{
  "Event": {
    "analysis": "1",
    "date": "2023-05-25",
    "extends_uuid": "",
    "info": "[Threat Intel] COSMICENERGY: New OT Malware Possibly Related To Russian Emergency Response Exercises",
    "protected": false,
    "publish_timestamp": "1772424353",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1772424334",
    "uuid": "9d46d493-55c4-44f2-a025-6cc58d58f6dd",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#190061",
        "local": false,
        "name": "rectifyq:topic=\"ics-ot\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#f63636",
        "local": false,
        "name": "ICS-specific",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"Mandiant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"LIGHTWORK\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"PIEHOP\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#3500ca",
        "local": false,
        "name": "rectifyq:detection-rules=\"yara-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Command-Line Interface\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Data Destruction\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Manipulation of Control\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Unauthorized Command Message\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Industrial\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772363403",
        "to_ids": false,
        "type": "link",
        "uuid": "178201f4-7b9d-4138-84ea-cc3f8f0908d6",
        "value": "https://cloud.google.com/blog/topics/threat-intelligence/cosmicenergy-ot-malware-russian-response/"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772363504",
        "uuid": "c9325f06-5f7e-4bc2-aa8b-b2409c43e4ea",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772363504",
            "to_ids": false,
            "type": "text",
            "uuid": "5a5aeacc-fa45-41b7-8b0e-44fa14b25181",
            "value": "M_Hunting_PyInstaller_PIEHOP_Module_Strings"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772363504",
            "to_ids": false,
            "type": "comment",
            "uuid": "c1da81bd-cfa9-482a-ae3a-b4478e79d1a2",
            "value": "Searching for PyInstaller files with a custom Python script/module associated with PIEHOP"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772363504",
            "to_ids": true,
            "type": "yara",
            "uuid": "ee2e304b-34d8-440e-b3a5-616443acc509",
            "value": "rule M_Hunting_PyInstaller_PIEHOP_Module_Strings \r\n{\r\n     meta:\r\n          author = \"Mandiant\"\r\n          date = \"2023-04-11\"\r\n          description = \"Searching for PyInstaller files with a custom Python script/module associated with PIEHOP.\"\r\n \r\n     strings:\r\n          $lib = \"iec104_mssql_lib\" ascii\r\n\r\n     condition:\r\n          uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and \r\n          $lib\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772363519",
        "uuid": "013b5e0e-1da1-4e12-ba42-2f48623d2234",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772363519",
            "to_ids": false,
            "type": "text",
            "uuid": "d720a6a6-6a62-49fc-b666-a6856b9682e5",
            "value": "M_Hunting_Disrupt_LIGHTWORK_Strings"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772363519",
            "to_ids": false,
            "type": "comment",
            "uuid": "af130472-17b0-4966-8fa2-e5ed5dc51f41",
            "value": "Searching for strings associated with IEC-104 used in LIGHTWORK"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772363519",
            "to_ids": true,
            "type": "yara",
            "uuid": "d84854c7-bace-454d-922d-708a2d965135",
            "value": "rule M_Hunting_Disrupt_LIGHTWORK_Strings \r\n{\r\n     meta:\r\n          author = \"Mandiant\"\r\n          description = \"Searching for strings associated with IEC-104 used in LIGHTWORK.\"\r\n          date = \"2023-04-19\"\r\n \r\n     strings:\r\n          $s1 = \"Connecting to: %s:%i\\n\" ascii wide nocase\r\n          $s2 = \"Connected!\" ascii wide nocase\r\n          $s3 = \"Send control command C_SC_NA_1\" ascii wide nocase\r\n          $s4 = \"Connect failed!\" ascii wide nocase\r\n          $s5 = \"Send time sync command\" ascii wide nocase\r\n          $s6 = \"Wait ...\" ascii wide nocase\r\n          $s7 = \"exit 0\" ascii wide nocase\r\n \r\n     condition:\r\n          filesize < 5MB and\r\n          uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and\r\n          all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772368888",
        "uuid": "58bbe28f-5f1a-4e8a-912f-db65e9ad7f4e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "PIEHOP PyInstaller executable",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772368888",
            "to_ids": true,
            "type": "md5",
            "uuid": "258a094c-bf8f-4ab2-9513-54b92f2b5245",
            "value": "cd8f394652db3d0376ba24a990403d20",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "PIEHOP PyInstaller executable",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772367776",
            "to_ids": true,
            "type": "sha1",
            "uuid": "aa423f59-cdba-4706-b4b8-e1838f0784c7",
            "value": "bc07686b422aa0dd01c87ccf557863ee62f6a435",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "PIEHOP PyInstaller executable",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772367776",
            "to_ids": true,
            "type": "sha256",
            "uuid": "968cb436-3286-46a9-bc7a-98d7b7c30e56",
            "value": "358f0f8c23acea82c5f75d6a2de37b6bea7785ed0e32c41109c217c48bf16010",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772367182",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "512f41e2-8d9a-4c23-a923-fa7d7dda3003",
            "value": "98304:GU0gZ283zwMNolxsHJ3q3UkLPMN+S9DDpOtyu2It/800sBr/KzUFqmWjgGcd+vGR:GoEGzEAJEUkLPgNs2It/V1m2q7jgbdua"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772367182",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "6104ffab-5b6c-4b57-9bb3-bd859ee0a0a5",
            "value": "5431207"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772367182",
            "to_ids": true,
            "type": "vhash",
            "uuid": "6ff31d05-a7ea-4b3d-bf31-1de2866529a2",
            "value": "056056656d15756048z5d!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772367182",
            "to_ids": true,
            "type": "filename",
            "uuid": "9058b595-6ff7-4e25-9e7a-272af9c66067",
            "value": "r3_iec104_control.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan: 25/02/2026 (dates are DD/MM/YYYY)",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772367182",
            "to_ids": false,
            "type": "text",
            "uuid": "85b7d252-8109-49c8-b370-c854a531dc00",
            "value": "PIEHOP PyInstaller executable\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Malgent!MSR\nVT Total Detection:39/72\nFirst Submission:2021-12-08T11:27:46.000000+00:00\nLast Submission:2023-07-06T09:12:54.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772368909",
        "uuid": "c12e6641-d431-4cb1-ab60-57c07818c51f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "PIEHOP Python compiled bytecode entry point",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772368909",
            "to_ids": true,
            "type": "md5",
            "uuid": "90ab590e-43ed-4c89-b1d5-1fa2e537ef90",
            "value": "f716b30fc3d71d5e8678cc6b81811db4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "PIEHOP Python compiled bytecode entry point",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772367777",
            "to_ids": true,
            "type": "sha1",
            "uuid": "ac58ad51-4842-4362-bcd6-c66534f1ab53",
            "value": "e91e4df49afa628fba1691b7c668af64ed6b0e1d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "PIEHOP Python compiled bytecode entry point",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772367777",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b762657f-0525-453a-8117-9ad810398347",
            "value": "7dc25602983f7c5c3c4e81eeb1f2426587b6c1dc6627f20d51007beac840ea2b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772367204",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a48fb4fd-3fd3-4b3c-ad7e-c2d2621a5a41",
            "value": "6:CvmBZDtFADJLg9cVT4gFK0W/toH4I//bwKWrXPOM6bDIeXg7:CvmBZ5Fw3cAeVo13bEXwbDIes"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772367204",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7f2d3f78-0a09-4491-8eae-fe6ee66d3602",
            "value": "265"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan: 12/11/2025 (dates are DD/MM/YYYY)",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772367204",
            "to_ids": false,
            "type": "text",
            "uuid": "70bbed47-37a3-4113-82ad-cae14eb13833",
            "value": "PIEHOP Python compiled bytecode entry point\r\nType Description: Python byte-compiled\nMicrosoft: None\nVT Total Detection:1/62\nFirst Submission:2023-07-03T07:44:54.000000+00:00\nLast Submission:2023-07-03T07:44:54.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772368930",
        "uuid": "bfcc8ccf-2a17-49e5-aff7-44c77dc7513e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "PIEHOP Python compiled bytecode",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772368930",
            "to_ids": true,
            "type": "md5",
            "uuid": "303f0c7f-203d-47bb-b15e-6508afd040df",
            "value": "adfa40d44a58e1bc909abca444f7f616",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "PIEHOP Python compiled bytecode",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772367777",
            "to_ids": true,
            "type": "sha1",
            "uuid": "78123c9e-09a9-4118-b021-49104f0e347b",
            "value": "a9b5b16769f604947b9d8262841aa3082f7d71a2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "PIEHOP Python compiled bytecode",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772367778",
            "to_ids": true,
            "type": "sha256",
            "uuid": "710c9856-9d77-49f5-8a97-dae415701aa9",
            "value": "182d6f5821a04028fe4b603984b4d33574b7824105142b722e318717a688969e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772367289",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "9b5c9373-498a-4530-b18e-8784c58f1ec6",
            "value": "96:2/sjGUlZ9l/SN4LYQNc1w/H/0CC6Dj+laGjFgbLSu1JlIlRAmwvvfT3kwBm79ETm:d5paNA3NC8zCBfj2SuKfzwvv7MxETm"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772367289",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "3797dde9-509a-4db1-b93e-f48caea9b9bf",
            "value": "6675"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772367289",
            "to_ids": true,
            "type": "vhash",
            "uuid": "baf572a3-0025-49df-aea9-4d174a0160f7",
            "value": "4323215ed90aec1440246f342c1c0131"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772367289",
            "to_ids": true,
            "type": "filename",
            "uuid": "b243ebf6-7dde-4f38-99e9-27ced89337e7",
            "value": "unknown"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast-scan: 27/02/2026 (dates are DD/MM/YYYY)",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772367289",
            "to_ids": false,
            "type": "text",
            "uuid": "d8811b16-7da9-400f-9537-bcdf99998277",
            "value": "PIEHOP Python compiled bytecode\r\nType Description: VBA\nMicrosoft: None\nVT Total Detection:21/62\nFirst Submission:2023-06-19T13:12:55.000000+00:00\nLast Submission:2025-03-29T03:54:48.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772368951",
        "uuid": "2e359bd7-53f0-4429-aac9-e06271560484",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "LIGHTWORK executable",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772368951",
            "to_ids": true,
            "type": "md5",
            "uuid": "a28647ab-aaac-4342-a19f-baa77d299137",
            "value": "7b6678a1c0000344f4faf975c0cfc43d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "LIGHTWORK executable",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772367779",
            "to_ids": true,
            "type": "sha1",
            "uuid": "0a577845-7936-49f4-be05-16d9a04d6365",
            "value": "6eceb78acd1066294d72fe86ed57bf43bc6de6eb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "LIGHTWORK executable",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772367779",
            "to_ids": true,
            "type": "sha256",
            "uuid": "efa02687-87c7-4636-a535-749b92612662",
            "value": "740e0d2fba550308344b2fb0e5ecfebdd09329bdcfaa909d3357ad4fe5552532",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772367374",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e868e49e-4a39-4128-8dc5-a87f9875d6f8",
            "value": "6144:8qWmZxqq8D8NTeP5D6O9df6h/1MWfWqEhmz3mW96BacA2y/iXWuNCTVto+Mid9:vW+zRaDl9AhqtHkLF0QSHGpTvDLd9"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772367374",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a8daf054-ba58-4145-bb65-1d6a10254eed",
            "value": "607569"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772367374",
            "to_ids": true,
            "type": "vhash",
            "uuid": "e1f67aef-a1a5-4a38-8add-ee8c8ea8666b",
            "value": "0650f75d155c0d5d1d051az1b22sz157z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772367374",
            "to_ids": true,
            "type": "filename",
            "uuid": "6ea0a287-9e42-4d38-b948-71cea6901de3",
            "value": "740e0d2fba550308344b2fb0e5ecfebdd09329bdcfaa909d3357ad4fe5552532.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast scan: 13/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772367374",
            "to_ids": false,
            "type": "text",
            "uuid": "bd0e1c2f-7418-424c-b574-e9a88a4e772b",
            "value": "LIGHTWORK executable\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Smokeloader!ic\nVT Total Detection:53/72\nFirst Submission:2021-12-08T11:35:59.000000+00:00\nLast Submission:2025-12-21T06:07:47.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772424310",
        "uuid": "ec9a55db-e9df-48e3-8eb0-7a91556e1ae5",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Decompiled PIEHOP Python script. No sample in VirusTotal.\r\nLast check: 01/03/2026",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772424310",
            "to_ids": true,
            "type": "md5",
            "uuid": "8a33261a-e91c-4770-b8c5-8f4a2a2499c9",
            "value": "2b86adb6afdfa9216ef8ec2ff4fd2558",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Decompiled PIEHOP Python script. No sample in VirusTotal.\r\nLast check: 01/03/2026",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772424310",
            "to_ids": true,
            "type": "sha1",
            "uuid": "cd7bc81a-134a-497e-9d8c-00d64019ee12",
            "value": "20c9c04a6f8b95d2f0ce596dac226d56be519571",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Decompiled PIEHOP Python script. No sample in VirusTotal.\r\nLast check: 01/03/2026",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772424310",
            "to_ids": true,
            "type": "sha256",
            "uuid": "891bf0ac-0747-463d-8e7f-20302e16761f",
            "value": "90d96bb2aa2414a0262d38cc805122776a9405efece70beeebf3f0bcfc364c2d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772424334",
        "uuid": "1008bbcc-6f4a-489e-930f-5200cb96ae47",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Decompiled PIEHOP entry point Python script. No sample in VirusTotal.\r\nLast check: 01/03/2026",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772424334",
            "to_ids": true,
            "type": "md5",
            "uuid": "39b53069-e585-4ba0-a010-5a546f244907",
            "value": "c018c54eff8fd0b9be50b5d419d80f21",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Decompiled PIEHOP entry point Python script. No sample in VirusTotal.\r\nLast check: 01/03/2026",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772424334",
            "to_ids": true,
            "type": "sha1",
            "uuid": "35ef1523-6ecc-443e-aa25-71e37e2ed0cf",
            "value": "4d7c4bc20e8c392ede2cb0cef787fe007265973b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Decompiled PIEHOP entry point Python script. No sample in VirusTotal.\r\nLast check: 01/03/2026",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772424334",
            "to_ids": true,
            "type": "sha256",
            "uuid": "fb371e30-8019-453e-bda3-fef03a3782b7",
            "value": "8933477e82202de97fb41f4cbbe6af32596cec70b5b47da022046981c01506a7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          }
        ]
      }
    ]
  }
}