{
  "Event": {
    "analysis": "1",
    "date": "2017-12-13",
    "extends_uuid": "",
    "info": "[Threat Intel] Attackers Deploy New ICS Attack Framework \"TRITON\" and Cause Operational Disruption to Critical Infrastructure",
    "protected": false,
    "publish_timestamp": "1772419004",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1772419001",
    "uuid": "8fc6d517-39ba-4bf9-b526-503705f47fc9",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"Dragos\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Triton\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-software=\"Triton\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"Mandiant\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#190061",
        "local": false,
        "name": "rectifyq:topic=\"ics-ot\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#3500ca",
        "local": false,
        "name": "rectifyq:detection-rules=\"yara-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Acquire and/or use 3rd party infrastructure services - T1329\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Commonly Used Port - T1043\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Dynamic DNS - T1311\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Image File Execution Options Injection - T1183\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1076\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task/Job - T1053\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Timestomp - T1099\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Uncommonly Used Port - T1065\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
        "relationship_type": ""
      },
      {
        "colour": "#f63636",
        "local": false,
        "name": "ICS-specific",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Industrial\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772219153",
        "to_ids": false,
        "type": "link",
        "uuid": "c28af02f-1208-4431-9812-855117bf9b1e",
        "value": "https://web.archive.org/web/20190306134002/https://dragos.com/wp-content/uploads/TRISIS-01.pdf"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772219346",
        "to_ids": false,
        "type": "link",
        "uuid": "422d5a26-b219-42c9-ba58-ff90668e3589",
        "value": "https://cloud.google.com/blog/topics/threat-intelligence/attackers-deploy-new-ics-attack-framework-triton/"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772221377",
        "to_ids": false,
        "type": "link",
        "uuid": "79c9a10c-4a20-4336-9929-7de353460ea6",
        "value": "https://www.cisa.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772221550",
        "to_ids": false,
        "type": "link",
        "uuid": "75b88678-9fe3-445e-b5ee-b0df29c148e4",
        "value": "https://www.midnightblue.nl/blog/analyzing-the-triton-industrial-malware"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772221563",
        "to_ids": false,
        "type": "link",
        "uuid": "f539fe3a-5930-40b0-ae69-1be285520570",
        "value": "https://github.com/samvartaka/triton_analysis"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772221585",
        "to_ids": false,
        "type": "link",
        "uuid": "22d4a6e9-c641-42a4-8da8-a3b5d2fabba0",
        "value": "https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772221669",
        "to_ids": false,
        "type": "link",
        "uuid": "d42e3537-de9e-4e6d-8940-80f38850a475",
        "value": "https://www.cisa.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20A%29_S508C.PDF"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772221688",
        "to_ids": false,
        "type": "link",
        "uuid": "d3659278-b03b-4581-86cd-8f2e36d10e57",
        "value": "https://www.cisa.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772221813",
        "to_ids": false,
        "type": "link",
        "uuid": "520db6bd-6fff-40db-addb-5d2609d168e7",
        "value": "https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN?tab=readme-ov-file"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772244947",
        "to_ids": false,
        "type": "link",
        "uuid": "34fce63a-0118-410e-a2c3-0fd3062c9ac7",
        "value": "https://cloud.google.com/blog/topics/threat-intelligence/triton-attribution-russian-government-owned-lab-most-likely-built-tools/"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772245511",
        "to_ids": false,
        "type": "link",
        "uuid": "3fb6bf22-ee17-4d44-85ca-4f06322435ef",
        "value": "https://cloud.google.com/blog/topics/threat-intelligence/totally-tubular-treatise-triton-and-tristation"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772245511",
        "to_ids": false,
        "type": "link",
        "uuid": "5d1cf444-320f-4712-a21d-ed7b04a0ad40",
        "value": "https://cloud.google.com/blog/topics/threat-intelligence/triton-actor-ttp-profile-custom-attack-tools-detections/"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772219411",
        "uuid": "e379d8c2-cbc0-474c-85a7-8d6ea071c3dd",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772219411",
            "to_ids": false,
            "type": "text",
            "uuid": "f399d9ea-4a04-4c72-a5a1-7d06c2810190",
            "value": "TRITON_ICS_FRAMEWORK"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772219411",
            "to_ids": false,
            "type": "comment",
            "uuid": "ebccfd06-0c76-4aeb-a061-d00a40131f0f",
            "value": "TRITON framework recovered during Mandiant ICS incident response"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772219411",
            "to_ids": true,
            "type": "yara",
            "uuid": "2fb5f5de-36ff-443e-8e34-30fa21c65a62",
            "value": "rule TRITON_ICS_FRAMEWORK\r\n{\r\n      meta:\r\n          author = \"nicholas.carr @itsreallynick\"\r\n          md5 = \"0face841f7b2953e7c29c064d6886523\"\r\n          description = \"TRITON framework recovered during Mandiant ICS incident response\"\r\n      strings:\r\n          $python_compiled = \".pyc\" nocase ascii wide\r\n          $python_module_01 = \"__module__\" nocase ascii wide\r\n          $python_module_02 = \"<module>\" nocase ascii wide\r\n          $python_script_01 = \"import Ts\" nocase ascii wide\r\n          $python_script_02 = \"def ts_\" nocase ascii wide  \r\n\r\n          $py_cnames_01 = \"TS_cnames.py\" nocase ascii wide\r\n          $py_cnames_02 = \"TRICON\" nocase ascii wide\r\n          $py_cnames_03 = \"TriStation \" nocase ascii wide\r\n          $py_cnames_04 = \" chassis \" nocase ascii wide  \r\n\r\n          $py_tslibs_01 = \"GetCpStatus\" nocase ascii wide\r\n          $py_tslibs_02 = \"ts_\" ascii wide\r\n          $py_tslibs_03 = \" sequence\" nocase ascii wide\r\n          $py_tslibs_04 = /import Ts(Hi|Low|Base)/ nocase ascii wide\r\n          $py_tslibs_05 = /module\\s?version/ nocase ascii wide\r\n          $py_tslibs_06 = \"bad \" nocase ascii wide\r\n          $py_tslibs_07 = \"prog_cnt\" nocase ascii wide  \r\n\r\n          $py_tsbase_01 = \"TsBase.py\" nocase ascii wide\r\n          $py_tsbase_02 = \".TsBase(\" nocase ascii wide \r\n         \r\n          $py_tshi_01 = \"TsHi.py\" nocase ascii wide\r\n          $py_tshi_02 = \"keystate\" nocase ascii wide\r\n          $py_tshi_03 = \"GetProjectInfo\" nocase ascii wide\r\n          $py_tshi_04 = \"GetProgramTable\" nocase ascii wide\r\n          $py_tshi_05 = \"SafeAppendProgramMod\" nocase ascii wide\r\n          $py_tshi_06 = \".TsHi(\" ascii nocase wide  \r\n\r\n          $py_tslow_01 = \"TsLow.py\" nocase ascii wide\r\n          $py_tslow_02 = \"print_last_error\" ascii nocase wide\r\n          $py_tslow_03 = \".TsLow(\" ascii nocase wide\r\n 
         $py_tslow_04 = \"tcm_\" ascii wide\r\n          $py_tslow_05 = \" TCM found\" nocase ascii wide  \r\n\r\n          $py_crc_01 = \"crc.pyc\" nocase ascii wide\r\n          $py_crc_02 = \"CRC16_MODBUS\" ascii wide\r\n          $py_crc_03 = \"Kotov Alaxander\" nocase ascii wide\r\n          $py_crc_04 = \"CRC_CCITT_XMODEM\" ascii wide\r\n          $py_crc_05 = \"crc16ret\" ascii wide\r\n          $py_crc_06 = \"CRC16_CCITT_x1D0F\" ascii wide\r\n          $py_crc_07 = /CRC16_CCITT[^_]/ ascii wide  \r\n\r\n          $py_sh_01 = \"sh.pyc\" nocase ascii wide  \r\n\r\n          $py_keyword_01 = \" FAILURE\" ascii wide\r\n          $py_keyword_02 = \"symbol table\" nocase ascii wide  \r\n\r\n          $py_TRIDENT_01 = \"inject.bin\" ascii nocase wide\r\n          $py_TRIDENT_02 = \"imain.bin\" ascii nocase wide  \r\n\r\n      condition:\r\n          2 of ($python_*) and 7 of ($py_*) and filesize < 3MB\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772221446",
        "uuid": "ca754018-bf12-4e03-8fda-74712004c982",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772221446",
            "to_ids": false,
            "type": "text",
            "uuid": "d0239204-39a3-41c1-b870-389d28448a86",
            "value": "hatman : hatman"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772221446",
            "to_ids": false,
            "type": "comment",
            "uuid": "70044f20-7af1-4181-b51c-1c9a37854be1",
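            "value": "Yara rules to match the known binary components of the HatMan malware targeting Triconex safety controllers. The rule set includes a private global rule (filesize < 100KB); compile it in its own namespace so that limit does not also apply to unrelated rules."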
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772221446",
            "to_ids": true,
            "type": "yara",
            "uuid": "5fce224a-1ecb-44f7-b415-12243279421d",
            "value": "/*\r\n * DESCRIPTION: Yara rules to match the known binary components of the HatMan\r\n *              malware targeting Triconex safety controllers. Any matching\r\n *              components should hit using the \"hatman\" rule in addition to a\r\n *              more specific \"hatman_*\" rule.\r\n * AUTHOR:      DHS/NCCIC/ICS-CERT\r\n */\r\n\r\n/* Globally only look at small files. */\r\n\r\nprivate global rule hatman_filesize : hatman {\r\n    condition:\r\n        filesize < 100KB\r\n}\r\n\r\n/* Private rules that are used at the end in the public rules. */\r\n\r\nprivate rule hatman_setstatus : hatman {\r\n    strings:\r\n        $preset     = { 80 00 40 3c  00 00 62 80  40 00 80 3c  40 20 03 7c \r\n                        ?? ?? 82 40  04 00 62 80  60 00 80 3c  40 20 03 7c \r\n                        ?? ?? 82 40  ?? ?? 42 38                           }\r\n    condition:\r\n        $preset\r\n}\r\nprivate rule hatman_memcpy : hatman {\r\n    strings:\r\n        $memcpy_be  = { 7c a9 03 a6  38 84 ff ff  38 63 ff ff  8c a4 00 01 \r\n                        9c a3 00 01  42 00 ff f8  4e 80 00 20              }\r\n        $memcpy_le  = { a6 03 a9 7c  ff ff 84 38  ff ff 63 38  01 00 a4 8c\r\n                        01 00 a3 9c  f8 ff 00 42  20 00 80 4e              }\r\n    condition:\r\n        $memcpy_be or $memcpy_le\r\n}\r\nprivate rule hatman_dividers : hatman {\r\n    strings:\r\n        $div1       = { 9a 78 56 00 }\r\n        $div2       = { 34 12 00 00 }\r\n    condition:\r\n        $div1 and $div2\r\n}\r\nprivate rule hatman_nullsub : hatman {\r\n    strings:\r\n        $nullsub     = { ff ff 60 38  02 00 00 44  20 00 80 4e }\r\n    condition:\r\n        $nullsub\r\n}\r\nprivate rule hatman_origaddr : hatman {\r\n    strings:\r\n        $oaddr_be   = { 3c 60 00 03  60 63 96 f4  4e 80 00 20 }\r\n        $oaddr_le   = { 03 00 60 3c  f4 96 63 60  20 00 80 4e }\r\n    condition:\r\n        $oaddr_be or $oaddr_le\r\n}\r\nprivate rule 
hatman_origcode : hatman {\r\n    strings:\r\n        $ocode_be   = { 3c 00 00 03  60 00 a0 b0  7c 09 03 a6  4e 80 04 20 }\r\n        $ocode_le   = { 03 00 00 3c  b0 a0 00 60  a6 03 09 7c  20 04 80 4e }\r\n    condition:\r\n        $ocode_be or $ocode_le\r\n}\r\nprivate rule hatman_mftmsr : hatman {\r\n    strings:\r\n        $mfmsr_be   = { 7c 63 00 a6 }\r\n        $mfmsr_le   = { a6 00 63 7c }\r\n        $mtmsr_be   = { 7c 63 01 24 }\r\n        $mtmsr_le   = { 24 01 63 7c }\r\n    condition:\r\n        ($mfmsr_be and $mtmsr_be) or ($mfmsr_le and $mtmsr_le)\r\n}\r\nprivate rule hatman_loadoff : hatman {\r\n    strings:\r\n        $loadoff_be = { 80 60 00 04  48 00 ?? ??  70 60 ff ff  28 00 00 00\r\n                        40 82 ?? ??  28 03 00 00  41 82 ?? ??              }\r\n        $loadoff_le = { 04 00 60 80  ?? ?? 00 48  ff ff 60 70  00 00 00 28 \r\n                        ?? ?? 82 40  00 00 03 28  ?? ?? 82 41              }\r\n    condition:\r\n        $loadoff_be or $loadoff_le\r\n}\r\nprivate rule hatman_injector_int : hatman {\r\n    condition:\r\n        hatman_memcpy and hatman_origaddr and hatman_loadoff\r\n}\r\nprivate rule hatman_payload_int : hatman {\r\n    condition:\r\n        hatman_memcpy and hatman_origcode and hatman_mftmsr\r\n}\r\n\r\n/* Actual public rules to match using the private rules. 
*/\r\n\r\nrule hatman_compiled_python : hatman {\r\n    condition:\r\n        hatman_nullsub and hatman_setstatus and hatman_dividers\r\n}\r\nrule hatman_injector : hatman {\r\n    condition:\r\n        hatman_injector_int and not hatman_payload_int\r\n}\r\nrule hatman_payload : hatman {\r\n    condition:\r\n        hatman_payload_int and not hatman_injector_int\r\n}\r\nrule hatman_combined : hatman {\r\n    condition:\r\n        hatman_injector_int and hatman_payload_int and hatman_dividers\r\n}\r\nrule hatman : hatman {\r\n    meta:\r\n        author = \"DHS/NCCIC/ICS-CERT\"\r\n        description = \"Matches the known samples of the HatMan malware.\"\r\n    condition:\r\n        hatman_compiled_python or hatman_injector or hatman_payload\r\n            or hatman_combined\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772248992",
        "uuid": "3f832bbd-7092-4614-b9fc-49f2e868e499",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772248992",
            "to_ids": true,
            "type": "md5",
            "uuid": "a4645240-6003-474f-9a59-4bb6d7eaffa4",
            "value": "6c39c3f4a08d3d78f2eb973a94bd7718",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772248975",
            "to_ids": true,
            "type": "sha1",
            "uuid": "9bc6619a-77e5-4949-9df1-9a225d51b248",
            "value": "dc81f383624955e0c0441734f9f1dabfe03f373c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772248975",
            "to_ids": true,
            "type": "sha256",
            "uuid": "aacd0c2d-ee7d-437c-86ea-80d665cc8c25",
            "value": "e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772248643",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "2cd7d50a-67d0-43b9-a25f-2c6f0a108a02",
            "value": "384:eIn2vPeqUfmEZ+nUn0fJCfMdXWgugoL2RrXdUWJCXXtB:eBPeqYmEb0kUX9XdUzXv"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772248643",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "018a099d-ca70-497e-a1fc-e7f56b8958fb",
            "value": "21504"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772248643",
            "to_ids": true,
            "type": "vhash",
            "uuid": "5a9355d4-aed8-4957-b328-600c5852b2c1",
            "value": "024046655d155az28#z2c1z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772248643",
            "to_ids": true,
            "type": "filename",
            "uuid": "7126e128-bf34-4d58-b111-d7d608d18cff",
            "value": "e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 28/02/2026\nLast-scan\t:  11/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772248643",
            "to_ids": false,
            "type": "text",
            "uuid": "d0fd4b52-7e98-4ec3-b6f2-e187a626f704",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrystalDoom.A!dha\nVT Total Detection:55/72\nFirst Submission:2017-08-29T18:21:39.000000+00:00\nLast Submission:2026-02-27T01:03:16.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772249013",
        "uuid": "2b59f7de-6266-4461-95f6-8d3812748c7e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772249013",
            "to_ids": true,
            "type": "md5",
            "uuid": "84f771ed-6ea2-4947-a3d6-d8fb4b8a2c14",
            "value": "437f135ba179959a580412e564d3107f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772248976",
            "to_ids": true,
            "type": "sha1",
            "uuid": "41976b47-d445-4c52-af2d-852a7202c3f5",
            "value": "b47ad4840089247b058121e95732beb82e6311d0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772248976",
            "to_ids": true,
            "type": "sha256",
            "uuid": "21d72908-4532-45af-b044-5ceca31d0557",
            "value": "08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772248665",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "1a86a020-3dc2-45c2-90c2-c118d151545c",
            "value": "12:7s5q/29Vdb5t+JuqqNvIlUBrlf+X9tZaf:Qg/0B5titsvIaBrlf+X9tkf"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772248665",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b733c58a-1463-4ad0-a1a6-042a459af01d",
            "value": "436"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772248665",
            "to_ids": true,
            "type": "filename",
            "uuid": "194dc779-019d-47b6-8c42-6cf96c707a35",
            "value": "BK (3237)"
          },
          {
            "category": "Other",
            "comment": "Checked: 28/02/2026\nLast-scan\t:  05/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772248665",
            "to_ids": false,
            "type": "text",
            "uuid": "8cbb6051-f159-47e7-88ee-1e73067dd8dc",
            "value": "Type Description: unknown\nMicrosoft: Trojan:Win32/CrystalDoom.C!dha\nVT Total Detection:35/62\nFirst Submission:2017-12-22T12:37:36.000000+00:00\nLast Submission:2026-02-26T01:53:10.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772249034",
        "uuid": "b2c93622-8e55-43ba-90ae-d2543015c730",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772249034",
            "to_ids": true,
            "type": "md5",
            "uuid": "518ab8df-372e-4ec1-9d95-fa337a48cc86",
            "value": "0544d425c7555dc4e9d76b571f31f500",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772248977",
            "to_ids": true,
            "type": "sha1",
            "uuid": "31827cc2-1992-481d-81ab-d1554811bb1c",
            "value": "f403292f6cb315c84f84f6c51490e2e8cd03c686",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772248978",
            "to_ids": true,
            "type": "sha256",
            "uuid": "08f50095-d9d9-4b1b-988d-5d1dd59302f3",
            "value": "5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772248687",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "8ccddf7b-0e4d-4c66-b689-a3713b3d0488",
            "value": "48:qn0Tc9pFbfcED8ZscEOGXcE+XcyAGs8ocyt1BcSdiKPtkOcyPkENdORgXHgF:qn0+Fb7IA1bPqMcYsg3gF"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772248687",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "ad7fc7e1-faea-439b-92c5-cd9538cf7d46",
            "value": "2104"
          },
          {
            "category": "Payload delivery",
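            "comment": "Filename is identical to that of a legitimate Windows system library; on its own it will match benign files, so use it only together with this object's hashes.",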
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772248687",
            "to_ids": true,
            "type": "filename",
            "uuid": "9c0c38c6-4feb-4b89-9003-e2008c31499f",
            "value": "ntdll.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 28/02/2026\nLast-scan\t:  26/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772248687",
            "to_ids": false,
            "type": "text",
            "uuid": "61439bd3-2ccc-42df-94d7-477843f89cff",
            "value": "Type Description: unknown\nMicrosoft: Trojan:Win32/CrystalDoom.D!dha\nVT Total Detection:11/62\nFirst Submission:2017-12-22T12:38:09.000000+00:00\nLast Submission:2026-02-26T01:52:46.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772249056",
        "uuid": "44453c27-04bd-4cb4-b782-a26942e974d2",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772249056",
            "to_ids": true,
            "type": "md5",
            "uuid": "ff89e20b-0e90-46e4-8306-1a3218f77f52",
            "value": "0face841f7b2953e7c29c064d6886523",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772248978",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7d1e7ee4-b000-4479-ac16-7620543a8ae6",
            "value": "1dd89871c4f8eca7a42642bf4c5ec2aa7688fd5c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772248978",
            "to_ids": true,
            "type": "sha256",
            "uuid": "8c95db9a-73be-4100-94a7-cb4fd17d49a1",
            "value": "bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772248708",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "13915518-8c0b-45db-8043-a4b56a820bac",
            "value": "12288:z4tCV9Jybp/AX2Ng4TBDHbowjbVMdX4lMBydixDoCbs+oKRpT1gLhcFAsLc4z0DL:xkAJ4TB6XIM/70txaYB57ATltTlHu"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772248708",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "107183a5-e9b0-478a-91c6-44c3df4445e1",
            "value": "1708616"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772248708",
            "to_ids": true,
            "type": "vhash",
            "uuid": "2e957500-0ac4-49b1-8cf5-5b616f16d317",
            "value": "47b963c6b91184c6e1f2bafde575b3b5"
          },
          {
            "category": "Payload delivery",
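            "comment": "Generic filename; on its own it is not a reliable indicator, so use it only together with this object's hashes.",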
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772248708",
            "to_ids": true,
            "type": "filename",
            "uuid": "ea1d1d36-5508-4822-9990-71b716b5cc69",
            "value": "test"
          },
          {
            "category": "Other",
            "comment": "Checked: 28/02/2026\nLast-scan\t:  21/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772248708",
            "to_ids": false,
            "type": "text",
            "uuid": "0075bb83-c989-4f4a-9d64-a5c1cfdcc1a1",
            "value": "Type Description: ZIP\nMicrosoft: Trojan:Win32/CrystalDoom.F!dha\nVT Total Detection:39/66\nFirst Submission:2017-12-22T12:53:22.000000+00:00\nLast Submission:2026-02-26T08:35:16.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772249077",
        "uuid": "c0ce2255-2133-4449-aa0b-fc55258f1385",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772249077",
            "to_ids": true,
            "type": "md5",
            "uuid": "331f21aa-3a3e-4da1-a6f7-fb499d9d93e4",
            "value": "e98f4f3505f05bf90e17554fbc97bba9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772248979",
            "to_ids": true,
            "type": "sha1",
            "uuid": "01bf1b38-5c69-4086-af6b-b58113729e49",
            "value": "97e785e92b416638c3a584ffbfce9f8f0434a5fd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772248979",
            "to_ids": true,
            "type": "sha256",
            "uuid": "e9c684b3-ed5b-4bcc-a02e-6a52b73c7234",
            "value": "2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772248730",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "1bfbe341-5f52-4aee-a798-974c3afeccf4",
            "value": "192:K8vxkD3nbLL3anx3MzraW/97kxQ7g+O/MEQVI4dAQ9i3:FxkD37qnBoa2oxQOf4r6"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772248730",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "714b818d-3c0a-4f1a-a899-3b8366464e6e",
            "value": "8693"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772248730",
            "to_ids": true,
            "type": "filename",
            "uuid": "fdeae56f-ef37-4592-b2c0-a826ceb4bd1a",
            "value": "TS_cnames.pyc"
          },
          {
            "category": "Other",
            "comment": "Checked: 28/02/2026\nLast-scan\t:  05/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772248730",
            "to_ids": false,
            "type": "text",
            "uuid": "676d571a-822c-4f91-a273-2d17606bd575",
            "value": "Type Description: Python byte-compiled\nMicrosoft: Trojan:Win32/CrystalDoom.G!dha\nVT Total Detection:24/62\nFirst Submission:2018-01-26T00:43:10.000000+00:00\nLast Submission:2026-02-26T01:49:49.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772249098",
        "uuid": "bfd716fd-a57c-43cf-92e8-59db76069c59",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772249098",
            "to_ids": true,
            "type": "md5",
            "uuid": "4f63a000-fdeb-414e-b81a-3be24f15c202",
            "value": "288166952f934146be172f6353e9a1f5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772248980",
            "to_ids": true,
            "type": "sha1",
            "uuid": "8efb40d8-89de-4a83-b367-a8be52032704",
            "value": "d6e997a4b6a54d1aeedb646731f3b0893aee4b82",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772248980",
            "to_ids": true,
            "type": "sha256",
            "uuid": "41dab266-7c10-4d7b-9fd4-c37457399359",
            "value": "1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772248752",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d17db354-056d-44e0-bd21-33b87414cf1d",
            "value": "96:pYcmMvHgPyhzhThiTjhidWFT/lhCvJkumKLTC2CnhuJ9:pHmMvgqhzhThiTjhi4FTDCvJkummC2Ck"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772248752",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "32b34923-bad3-48a4-9046-bbe9afef1e29",
            "value": "5059"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772248752",
            "to_ids": true,
            "type": "filename",
            "uuid": "67f2ad6d-0585-4d34-8883-dd55403308bd",
            "value": "TsBase.pyc"
          },
          {
            "category": "Other",
            "comment": "Checked: 28/02/2026\nLast-scan\t:  20/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772248752",
            "to_ids": false,
            "type": "text",
            "uuid": "130c46bb-a831-4750-a57e-b23c8ec8121b",
            "value": "Type Description: Python byte-compiled\nMicrosoft: Trojan:Win32/CrystalDoom.H!dha\nVT Total Detection:35/62\nFirst Submission:2018-01-25T21:39:00.000000+00:00\nLast Submission:2026-02-26T01:50:06.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772249120",
        "uuid": "fef030e1-78d6-45b5-a17d-c76a86f4f842",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772249120",
            "to_ids": true,
            "type": "md5",
            "uuid": "e143c87b-7c06-4b98-bc52-e2d25b82005e",
            "value": "27c69aa39024d21ea109cc9c9d944a04",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772248982",
            "to_ids": true,
            "type": "sha1",
            "uuid": "85bc1455-36b0-46b9-a34e-1ae777f9a26a",
            "value": "66d39af5d61507cf7ea29e4b213f8d7dc9598bed",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772248982",
            "to_ids": true,
            "type": "sha256",
            "uuid": "6ac07173-fc7a-4e68-8bda-9e8d13c7f972",
            "value": "758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772248774",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "8a75373a-c33a-4c87-baba-a4cf0c7507ae",
            "value": "192:Q2bVZKjrQyOmaNJ5zYzz3OXfSYKNuZOIVvcU8GwjSdPd3LDvMVaSeaqnQK:PbjWDmJ5B04ZOyvUGdGVaSeaCQK"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772248774",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "9ece8e77-0a3c-4609-a5f1-3ba6b79f7210",
            "value": "10867"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772248774",
            "to_ids": true,
            "type": "filename",
            "uuid": "e36b7e54-9301-40fc-8caa-941b241b80b2",
            "value": "TsHi.pyc"
          },
          {
            "category": "Other",
            "comment": "Checked: 28/02/2026\nLast-scan\t:  26/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772248774",
            "to_ids": false,
            "type": "text",
            "uuid": "f9395fa2-87a1-4ee6-a7dc-3b002351eee5",
            "value": "Type Description: Python byte-compiled\nMicrosoft: Trojan:Win32/CrystalDoom!dha\nVT Total Detection:37/62\nFirst Submission:2018-01-25T22:52:15.000000+00:00\nLast Submission:2026-02-27T01:03:54.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772249141",
        "uuid": "026e0501-0b18-486a-a5b4-9b610cfb19e8",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772249141",
            "to_ids": true,
            "type": "md5",
            "uuid": "7f425a28-88d1-4f78-9be9-b60bd65735d0",
            "value": "f6b3a73c8c87506acda430671360ce15",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772248983",
            "to_ids": true,
            "type": "sha1",
            "uuid": "319c9d6b-ab64-4ce5-b907-c2921ce63221",
            "value": "a6357a8792e68b05690a9736bc3051cba4b43227",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772248983",
            "to_ids": true,
            "type": "sha256",
            "uuid": "166e82f9-a571-45b1-9139-a22ca96e22d3",
            "value": "5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772248795",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "decbda34-62c6-445a-8e60-dafe5806f4d1",
            "value": "192:1dDqL+G9fM1bVaaFjUQoDA+BWXuyvTrUjOAAfXpBrtB:1dDq6ZaaFgQoDFBWXPTrUD8Xz"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772248795",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b70de893-8cb1-4f86-bacb-7fe492a66cf0",
            "value": "9728"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772248795",
            "to_ids": true,
            "type": "filename",
            "uuid": "e2ced6f1-75fb-40bd-b090-6896e0b93203",
            "value": "TsLow.pyc"
          },
          {
            "category": "Other",
            "comment": "Checked: 28/02/2026\nLast-scan\t:  26/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772248795",
            "to_ids": false,
            "type": "text",
            "uuid": "cb4e9eec-4dd4-4f73-84ed-b17aa7c1b309",
            "value": "Type Description: Python byte-compiled\nMicrosoft: Trojan:Win32/CrystalDoom!dha\nVT Total Detection:37/62\nFirst Submission:2018-01-26T00:43:10.000000+00:00\nLast Submission:2026-02-26T01:49:14.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772249163",
        "uuid": "9185f71c-46ed-4c20-9f00-9c205f305b35",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772249163",
            "to_ids": true,
            "type": "md5",
            "uuid": "fedf7313-592e-433e-ada6-4ab75617ec42",
            "value": "8b675db417cc8b23f4c43f3de5c83438",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772248984",
            "to_ids": true,
            "type": "sha1",
            "uuid": "47927af7-3ef9-448e-9a11-ef722b26bf42",
            "value": "25dd6785b941ffe6085dd5b4dbded37e1077e222",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772248984",
            "to_ids": true,
            "type": "sha256",
            "uuid": "0d3d082f-9c56-42b9-b7de-3d4f3be4d197",
            "value": "c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772248817",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "adbc0549-2345-46c6-b636-e1ececf218f5",
            "value": "24:CCUhYkup46cAuijWV5qzbMzEa+JNlYufGYyRF/2G8sUk2OXAUc+CZTBPhsHbGm3:CPUq6cLijOqHMzEbf3MF92O4Nh6Hz"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772248817",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "eabfb92f-da19-4d74-b87a-6d77ad2062f8",
            "value": "1429"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772248817",
            "to_ids": true,
            "type": "filename",
            "uuid": "73999d9d-45b3-4c26-82e7-bd47e3676832",
            "value": "sh.pyc"
          },
          {
            "category": "Other",
            "comment": "Checked: 28/02/2026\nLast-scan\t:  26/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772248817",
            "to_ids": false,
            "type": "text",
            "uuid": "4b6b541a-04a5-4098-87af-a43e9e336400",
            "value": "Type Description: Python byte-compiled\nMicrosoft: Trojan:Win32/CrystalDoom!dha\nVT Total Detection:32/62\nFirst Submission:2018-09-28T05:32:58.000000+00:00\nLast Submission:2026-02-26T08:35:43.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772249184",
        "uuid": "2d229568-d683-42de-b772-49bf27d58e4d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772249184",
            "to_ids": true,
            "type": "md5",
            "uuid": "84233317-9774-404d-b919-0c4e57bf6550",
            "value": "0b4e76e84fa4d6a9716d89107626da9b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772248985",
            "to_ids": true,
            "type": "sha1",
            "uuid": "556d2c62-9e62-4d94-8066-f42c541f8ad5",
            "value": "1994098be85f9822d33337f772e89deeea615504",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772248985",
            "to_ids": true,
            "type": "sha256",
            "uuid": "43fbc22e-3f43-4832-bd9a-dfeac879eedf",
            "value": "f9549051966581ceac7d9772103db4c7b3f00504d07b92de4500e5460c334d96",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772248839",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "96c0261e-dff2-43ee-8b31-113cb5a69f0a",
            "value": "192:oe2hnEwYR1KrxwG5DfNdzmuJ9dMT3yWWAqmm6hZivo+4aBh7Gsw:oe2hEwYTK1wGJ3jWF9rWKsw"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772248839",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "3393abe3-29b7-4722-837c-dcf76bc6eb28",
            "value": "10043"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772248839",
            "to_ids": true,
            "type": "filename",
            "uuid": "dc199f24-6c5d-4d68-b61f-ddbe112e857b",
            "value": "trilog.7z"
          },
          {
            "category": "Other",
            "comment": "Checked: 28/02/2026\nLast-scan\t:  21/06/2024",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772248839",
            "to_ids": false,
            "type": "text",
            "uuid": "55b452d7-3c4e-4fb9-aafc-8bbfbcac7bdb",
            "value": "Type Description: 7ZIP\nMicrosoft: None\nVT Total Detection:4/64\nFirst Submission:2018-05-14T10:40:27.000000+00:00\nLast Submission:2025-08-03T19:39:39.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772249205",
        "uuid": "8841198f-3be0-4a56-ab93-0bbae92d766c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772249205",
            "to_ids": true,
            "type": "md5",
            "uuid": "23018110-4cc4-4418-a37a-ac7a2055555b",
            "value": "76f84d3aee53b2856575c9f55a9487e7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772248986",
            "to_ids": true,
            "type": "sha1",
            "uuid": "3f19a851-ceb9-4e73-9a82-f7ebec115349",
            "value": "510ef7427a1dfa8a0fdc481653c398a7fe37ace6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772248986",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f406faed-9932-4d6a-a3ea-8e094a3eb965",
            "value": "893d039b03a09f8b91b8a3681e1d4b96ee963d0563875c1a17792316ff2a5498",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772248861",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "24634a14-3158-43bf-921e-a3a3076b2b79",
            "value": "6144:0A9fix9+P2uOrtX/jH8/iJJyKtyGgCklgBV3ugrTFKD23p/rfHg19J+nyCMSPXAy:0ieuOrtz1yKbkQV3VrTFKD23dYbJqphd"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772248861",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7fd02cd1-7777-45c9-9f58-6275cc8dd05f",
            "value": "390335"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772248861",
            "to_ids": true,
            "type": "filename",
            "uuid": "aa77dc55-ff18-4f22-93bd-a3e5437eef52",
            "value": "library.7z"
          },
          {
            "category": "Other",
            "comment": "Checked: 28/02/2026\nLast-scan\t:  19/06/2024",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772248861",
            "to_ids": false,
            "type": "text",
            "uuid": "f61c6d8e-85b3-49b4-a5ae-b1829725ff0b",
            "value": "Type Description: 7ZIP\nMicrosoft: None\nVT Total Detection:0/65\nFirst Submission:2018-10-23T17:54:44.000000+00:00\nLast Submission:2023-09-23T13:20:26.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772249226",
        "uuid": "4693d652-57c9-478c-9ea9-9b05bbfbedf5",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772249226",
            "to_ids": true,
            "type": "md5",
            "uuid": "9002b2d9-508d-4fad-b09b-3ec2b511a7c9",
            "value": "d173e8016e73f0f2c17b5217a31153be",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772248987",
            "to_ids": true,
            "type": "sha1",
            "uuid": "401fe49e-8fb5-4703-8704-4ddf9e9aba4f",
            "value": "e7872adbefbd8dcf5f3b01116cd040ca3982a42c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772248987",
            "to_ids": true,
            "type": "sha256",
            "uuid": "780d8513-88d7-4608-9324-41e4c383860f",
            "value": "0a594adab279580217b2a1fe0e07e5219cc6ea304b81998e2c02ee269e6877a3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772248883",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "63b47ee4-ce9c-441f-8de3-cb0e7fba182d",
            "value": "12:9eV2WjE0r3ID4d8EL1niy89nw+cX4WkmFLm7vU:u2WjE01d8EViBNJPCL1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772248883",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "fd45b4e2-aa70-4ccd-b719-417656de9fac",
            "value": "488"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772248883",
            "to_ids": true,
            "type": "filename",
            "uuid": "150d8c21-ec58-45fc-8bab-4b998e478cc1",
            "value": "imain.7z"
          },
          {
            "category": "Other",
            "comment": "Checked: 28/02/2026\nLast-scan\t:  19/06/2024",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772248883",
            "to_ids": false,
            "type": "text",
            "uuid": "48f0fb47-dad4-4092-ba9e-fe9fd81c0511",
            "value": "Type Description: 7ZIP\nMicrosoft: None\nVT Total Detection:0/64\nFirst Submission:2018-01-17T11:00:44.000000+00:00\nLast Submission:2023-09-23T13:19:33.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772249248",
        "uuid": "b69e8e98-c2f4-4473-8c78-62348785b23a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772249248",
            "to_ids": true,
            "type": "md5",
            "uuid": "555baba4-5db8-4785-98f9-a05fd6298b24",
            "value": "80fdda5ea7eec98bfdd07fec8f644c2d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772248988",
            "to_ids": true,
            "type": "sha1",
            "uuid": "0ed661bb-410f-44e2-957f-3526191706c8",
            "value": "c3459bdd8a134166f464f9a17761ac5591cc73bd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772248988",
            "to_ids": true,
            "type": "sha256",
            "uuid": "0cd6d275-8744-4486-99d4-811faa58c088",
            "value": "2a2092efb0c943d71f7a5f473cbcded452c1f4d4cbbc168c4f5d67bf6679cd6a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772248905",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "08ac0a47-a006-4dfc-9900-10aad4a61b41",
            "value": "24:cLB/gjvo9dSsmpU9UP2cjbnTZ4E96FxDB02wLA0C:lTimpUZc/nTZ58tZ0C"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772248905",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "3dfb961f-05b9-4422-b52b-5ae0f2460bc0",
            "value": "1162"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772248905",
            "to_ids": true,
            "type": "filename",
            "uuid": "ffa72970-9a83-43f5-bb1c-d5af466dffea",
            "value": "inject.7z"
          },
          {
            "category": "Other",
            "comment": "Checked: 28/02/2026\nLast-scan\t:  23/09/2023",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772248905",
            "to_ids": false,
            "type": "text",
            "uuid": "7ffe01db-36ef-473b-97fd-072bf5a2b757",
            "value": "Type Description: 7ZIP\nMicrosoft: None\nVT Total Detection:0/59\nFirst Submission:2022-12-18T17:20:48.000000+00:00\nLast Submission:2023-09-23T13:20:05.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772249269",
        "uuid": "b6ba91f2-69f5-47a2-a7b6-c3ebb1feb770",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772249269",
            "to_ids": true,
            "type": "md5",
            "uuid": "cdbcd96d-d71a-459c-ab92-12a86b9086b4",
            "value": "c382f242f62a3c5f4aab2093f6e0fb2f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772248989",
            "to_ids": true,
            "type": "sha1",
            "uuid": "8178f837-126c-46f9-ac64-fa7ecb94d41c",
            "value": "0226284935aae4a9260be9b0659855497d42377f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772248990",
            "to_ids": true,
            "type": "sha256",
            "uuid": "7e69754c-8c8f-4a0b-abc8-781bde731035",
            "value": "c461e425ccb81ff4a1cf945a2839a0180ce31938d96477a86adfdbd01e5553de",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772248927",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "067c60c6-6036-4b4d-b0d5-cdbcd631c151",
            "value": "6144:ps0rB4CH7VIrUhNsOCO8V2nA/jKG9Kg5DT3wj9TYAvAIURQb+:eQrbVIrUhNdGVWG9K6DTAj9TYblQ+"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772248927",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a1e2408d-87ae-4278-b25f-1365342e1414",
            "value": "399155"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772248927",
            "to_ids": true,
            "type": "filename",
            "uuid": "928fabc9-a058-430c-9131-b5f5fe76a595",
            "value": "all (1).7z"
          },
          {
            "category": "Other",
            "comment": "Checked: 28/02/2026\nLast-scan\t:  16/11/2022",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772248927",
            "to_ids": false,
            "type": "text",
            "uuid": "cfefc6dc-ebb1-4c15-a6a8-8feb188d770f",
            "value": "Type Description: 7ZIP\nMicrosoft: None\nVT Total Detection:1/61\nFirst Submission:2022-11-15T16:13:05.000000+00:00\nLast Submission:2025-12-03T13:17:52.000000+00:00"
          }
        ]
      }
    ]
  }
}