{
  "Event": {
    "analysis": "1",
    "date": "2026-01-30",
    "extends_uuid": "",
    "info": "[Threat Intel] DynoWiper update: Technical analysis and attribution",
    "protected": false,
    "publish_timestamp": "1772398937",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1772398928",
    "uuid": "70ba5689-caa8-4938-9e4e-d3944ad01c1d",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"ESET\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Poland\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Energy\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"Sandworm\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disk Content Wipe - T1561.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"External Proxy - T1090.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Local Storage Discovery - T1680\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Server - T1584.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Shutdown/Reboot - T1529\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Time Discovery - T1124\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#190061",
        "local": false,
        "name": "rectifyq:topic=\"ics-ot\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#f6810a",
        "local": false,
        "name": "ICS-capable",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Industrial\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772392816",
        "to_ids": false,
        "type": "link",
        "uuid": "f1a1ec7d-6a9b-495f-b2a5-f10560102ebd",
        "value": "https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution/"
      },
      {
        "category": "Payload delivery",
        "comment": "ZOV wiper. No sample in VirusTotal.\r\nLast check: 02/03/2026 (DD/MM/YYYY)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772394193",
        "to_ids": true,
        "type": "sha1",
        "uuid": "a78d0685-4c0b-44d5-85e6-60b85f39f091",
        "value": "4f8e9336a784a196353023133e0f8fa54f6a92e2",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "SOCKS5 server.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772395407",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "3bf0d08f-6e89-490b-ab86-c9181ef2973d",
        "value": "31.172.71.5",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772395429",
        "uuid": "d5a395a7-0bb6-438a-a2f8-7d631122ac6f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "ZOV wiper.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772395429",
            "to_ids": true,
            "type": "md5",
            "uuid": "c29b4785-b1f5-4251-9eb1-b7b3556fa4e6",
            "value": "9d896e0e3e369c2edf1c8fb070f49c22",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ZOV wiper.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772394187",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7454b102-32ae-4282-a4bd-2f65aeb67766",
            "value": "472ca448f82a7ff6f373a32fdb9586fd7c38b631",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ZOV wiper.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772394187",
            "to_ids": true,
            "type": "sha256",
            "uuid": "5a9da3fa-252f-4ace-ad44-a131e75f690d",
            "value": "bfda142bc5c44913eed9ef1cf2a8ad07b7a71312a26e4c7c519bf1a3fedeb6a0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772393894",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "88c47f1d-288c-4d14-86b3-ded476b781a6",
            "value": "768:rzk/JAH3NOpcPIjz3r8hrZPfoIIp01PkECEDjnmlxm//Tl7P6q:k/2dOp4Oz3g5fiqPlScTJP6"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772393894",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "44b63d3a-0555-4e92-b0c7-40800b4af71c",
            "value": "51200"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772393894",
            "to_ids": true,
            "type": "vhash",
            "uuid": "552fbba1-858a-4504-be8c-bb195478cf03",
            "value": "054056655d15751038z52hz23z4fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772393894",
            "to_ids": true,
            "type": "filename",
            "uuid": "8b42ed83-6053-4454-bf09-a378b426fb55",
            "value": "bfda142bc5c44913eed9ef1cf2a8ad07b7a71312a26e4c7c519bf1a3fedeb6a0.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/03/2026 (DD/MM/YYYY)\nLast scan: 15/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772393894",
            "to_ids": false,
            "type": "text",
            "uuid": "13942236-4296-496b-9cd5-2ce6e6b29557",
            "value": "ZOV wiper.\r\nType Description: Win32 EXE\nMicrosoft: Ransom:Win32/DynoWiper.ADY!MTB\nVT Total Detection:53/72\nFirst Submission:2025-11-28T20:19:48.000000+00:00\nLast Submission:2026-02-01T06:44:35.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772395451",
        "uuid": "cff5653f-3346-4d20-9e19-72adf0fe38c4",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "DynoWiper.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772395451",
            "to_ids": true,
            "type": "md5",
            "uuid": "24743753-7cac-491c-8102-a841bbeef7c1",
            "value": "a727362416834fa63672b87820ff7f27",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DynoWiper.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772394187",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e5cc6a2d-34b9-408f-8908-d910035748c4",
            "value": "4ec3c90846af6b79ee1a5188eefa3fd21f6d4cf6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DynoWiper.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772394188",
            "to_ids": true,
            "type": "sha256",
            "uuid": "fe9504fe-c7db-439f-a298-620804b9aebb",
            "value": "835b0d87ed2d49899ab6f9479cddb8b4e03f5aeb2365c50a51f9088dcede68d5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772393937",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "5699a8f4-f7e5-4300-b246-c641cb2d351d",
            "value": "3072:fT4SpKtaWp+id2jJgc43l4l2tgQyRUJWXBVDhDq2:r4SMtaz0l1fHyaoThDR"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772393937",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "15fb5988-e14e-444e-b2e6-ba6f1bee63b4",
            "value": "167424"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772393937",
            "to_ids": true,
            "type": "vhash",
            "uuid": "0c611b40-608d-48c0-9303-78494f7fb1d1",
            "value": "015056651d15556038z4enz1fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772393937",
            "to_ids": true,
            "type": "filename",
            "uuid": "bf1a0522-0b29-4d11-8bc6-05f1b9df1881",
            "value": "tmp57r4q6it"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/03/2026 (DD/MM/YYYY)\nLast scan: 26/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772393937",
            "to_ids": false,
            "type": "text",
            "uuid": "2c637f0a-fbcb-4582-8961-f37fdd55ce46",
            "value": "DynoWiper.\r\nType Description: Win32 EXE\nMicrosoft: Ransom:Win32/DynoWiper!rfn\nVT Total Detection:51/72\nFirst Submission:2026-01-30T10:35:33.000000+00:00\nLast Submission:2026-02-23T02:28:19.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772395473",
        "uuid": "66d88862-9597-4851-bc88-41f795f0f8f1",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "DynoWiper.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772395473",
            "to_ids": true,
            "type": "md5",
            "uuid": "6d9727af-333a-4553-a09c-166c082489ac",
            "value": "75fec5afb2deebab6dd9c16d9de35032",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DynoWiper.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772394188",
            "to_ids": true,
            "type": "sha1",
            "uuid": "dddee378-b38c-414d-9a5e-4a852448f796",
            "value": "86596a5c5b05a8bfbd14876de7404702f7d0d61b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DynoWiper.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772394188",
            "to_ids": true,
            "type": "sha256",
            "uuid": "16985b13-f618-4d56-8588-f83e0eea62a1",
            "value": "60c70cdcb1e998bffed2e6e7298e1ab6bb3d90df04e437486c04e77c411cae4b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772393959",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "bf4da764-6a3b-4079-b303-15666c711a70",
            "value": "1536:RI5x+cpS8+c48t3UjpGyAgGsu0X55l1tSsHGVIdWQe7AtaCxc2BGywukCbg+DjcX:R2Sz8tkNn9/Nc3mECxd8iD9yUS7vV8E"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772393959",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "848194ef-1435-4c92-9073-916bafe592c7",
            "value": "167424"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772393959",
            "to_ids": true,
            "type": "vhash",
            "uuid": "4957b62a-5dc5-4d2d-aebf-8312d85ae1d4",
            "value": "015056651d15556az4e!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772393959",
            "to_ids": true,
            "type": "filename",
            "uuid": "e9a221cc-00ca-4177-9503-f5ac3e08ef41",
            "value": "60c70cdcb1e998bffed2e6e7298e1ab6bb3d90df04e437486c04e77c411cae4b.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/03/2026 (DD/MM/YYYY)\nLast scan: 26/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772393959",
            "to_ids": false,
            "type": "text",
            "uuid": "75c6e3fd-848b-4e7f-bc47-e6f41bedbbe6",
            "value": "DynoWiper.\r\nType Description: Win32 EXE\nMicrosoft: DoS:Win32/WprLandblan.C!dha\nVT Total Detection:52/72\nFirst Submission:2026-01-30T10:36:02.000000+00:00\nLast Submission:2026-01-31T07:38:24.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772395495",
        "uuid": "340a299b-e755-4737-ac08-d29d60b7830e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "DynoWiper.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772395495",
            "to_ids": true,
            "type": "md5",
            "uuid": "43e9dbf5-2ac6-4761-968a-be35ec8a8bcc",
            "value": "c4379da51e8b9e86ec3de934f9373f4a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DynoWiper.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772394189",
            "to_ids": true,
            "type": "sha1",
            "uuid": "694a7f54-76c5-4ce7-a2d0-854a8264a43e",
            "value": "69ede7e341fd26fa0577692b601d80cb44778d93",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DynoWiper.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772394189",
            "to_ids": true,
            "type": "sha256",
            "uuid": "e42c3a81-35f0-4132-ac2c-772381048f08",
            "value": "d1389a1ff652f8ca5576f10e9fa2bf8e8398699ddfc87ddd3e26adb201242160",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772393980",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c3b4769a-8fe4-4c80-a927-8101b0cb8385",
            "value": "1536:AIlx+cpS8+c48t3UjpGyAgGsu0X55l1tSsHGVIdWQe7AtaCxc2BGywukCbg6DjcA:AaSz8tkNn9/Nc3mECxd8eD9yUS70V8E"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772393980",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "d696dfd9-b567-42e8-8f64-b11d47de1eaa",
            "value": "167424"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772393980",
            "to_ids": true,
            "type": "vhash",
            "uuid": "728bf0ff-9154-4e63-b871-5c9e6aede007",
            "value": "015056651d15556az4e!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772393980",
            "to_ids": true,
            "type": "filename",
            "uuid": "73194372-b183-48cd-b139-a2bedcccd4b9",
            "value": "d1389a1ff652f8ca5576f10e9fa2bf8e8398699ddfc87ddd3e26adb201242160.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/03/2026\nLast scan: 28/02/2026 (dates are DD/MM/YYYY)",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772393980",
            "to_ids": false,
            "type": "text",
            "uuid": "0ba9e4cf-db96-465b-9a2a-5f694de96ae1",
            "value": "DynoWiper.\r\nType Description: Win32 EXE\nMicrosoft: DoS:Win32/WprLandblan.B!dha\nVT Total Detection:53/72\nFirst Submission:2026-01-30T10:35:54.000000+00:00\nLast Submission:2026-02-07T16:25:58.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772395516",
        "uuid": "db618be4-f7fc-4e64-a184-8422e48e3d7b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "rsocx SOCKS5 proxy tool.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772395516",
            "to_ids": true,
            "type": "md5",
            "uuid": "4a232b6a-e8d5-4968-b9f0-0324e8c09b4c",
            "value": "f5271a6d909091527ed9f30eafa0ded6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "rsocx SOCKS5 proxy tool.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772394190",
            "to_ids": true,
            "type": "sha1",
            "uuid": "09e1aece-b33c-4005-8c08-72e8a34fd499",
            "value": "9ec4c38394ea2048ca81d48b1bd66de48d8bd4e8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "rsocx SOCKS5 proxy tool.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772394190",
            "to_ids": true,
            "type": "sha256",
            "uuid": "6b30a033-c050-4c9f-b3a6-8b17d9df84ef",
            "value": "648c2067ef3d59eb94b54c43e798707b030e0383b3651bcc6840dae41808d3a9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772394002",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "6783b01d-9fc7-48d0-afe5-658c024a1663",
            "value": "6144:qmX5EsKQpVx8YTVvW16emzegNlOlF9U4LqVuW0C8ZD78nSHkh:pJEsKUVxlvW1yzPNglvUeAuW0COInIU"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772394002",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4e22219f-0c34-4823-8ecf-ec13371839b8",
            "value": "307200"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772394002",
            "to_ids": true,
            "type": "vhash",
            "uuid": "a11a373a-9cb9-4d58-8162-cc1e5dff545f",
            "value": "03503e0f7d1019z43z1pz17z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772394002",
            "to_ids": true,
            "type": "filename",
            "uuid": "14b3a546-cb69-4f1b-bd50-3499f2ea5f26",
            "value": "parser.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/03/2026\nLast scan: 26/02/2026 (dates are DD/MM/YYYY)",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772394002",
            "to_ids": false,
            "type": "text",
            "uuid": "175d1f88-4d95-4cc9-a68d-195c32740c7c",
            "value": "rsocx SOCKS5 proxy tool.\r\nType Description: Win32 EXE\nMicrosoft: HackTool:Win32/Malgent!MSR\nVT Total Detection:40/72\nFirst Submission:2022-07-16T16:47:36.000000+00:00\nLast Submission:2025-11-21T09:58:21.000000+00:00\nNote: the first submission predates this event (2026-01-30) by several years, so a hash match most likely identifies the tool itself rather than this intrusion; corroborate with other indicators."
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772395538",
        "uuid": "d522921b-16d3-4567-8b16-ff951e8f8234",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Rubeus toolset for Kerberos attacks.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772395538",
            "to_ids": true,
            "type": "md5",
            "uuid": "83f335f5-e8ec-4488-8a43-d8aa36f11e46",
            "value": "5249503900c735425130477649872dfb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Rubeus toolset for Kerberos attacks.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772394192",
            "to_ids": true,
            "type": "sha1",
            "uuid": "925c4255-8378-4bb2-9c11-7584cbd40d09",
            "value": "410c8a57fe6e09edbfebaba7d5d3e4797ca80a19",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Rubeus toolset for Kerberos attacks.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772394192",
            "to_ids": true,
            "type": "sha256",
            "uuid": "32524b77-2644-47c4-8ecb-592a35bbea40",
            "value": "40a4b5e54fecce52c9d8ef5b2fa3973a3dd748c5bcedd7bde1154aa4a936c2e1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772394024",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e41400b5-93d4-4fae-83ff-f4e408918036",
            "value": "12288:LmK9Wcy9bjMDPD1tyigCTW6OYycAqgGIOHH+B+gJItvs2qAaomD:LmW8fMDPD1tyigCTW6OYycAqgGIOHH+P"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772394024",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "8dcbd753-8f00-4d28-8bd4-5fdf9b01671f",
            "value": "462848"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772394024",
            "to_ids": true,
            "type": "vhash",
            "uuid": "63c2821f-26c9-4f8c-b2b7-3481a286474b",
            "value": "245036551512a08dffb6001aff"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772394024",
            "to_ids": true,
            "type": "filename",
            "uuid": "2218a682-fb30-4891-87b3-5187e345c651",
            "value": "Rubeus.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/03/2026\nLast scan: 03/02/2026 (dates are DD/MM/YYYY)",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772394024",
            "to_ids": false,
            "type": "text",
            "uuid": "37f72c0a-6af4-45e2-bf65-fb664d254367",
            "value": "Rubeus toolset for Kerberos attacks.\r\nType Description: Win32 EXE\nMicrosoft: VirTool:Win32/Kekeo.A!MTB\nVT Total Detection:55/72\nFirst Submission:2024-11-11T20:07:14.000000+00:00\nLast Submission:2025-12-18T11:38:33.000000+00:00\nNote: the first submission predates this event (2026-01-30) by more than a year, so a hash match most likely identifies the tool itself rather than this intrusion; corroborate with other indicators."
          }
        ]
      }
    ]
  }
}