44e96fb72c1efcc028857ac7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771736695",
            "to_ids": true,
            "type": "sha256",
            "uuid": "7acbd1a7-34e8-4892-af6f-f6095b154992",
            "value": "0b74282d9c03affb25bbecf28d5155c582e246f0ce21be27b75504f1779707f5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771736528",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "6c7b90f9-cf5b-4c75-9eee-c5ac3861b201",
            "value": "24576:5g58zzwA2t2e38POXCzeaOTddd+QzTU2HktI5P1I9nDImcO6fBIJ:5gMZeGs8RO3dZQ2HAI5PG9nDImcO+M"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771736528",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "31bdade3-68ce-41a5-a268-709a0daa67d0",
            "value": "1141478"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771736528",
            "to_ids": true,
            "type": "vhash",
            "uuid": "430fb57c-0f78-43b2-b1e6-9346c71ea2fb",
            "value": "016056655d5c05709043z8003d7z47z62z3f03dz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771736528",
            "to_ids": true,
            "type": "filename",
            "uuid": "686b2f3a-261b-42cd-83a9-989fe19329a0",
            "value": "mbCHECK"
          },
          {
            "category": "Other",
            "comment": "Checked: 22/02/2026\nLast-scan: 27/01/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771736528",
            "to_ids": false,
            "type": "text",
            "uuid": "b79d146c-6b92-43ef-a993-91c745480652",
            "value": "Type Description: Win32 EXE\nMicrosoft: Backdoor:Win32/Havex.B\nVT Total Detection:55/72\nFirst Submission:2014-04-17T20:02:28.000000+00:00\nLast Submission:2025-07-16T10:42:52.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771737002",
        "uuid": "bf9900cd-b67c-4d1c-99ab-4acf6d49bd84",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771737002",
            "to_ids": true,
            "type": "md5",
            "uuid": "85be61da-2aa7-43c2-9ade-864607fb0bab",
            "value": "ba8da708b8784afd36c44bb5f1f436bc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771736695",
            "to_ids": true,
            "type": "sha1",
            "uuid": "20d683bf-dcf1-4fae-81fe-130ca33ba8ba",
            "value": "1c90ecf995a70af8f1d15e9c355b075b4800b4de",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771736696",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a86fa0d2-be5b-4d8e-b6e8-a429d2b9ae32",
            "value": "7933809aecb1a9d2110a6fd8a18009f2d9c58b3c7dbda770251096d4fcc18849",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771736549",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "15bebc17-380a-4763-ae51-4518e1f5ac8f",
            "value": "3072:e4XrKHxtu7gi1BlZQfSEKkPEdjgeP3wz9aZHi2UVL5nUXKcRoC:LORtu7gi/p7P3sQHPiVr"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771736549",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "1846c8cb-787d-46e5-afe1-4cb1ede5a788",
            "value": "251392"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771736549",
            "to_ids": true,
            "type": "vhash",
            "uuid": "1a39ef23-3936-4d95-b844-00e881e454d9",
            "value": "125056655d55655023z12z5f7z504sz1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771736549",
            "to_ids": true,
            "type": "filename",
            "uuid": "3e92c32a-15d9-4215-bd27-515dcb867f15",
            "value": "VTDL1C90ECF995A70AF8F1D15E9C355B075B4800B4DE.danger"
          },
          {
            "category": "Other",
            "comment": "Checked: 22/02/2026\nLast-scan: 12/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771736549",
            "to_ids": false,
            "type": "text",
            "uuid": "7b7f15d1-f844-435a-9bf0-fef668e2ef7c",
            "value": "Type Description: Win32 DLL\nMicrosoft: Backdoor:Win32/Havex.A\nVT Total Detection:56/72\nFirst Submission:2014-06-23T10:38:35.000000+00:00\nLast Submission:2024-05-23T08:26:28.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771737024",
        "uuid": "75dd3e1f-ab63-4356-8d62-ffff258b3265",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771737024",
            "to_ids": true,
            "type": "md5",
            "uuid": "bd74fa4a-f1a0-451d-ab4b-dcd41ce0a82f",
            "value": "6bfc42f7cb1364ef0bfd749776ac6d38",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771736697",
            "to_ids": true,
            "type": "sha1",
            "uuid": "3613411e-2a8d-4612-a2aa-619b795195ca",
            "value": "db8ed2922ba5f81a4d25edb7331ea8c0f0f349ae",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771736697",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a0dbbb66-8c59-4287-b417-e46709887607",
            "value": "6aca45bb78452cd78386b8fa78dbdf2dda7fba6cc06482251e2a6820849c9e82",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771736571",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "b5fcc6c7-2cfd-4d5f-b2f3-1948ebb77284",
            "value": "3072:A4XrKHxtu7gi1BlZQfSEKkPEdjgeP3wz9aZHi2UVL53UXDcRoC:dORtu7gi/p7P3sQHPidS"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771736571",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "e8c5ebc5-7cf2-47b5-99af-69820f569468",
            "value": "251392"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771736571",
            "to_ids": true,
            "type": "vhash",
            "uuid": "8f4bcdd5-ec4d-4c05-a97b-22b559eadcc0",
            "value": "125056655d55655023z12z5f7z504sz1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771736571",
            "to_ids": true,
            "type": "filename",
            "uuid": "02f5d533-6f45-420e-a324-4fced2f60168",
            "value": "6aca45bb78452cd78386b8fa78dbdf2dda7fba6cc06482251e2a6820849c9e82.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 22/02/2026\nLast-scan\t:  20/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771736571",
            "to_ids": false,
            "type": "text",
            "uuid": "ee505bcc-e943-490f-9985-c10aa51d3326",
            "value": "Type Description: Win32 DLL\nMicrosoft: Backdoor:Win32/Havex.A\nVT Total Detection:62/72\nFirst Submission:2014-06-23T10:39:04.000000+00:00\nLast Submission:2024-09-29T20:02:42.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771737046",
        "uuid": "cc17425a-4364-4b3c-8e4b-fd130ad8348a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771737046",
            "to_ids": true,
            "type": "md5",
            "uuid": "9bf9df6e-69e1-43a3-a335-72981d4b18dd",
            "value": "4102f370aaf46629575daffbd5a0b3c9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771736698",
            "to_ids": true,
            "type": "sha1",
            "uuid": "691c2d7b-6711-4c82-97b2-8619b20221db",
            "value": "efe9462bfa3564fe031b5ff0f2e4f8db8ef22882",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771736698",
            "to_ids": true,
            "type": "sha256",
            "uuid": "e672472b-13f8-41b5-8553-bdd8d1316e33",
            "value": "004c99be0c355e1265b783aae557c198bcc92ee84ed49df70db927a726c842f3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771736593",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "163d32ae-54d0-4b4f-a27c-a1df39446c04",
            "value": "3072:c4XrKHxtu7gi1BlZQfSEKkPEdjgeP3wz9aZHi2UVL53UXPcRoC:BORtu7gi/p7P3sQHPidu"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771736593",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7a025274-6544-4048-9893-8790d0d9133d",
            "value": "251392"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771736593",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d373e9a3-fb52-463c-b7c2-2badd8c3108c",
            "value": "125056655d55655023z12z5f7z504sz1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771736593",
            "to_ids": true,
            "type": "filename",
            "uuid": "4e65ccb4-c235-47b5-a5a7-54c63c9783bc",
            "value": "1.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 22/02/2026\nLast-scan\t:  21/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771736593",
            "to_ids": false,
            "type": "text",
            "uuid": "207114ff-ba77-4b0e-a0b4-778f21a9e8b4",
            "value": "Type Description: Win32 DLL\nMicrosoft: Backdoor:Win32/Havex.A\nVT Total Detection:62/72\nFirst Submission:2014-06-23T10:40:22.000000+00:00\nLast Submission:2025-07-16T10:41:12.000000+00:00"
          }
        ]
      }
    ]
  }
}