{
  "Event": {
    "analysis": "1",
    "date": "2018-03-16",
    "extends_uuid": "",
    "info": "[Threat Intel] Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors",
    "protected": false,
    "publish_timestamp": "1772418917",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1772418915",
    "uuid": "5f1bc9f7-fc74-407e-bff2-c40ed39e129d",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"CISA\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:country=\"russia\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Energy\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Industrial\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#190061",
        "local": false,
        "name": "rectifyq:topic=\"ics-ot\"",
        "relationship_type": ""
      },
      {
        "colour": "#1c006d",
        "local": false,
        "name": "rectifyq:topic=\"geopolitical\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"State-Sponsored\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#3500ca",
        "local": false,
        "name": "rectifyq:detection-rules=\"yara-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#3600cf",
        "local": false,
        "name": "rectifyq:detection-rules=\"snort-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-assets=\"Human-Machine Interface\"",
        "relationship_type": ""
      },
      {
        "colour": "#dff146",
        "local": false,
        "name": "IT-impact-ICS",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772230719",
        "to_ids": false,
        "type": "link",
        "uuid": "3c15f2bd-ca61-47b4-b2fa-9d04d926a8c1",
        "value": "https://www.cisa.gov/news-events/alerts/2018/03/15/russian-government-cyber-activity-targeting-energy-and-other-critical-infrastructure-sectors"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:28/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772252196",
        "to_ids": true,
        "type": "md5",
        "uuid": "392a2f47-e621-4619-b988-e8139f4c3ef5",
        "value": "a07aa521e7cafb360294e56969eda5d6",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:28/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772252198",
        "to_ids": true,
        "type": "md5",
        "uuid": "b9e6c00c-ebd3-4a47-8701-a5b833d39358",
        "value": "ba756dd64c1147515ba2298b6a760260",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:28/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772252198",
        "to_ids": true,
        "type": "md5",
        "uuid": "43943fb7-a96d-4af7-8b7d-8743954aba2c",
        "value": "04738ca02f59a5cd394998a99fcd9613",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:28/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772252199",
        "to_ids": true,
        "type": "md5",
        "uuid": "0e8d1cbb-6b89-45db-b3c2-2b9455a66d8f",
        "value": "038a97b4e2f37f34b255f0643e49fc9d",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:28/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772252200",
        "to_ids": true,
        "type": "md5",
        "uuid": "616cf890-16fe-4782-8346-8bf6a1622ae3",
        "value": "65a1a73253f04354886f375b59550b46",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:28/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772252202",
        "to_ids": true,
        "type": "md5",
        "uuid": "d5ac24e7-98a7-407b-8dda-ee59b14b8eca",
        "value": "4595dbe00a538df127e0079294c87da0",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:28/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772252203",
        "to_ids": true,
        "type": "md5",
        "uuid": "da15bf08-0f5b-4a45-a449-f8822264ece2",
        "value": "2c9095c965a55efc46e16b86f9b7d6c6",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772231028",
        "to_ids": false,
        "type": "snort",
        "uuid": "69d132ce-f6af-4115-b152-497003f87755",
        "value": "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:\"HTTP URI contains '/aspnet_client/system_web/4_0_30319/update/' (Beacon)\"; sid:42000000; rev:1; flow:established,to_server; content:\"/aspnet_client/system_web/4_0_30319/update/\"; http_uri; fast_pattern:only; classtype:bad-unknown; metadata:service http;)"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772231028",
        "to_ids": false,
        "type": "snort",
        "uuid": "1885b87e-83da-4735-97a6-29beb2ecc5bb",
        "value": "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:\"HTTP URI contains '/img/bson021.dat'\"; sid:42000001; rev:1; flow:established,to_server; content:\"/img/bson021.dat\"; http_uri; fast_pattern:only; classtype:bad-unknown; metadata:service http;)"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772231028",
        "to_ids": false,
        "type": "snort",
        "uuid": "e49cbc56-6096-4afa-aee5-0fcb63d2647c",
        "value": "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:\"HTTP URI contains '/A56WY' (Callback)\"; sid:42000002; rev:1; flow:established,to_server; content:\"/A56WY\"; http_uri; fast_pattern; classtype:bad-unknown; metadata:service http;)"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772231028",
        "to_ids": false,
        "type": "snort",
        "uuid": "cae4ddd7-bc0e-45fd-bbab-0b327b2654ec",
        "value": "alert tcp any any -> any 445 (msg:\"SMB Client Request contains 'AME_ICON.PNG' (SMB credential harvesting)\"; sid:42000003; rev:1; flow:established,to_server; content:\"|FF|SMB|75 00 00 00 00|\"; offset:4; depth:9; content:\"|08 00 01 00|\"; distance:3; content:\"|00 5c 5c|\"; distance:2; within:3; content:\"|5c|AME_ICON.PNG\"; distance:7; fast_pattern; classtype:bad-unknown; metadata:service netbios-ssn;)"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772231028",
        "to_ids": false,
        "type": "snort",
        "uuid": "dc80c3c0-96ed-4c7d-a465-048a617d39e1",
        "value": "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:\"HTTP URI OPTIONS contains '/ame_icon.png' (SMB credential harvesting)\"; sid:42000004; rev:1; flow:established,to_server; content:\"/ame_icon.png\"; http_uri; fast_pattern:only; content:\"OPTIONS\"; nocase; http_method; classtype:bad-unknown; metadata:service http;)"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772231028",
        "to_ids": false,
        "type": "snort",
        "uuid": "b679f883-452a-46dd-8ba4-6b20ee0dbdb0",
        "value": "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:\"HTTP Client Header contains 'User-Agent|3a 20|Go-http-client/1.1'\"; sid:42000005; rev:1; flow:established,to_server; content:\"User-Agent|3a 20|Go-http-client/1.1|0d 0a|Accept-Encoding|3a 20|gzip\"; http_header; fast_pattern:only; pcre:\"/\\.(?:aspx|txt)\\?[a-z0-9]{3}=[a-z0-9]{32}&/U\"; classtype:bad-unknown; metadata:service http;)"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772231028",
        "to_ids": false,
        "type": "snort",
        "uuid": "06aca53b-5d6f-416c-b741-3b4f9a95e63c",
        "value": "alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:\"SMB Server Traffic contains NTLM-Authenticated SMBv1 Session\"; sid:42000006; rev:1; flow:established,to_client; content:\"|ff 53 4d 42 72 00 00 00 00 80|\"; fast_pattern:only; content:\"|05 00|\"; distance:23; classtype:bad-unknown; metadata:service netbios-ssn;)"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772231145",
        "to_ids": false,
        "type": "link",
        "uuid": "6d8cb28d-94cd-4c3a-bcdf-50d5caba6eb0",
        "value": "https://www.cisa.gov/news-events/alerts/2017/10/20/advanced-persistent-threat-activity-targeting-energy-and-other-critical-infrastructure-sectors"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772230843",
        "uuid": "c8993384-88b8-4286-ac9b-2d3f5efdc439",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772230843",
            "to_ids": false,
            "type": "text",
            "uuid": "7e06a29a-7e3a-43a1-bfa8-43b1add6a713",
            "value": "APT_malware_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772230843",
            "to_ids": false,
            "type": "comment",
            "uuid": "4c28b356-730d-4fac-ad86-f6173dbcb85d",
            "value": "inveigh pen testing tools & related artifacts"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772230843",
            "to_ids": true,
            "type": "yara",
            "uuid": "ccb2aba6-6375-4ec1-8a6c-57c7e53d3a17",
            "value": "rule APT_malware_1\r\n{\r\nmeta:\r\n            description = \"inveigh pen testing tools & related artifacts\"\r\n            author = \"DHS | NCCIC Code Analysis Team\"    \r\n            date = \"2017/07/17\"\r\n            hash0 = \"61C909D2F625223DB2FB858BBDF42A76\"\r\n            hash1 = \"A07AA521E7CAFB360294E56969EDA5D6\"\r\n            hash2 = \"BA756DD64C1147515BA2298B6A760260\"\r\n            hash3 = \"8943E71A8C73B5E343AA9D2E19002373\"\r\n            hash4 = \"04738CA02F59A5CD394998A99FCD9613\"\r\n            hash5 = \"038A97B4E2F37F34B255F0643E49FC9D\"\r\n            hash6 = \"65A1A73253F04354886F375B59550B46\"\r\n            hash7 = \"AA905A3508D9309A93AD5C0EC26EBC9B\"\r\n            hash8 = \"5DBEF7BDDAF50624E840CCBCE2816594\"\r\n            hash9 = \"722154A36F32BA10E98020A8AD758A7A\"\r\n            hash10 = \"4595DBE00A538DF127E0079294C87DA0\"\r\nstrings:\r\n            $s0 = \"file://\"\r\n            $s1 = \"/ame_icon.png\"\r\n            $s2 = \"184.154.150.66\"\r\n            $s3 = { 87D081F60C67F5086A003315D49A4000F7D6E8EB12000081F7F01BDD21F7DE }\r\n            $s4 = { 33C42BCB333DC0AD400043C1C61A33C3F7DE33F042C705B5AC400026AF2102 }\r\n            $s5 = \"(g.charCodeAt(c)^l[(l[b]+l[e])%256])\"\r\n            $s6 = \"for(b=0;256>b;b++)k[b]=b;for(b=0;256>b;b++)\"\r\n            $s7 = \"VXNESWJfSjY3grKEkEkRuZeSvkE=\"\r\n            $s8 = \"NlZzSZk=\"\r\n            $s9 = \"WlJTb1q5kaxqZaRnser3sw==\"\r\n            $s10 = \"for(b=0;256>b;b++)k[b]=b;for(b=0;256>b;b++)\"\r\n            $s11 = \"fromCharCode(d.charCodeAt(e)^k[(k[b]+k[h])%256])\"\r\n            $s12 = \"ps.exe -accepteula \\\\%ws% -u %user% -p %pass% -s cmd /c netstat\"\r\n            $s13 = { 22546F6B656E733D312064656C696D733D5C5C222025254920494E20286C6973742E74787429 }\r\n            $s14 = { 68656C6C2E657865202D6E6F65786974202D657865637574696F6E706F6C69637920627970617373202D636F6D6D616E6420222E202E5C496E76656967682E70 }\r\n            $s15 = { 476F206275696C642049443A202266626433373937623163313465306531 }\r\n//inveigh pentesting tools\r\n            $s16 = { 24696E76656967682E7374617475735F71756575652E4164642822507265737320616E79206B657920746F2073746F70207265616C2074696D65 }\r\n//specific malicious word document PK archive\r\n            $s17 = { 2F73657474696E67732E786D6CB456616FDB3613FEFE02EF7F10F4798E64C54D06A14ED125F19A225E87C9FD0194485B }\r\n            $s18 = { 6C732F73657474696E67732E786D6C2E72656C7355540500010076A41275780B0001040000000004000000008D90B94E03311086EBF014D6F4D87B48214471D2 }\r\n            $s19 = { 8D90B94E03311086EBF014D6F4D87B48214471D210A41450A0E50146EBD943F8923D41C9DBE3A54A240ACA394A240ACA39 }\r\n            $s20 = { 8C90CD4EEB301085D7BD4F61CDFEDA092150A1BADD005217B040E10146F124B1F09FEC01B56F8FC3AA9558B0B4 }\r\n            $s21 = { 8C90CD4EEB301085D7BD4F61CDFEDA092150A1BADD005217B040E10146F124B1F09FEC01B56F8FC3AA9558B0B4 }\r\n            $s22 = \"5.153.58.45\"\r\n            $s23 = \"62.8.193.206\"\r\n            $s24 = \"/1/ree_stat/p\"\r\n            $s25 = \"/icon.png\"\r\n            $s26 = \"/pshare1/icon\"\r\n            $s27 = \"/notepad.png\"\r\n            $s28 = \"/pic.png\"\r\n            $s29 = \"http://bit.ly/2m0x8IH\"\r\ncondition:\r\n            ($s0 and $s1 or $s2) or ($s3 or $s4) or ($s5 and $s6 or $s7 and $s8 and $s9) or ($s10 and $s11) or ($s12 and $s13) or ($s14) or ($s15) or ($s16) or ($s17) or ($s18) or ($s19) or ($s20) or ($s21) or ($s0 and $s22 or $s24) or ($s0 and $s22 or $s25) or ($s0 and $s23 or $s26) or ($s0 and $s22 or $s27) or ($s0 and $s23 or $s28) or ($s29)\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772230862",
        "uuid": "91b42142-bf37-461a-b564-dbf222b18542",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772230862",
            "to_ids": false,
            "type": "text",
            "uuid": "0412be32-0dd5-4ce4-bbf8-d7661fc2f940",
            "value": "APT_malware_2"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772230862",
            "to_ids": false,
            "type": "comment",
            "uuid": "0741f7f7-c6a9-47a8-b24f-bc985439336c",
            "value": "rule detects malware"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772230863",
            "to_ids": true,
            "type": "yara",
            "uuid": "4a946796-c940-4425-8214-896e8f32a2dd",
            "value": "rule APT_malware_2\r\n{\r\nmeta:\r\n      description = \"rule detects malware\"\r\n      author = \"other\"\r\nstrings:\r\n      $api_hash = { 8A 08 84 C9 74 0D 80 C9 60 01 CB C1 E3 01 03 45 10 EB ED }\r\n      $http_push = \"X-mode: push\" nocase\r\n      $http_pop = \"X-mode: pop\" nocase\r\ncondition:\r\n      any of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772230881",
        "uuid": "d0ca5183-1f54-40f4-8306-b8a3a779c1a6",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772230881",
            "to_ids": false,
            "type": "text",
            "uuid": "3b6c8c83-6642-4875-8def-a41f94ac3f8c",
            "value": "Query_XML_Code_MAL_DOC_PT_2"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772230881",
            "to_ids": false,
            "type": "comment",
            "uuid": "3d9455ad-feb9-4f4f-8ab8-95bccec7c3e1",
            "value": "Query_XML_Code_MAL_DOC_PT_2"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772230881",
            "to_ids": true,
            "type": "yara",
            "uuid": "10ec581d-75f0-48b3-ad91-4aa97d54e378",
            "value": "rule Query_XML_Code_MAL_DOC_PT_2\r\n{\r\nmeta:\r\n     name= \"Query_XML_Code_MAL_DOC_PT_2\"\r\n     author = \"other\"\r\nstrings:\r\n            $zip_magic = { 50 4b 03 04 }\r\n            $dir1 = \"word/_rels/settings.xml.rels\"\r\n            $bytes = {8c 90 cd 4e eb 30 10 85 d7}\r\ncondition:\r\n            $zip_magic at 0 and $dir1 and $bytes\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772230898",
        "uuid": "cb993271-cc7e-4937-982b-e68950498e50",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772230898",
            "to_ids": false,
            "type": "text",
            "uuid": "91526558-9dc9-4832-afa8-b5f3b6dd04e5",
            "value": "Query_Javascript_Decode_Function"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772230898",
            "to_ids": false,
            "type": "comment",
            "uuid": "7802b53f-6a53-4cb7-b7fd-a3a83ac1d6f2",
            "value": "Query_Javascript_Decode_Function"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772230898",
            "to_ids": true,
            "type": "yara",
            "uuid": "42b5b86e-4040-4150-9e51-ff175df7f310",
            "value": "rule Query_Javascript_Decode_Function\r\n{\r\nmeta:\r\n      name= \"Query_Javascript_Decode_Function\"\r\n      author = \"other\"\r\nstrings:\r\n      $decode1 = {72 65 70 6C 61 63 65 28 2F 5B 5E 41 2D 5A 61 2D 7A 30 2D 39 5C 2B 5C 2F 5C 3D 5D 2F 67 2C 22 22 29 3B}\r\n      $decode2 = {22 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 75 76 77 78 79 7A 30 31 32 33 34 35 36 37 38 39 2B 2F 3D 22 2E 69 6E 64 65 78 4F 66 28 ?? 2E 63 68 61 72 41 74 28 ?? 2B 2B 29 29}\r\n      $decode3 = {3D ?? 3C 3C 32 7C ?? 3E 3E 34 2C ?? 3D 28 ?? 26 31 35 29 3C 3C 34 7C ?? 3E 3E 32 2C ?? 3D 28 ?? 26 33 29 3C 3C 36 7C ?? 2C ?? 2B 3D [1-2] 53 74 72 69 6E 67 2E 66 72 6F 6D 43 68 61 72 43 6F 64 65 28 ?? 29 2C 36 34 21 3D ?? 26 26 28 ?? 2B 3D 53 74 72 69 6E 67 2E 66 72 6F 6D 43 68 61 72 43 6F 64 65 28 ?? 29}\r\n      $decode4 = {73 75 62 73 74 72 69 6E 67 28 34 2C ?? 2E 6C 65 6E 67 74 68 29}\r\n      $func_call=\"a(\\\"\"\r\ncondition:\r\n      filesize < 20KB and #func_call > 20 and all of ($decode*)\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772230912",
        "uuid": "452eefd5-4ad9-4fe7-8be9-32546b6e40b0",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772230912",
            "to_ids": false,
            "type": "text",
            "uuid": "77606ca1-62b0-4b30-86ff-e06cf538dc2d",
            "value": "Query_XML_Code_MAL_DOC"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772230912",
            "to_ids": false,
            "type": "comment",
            "uuid": "15f80be8-b67c-47cb-a01b-866f69d8a9c1",
            "value": "Query_XML_Code_MAL_DOC"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772230912",
            "to_ids": true,
            "type": "yara",
            "uuid": "6e188c6e-8b42-4f1f-916f-77e4e2766af4",
            "value": "rule Query_XML_Code_MAL_DOC\r\n{\r\nmeta:\r\n      name= \"Query_XML_Code_MAL_DOC\"\r\n      author = \"other\"\r\nstrings:\r\n      $zip_magic = { 50 4b 03 04 }\r\n      $dir = \"word/_rels/\" ascii\r\n      $dir2 = \"word/theme/theme1.xml\" ascii\r\n      $style = \"word/styles.xml\" ascii\r\ncondition:\r\n      $zip_magic at 0 and $dir at 0x0145 and $dir2 at 0x02b7 and $style at 0x08fd\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772230927",
        "uuid": "0fba4122-3044-4bb0-b441-ee49c9745e53",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772230927",
            "to_ids": false,
            "type": "text",
            "uuid": "49724881-9347-41ff-aa2d-5ba5db85c946",
            "value": "z_webshell"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772230927",
            "to_ids": false,
            "type": "comment",
            "uuid": "5e48bcfd-6911-4b7a-a906-4967ab7b8a93",
            "value": "z_webshell"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772230927",
            "to_ids": true,
            "type": "yara",
            "uuid": "5513b015-78be-4e78-9714-b8015982dc71",
            "value": "rule z_webshell\r\n{\r\nmeta:\r\n            description = \"Detection for the z_webshell\"\r\n            author = \"DHS NCCIC Hunt and Incident Response Team\"\r\n            date = \"2018/01/25\"\r\n            md5 =  \"2C9095C965A55EFC46E16B86F9B7D6C6\"\r\nstrings:\r\n            $aspx_identifier1 = \"<%@ \" nocase ascii wide\r\n            $aspx_identifier2 = \"<asp:\" nocase ascii wide\r\n            $script_import = /(import|assembly) Name(space)?\\=\\\"(System|Microsoft)/ nocase ascii wide\r\n            $case_string = /case \\\"z_(dir|file|FM|sql)_/ nocase ascii wide\r\n            $webshell_name = \"public string z_progname =\" nocase ascii wide\r\n            $webshell_password = \"public string Password =\" nocase ascii wide\r\ncondition:\r\n            1 of ($aspx_identifier*)\r\n            and #script_import > 10\r\n            and #case_string > 7\r\n            and 2 of ($webshell_*)\r\n            and filesize < 100KB\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772252205",
        "uuid": "26e1e426-2ae3-4a6c-b687-0d9ec5674b01",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772252205",
            "to_ids": true,
            "type": "md5",
            "uuid": "796bdfac-59f7-4473-952b-92f6bdcf7014",
            "value": "61c909d2f625223db2fb858bbdf42a76",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772252190",
            "to_ids": true,
            "type": "sha1",
            "uuid": "f2c64a27-d36a-403f-8dd6-373f1318496f",
            "value": "b45d63d4d952e9a0715583f97a2d9edeb45ae74e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772252190",
            "to_ids": true,
            "type": "sha256",
            "uuid": "6eda22f3-2a32-439e-87fc-269f40ed62b8",
            "value": "0a6b1b29496d4514f6485e78680ec4cd0296ef4d21862d8bf363900a4f8e3fd2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772251915",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "47ea6bc6-8fe0-47f6-8fbb-aa2d3e464d4f",
            "value": "3:HjVygSSJJLNyLm/sRIm+ZCRrFquLLTzOSX36I41uF:HjssnyLmURcZCdtTzOw3b41uF"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772251915",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "3a919be9-9611-4f71-8391-f33c716302b0",
            "value": "146"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772251915",
            "to_ids": true,
            "type": "filename",
            "uuid": "0b9bd53c-72b8-4442-b528-0420f6ea7c17",
            "value": ".bat"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-02-28\nLast scan: 2026-02-27",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772251915",
            "to_ids": false,
            "type": "text",
            "uuid": "ea2412a7-493b-4d34-86c6-3cdb67ab7e0d",
            "value": "Type Description: DOS batch file\nMicrosoft: TrojanDownloader:PowerShell/Ploprolo.B\nVT Total Detection:27/63\nFirst Submission:2018-03-23T08:13:03.000000+00:00\nLast Submission:2018-10-04T21:55:36.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772252226",
        "uuid": "212d1827-6fad-4a59-a869-19edd4773533",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772252226",
            "to_ids": true,
            "type": "md5",
            "uuid": "6f2d08af-1aed-4416-8279-eed700af4584",
            "value": "8943e71a8c73b5e343aa9d2e19002373",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772252192",
            "to_ids": true,
            "type": "sha1",
            "uuid": "028ab71c-ae55-4ac3-867b-92bd03fa56b4",
            "value": "092de09e2f346b81a84113734964ad10284f142d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772252192",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f8a5da1b-9147-4bd6-ae9b-63de0f20055a",
            "value": "a278256fbf2f061cfded7fdd58feded6765fade730374c508adad89282f67d77",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772251979",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "2ac4decc-8956-4bda-9fd8-8115d04aaa43",
            "value": "24576:8ehp+MLzB2M6ewgsKR2/sNl+BNsjJX34grzNkHAgjZgC4bGB9qsY:Hh7LwoR9Nl+irygoYbGB9qs"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772251979",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4073d979-dae6-4a6e-80de-fe7e0e4cb4f7",
            "value": "1138176"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772251979",
            "to_ids": true,
            "type": "vhash",
            "uuid": "c5c43541-25ee-4868-8e7b-d304602b2dc7",
            "value": "01603e0f7d1bz6tz1017z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772251979",
            "to_ids": true,
            "type": "filename",
            "uuid": "cc34993a-2ccf-465c-8f0d-18062a3bf304",
            "value": "36oh68o0.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-02-28\nLast scan: 2026-02-27",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772251979",
            "to_ids": false,
            "type": "text",
            "uuid": "b9a54154-f96c-454f-a6ad-81b22fceac5a",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Groooboor\nVT Total Detection:61/72\nFirst Submission:2017-05-10T08:37:18.000000+00:00\nLast Submission:2018-05-15T00:00:09.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772252247",
        "uuid": "5385bb58-987d-4764-b271-a8d9310151ac",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772252247",
            "to_ids": true,
            "type": "md5",
            "uuid": "b7e0f3d8-2522-482d-9349-d80ac23ee5bd",
            "value": "aa905a3508d9309a93ad5c0ec26ebc9b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772252193",
            "to_ids": true,
            "type": "sha1",
            "uuid": "676874ff-a3c4-4ade-ab9e-138cf2089642",
            "value": "c8791bcebaea85e9129e706b22e3bda43f762e4a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772252193",
            "to_ids": true,
            "type": "sha256",
            "uuid": "fe9af18f-dde3-41c3-8bf6-586042dcdfaa",
            "value": "6401abe9b6e90411dc48ffc863c40c9d9b073590a8014fe1b0e6c2ecab2f7e18",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772252064",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f6283e3c-9d49-4067-b73d-a67e8c31d960",
            "value": "1536:+2ShI15AJLhZpaaOoMeX+sK+9rThT8JqRl+dQ:RShI15AJLhZpaaOy+89rThT8JqRYdQ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772252064",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "423fa677-6379-4de3-9d5e-a2a34315a022",
            "value": "202957"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772252064",
            "to_ids": true,
            "type": "vhash",
            "uuid": "160e3b9d-757d-4072-9813-f08ce93b8ad5",
            "value": "518a8ab5d760aa7be341b87b38f98827"
          },
          {
            "category": "Payload delivery",
            "comment": "Inveigh is a publicly available PowerShell tool (classified HackTool by the scanner); the filename alone also matches legitimate red-team use, so treat a filename hit as a lead, not a verdict.",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772252064",
            "to_ids": true,
            "type": "filename",
            "uuid": "8ae3ac24-a7e4-47be-86b3-a463470af3fb",
            "value": "Inveigh.ps1"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-02-28\nLast scan: 2026-02-27",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772252064",
            "to_ids": false,
            "type": "text",
            "uuid": "d98b58a2-7a99-4edf-a0da-df0b6cdcb614",
            "value": "Type Description: Powershell\nMicrosoft: HackTool:Win32/Inveigh\nVT Total Detection:35/62\nFirst Submission:2017-04-18T16:20:35.000000+00:00\nLast Submission:2022-12-19T18:47:01.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772252269",
        "uuid": "588a8ccb-3588-4112-a99b-66680c066f4c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772252269",
            "to_ids": true,
            "type": "md5",
            "uuid": "4ad89e39-4488-4c85-a870-9733d4a3afc6",
            "value": "5dbef7bddaf50624e840ccbce2816594",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772252194",
            "to_ids": true,
            "type": "sha1",
            "uuid": "b0524dbc-2b3a-4bc6-a033-93bb6745a856",
            "value": "f9b72a2802d2a7ff33fd2d4bbcf41188724fcaa8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772252194",
            "to_ids": true,
            "type": "sha256",
            "uuid": "75db8b5d-ffb8-4488-b98e-3c161827c442",
            "value": "154494f819831f928301e39b66cd91bbdbf7d6445f178cbe4f5fe17f68c0faae",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772252085",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "ac50e335-4cb3-4f37-9c63-12463c791881",
            "value": "6144:dqtii3p3p3Y3V363F3/3HOXCZiZVZkZ0ZCZyZMZqZ+ZqZXVyRMjP:X"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772252085",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a297152e-93f6-4e56-b752-d0e1801bf875",
            "value": "227407"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772252085",
            "to_ids": true,
            "type": "vhash",
            "uuid": "83c55594-64bc-4e46-b01a-d2b0ecdfe3ab",
            "value": "8bdd8e88f102859f89c651507932060b"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772252085",
            "to_ids": true,
            "type": "filename",
            "uuid": "7b8a3b38-d938-4b33-8a7e-113939352fee",
            "value": ".bat"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-02-28\nLast scan: 2024-03-10",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772252085",
            "to_ids": false,
            "type": "text",
            "uuid": "832a44bc-8a81-43a9-a4ec-e91e2e731f77",
            "value": "Type Description: Powershell\nMicrosoft: HackTool:PowerShell/Inveigh\nVT Total Detection:30/61\nFirst Submission:2018-06-20T03:18:08.000000+00:00\nLast Submission:2022-12-18T12:10:31.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772252290",
        "uuid": "6009a32c-5986-4b38-b4db-aa243484593e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772252290",
            "to_ids": true,
            "type": "md5",
            "uuid": "4014b4ab-fe14-42ce-9510-b6f468502d86",
            "value": "722154a36f32ba10e98020a8ad758a7a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772252195",
            "to_ids": true,
            "type": "sha1",
            "uuid": "5a354a3f-0973-49cd-b165-d211b1f40b86",
            "value": "2872dcdf108563d16b6cf2ed383626861fc541d2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772252195",
            "to_ids": true,
            "type": "sha256",
            "uuid": "ae68c7c9-8c15-486a-a8e3-630d10b1f252",
            "value": "ac6c1df3895af63b864bb33bf30cb31059e247443ddb8f23517849362ec94f08",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772252107",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c6279647-7809-4dec-b415-032b4faeaa66",
            "value": "384:Dk5kSg2bPvHjd1coguI38aI2TUGThYGBUvolkGDJ4LMwa7nXp:DkGMjjOn8yTUQzuw7VB37n5"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772252107",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "0b3de2f6-bb0b-4065-af0e-8b6ad3d8e313",
            "value": "19261"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772252107",
            "to_ids": true,
            "type": "vhash",
            "uuid": "4cca493a-f7e9-4b27-a67f-3111a177f77d",
            "value": "9484d88fc80d487ed6d255e4f676bed3"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772252107",
            "to_ids": true,
            "type": "filename",
            "uuid": "224a84f5-4f31-41f1-8e85-9e0881468fed",
            "value": "%5cCVcontrolEngineer(1).docx"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-02-28\nLast-scan: 2026-02-26",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772252107",
            "to_ids": false,
            "type": "text",
            "uuid": "86afc8d5-6547-44ca-a0a6-d423794cab48",
            "value": "Type Description: Office Open XML Document\nMicrosoft: Trojan:O97M/Inoff.A\nVT Total Detection: 34/67\nFirst Submission: 2017-05-19T13:11:04.000000+00:00\nLast Submission: 2024-11-13T12:59:40.000000+00:00"
          }
        ]
      }
    ]
  }
}