{
  "Event": {
    "analysis": "1",
    "date": "2016-01-28",
    "extends_uuid": "",
    "info": "[Threat Intel] BlackEnergy APT Attacks in Ukraine employ spearphishing with Word documents",
    "protected": false,
    "publish_timestamp": "1772419872",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1772419870",
    "uuid": "c7d9bc60-0375-43b2-9d52-2e3b930ec32b",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#190061",
        "local": false,
        "name": "rectifyq:topic=\"ics-ot\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"Kaspersky\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"BlackEnergy\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Energy\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Industrial\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Ukraine\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#f63636",
        "local": false,
        "name": "ICS-specific",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771811233",
        "to_ids": false,
        "type": "link",
        "uuid": "8bc0228f-1055-4b9d-a0b2-aa9da523f95d",
        "value": "https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/"
      },
      {
        "category": "Network activity",
        "comment": "BlackEnergy C&C Server",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771811595",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "f0ce8906-49ec-4500-91bd-e1654d9f4a66",
        "value": "5.149.254.114",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771811616",
        "uuid": "454ed018-11ba-4af3-b992-3393372bdaa4",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Word document with macros (Trojan-Downloader.Script.Generic)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771811616",
            "to_ids": true,
            "type": "md5",
            "uuid": "68e0aaa5-1f72-4a5d-b6b8-dfa40247a7a4",
            "value": "e15b36c2e394d599a8ab352159089dd2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Word document with macros (Trojan-Downloader.Script.Generic)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771811590",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e8a1557c-f4cb-437f-93da-e0f392779dcd",
            "value": "28719979d7ac8038f24ee0c15114c4a463be85fb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Word document with macros (Trojan-Downloader.Script.Generic)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771811591",
            "to_ids": true,
            "type": "sha256",
            "uuid": "9b74eccb-9711-48ba-9817-71f344e4b42f",
            "value": "39d04828ab0bba42a0e4cdd53fe1c04e4eef6d7b26d0008bd0d88b06cc316a81",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771811518",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "2c398af6-3640-4c48-8f34-c993b2ec451e",
            "value": "24576:QWa4kgsv/30DkRkkRbRjwwM6IfS1Uu6OduwW:Q83I/32kSkTjwwM6IfS1Uu6OduwW"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771811518",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "0527ebaa-6bc0-4b71-ad64-fe3f6515c80f",
            "value": "1194496"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771811518",
            "to_ids": true,
            "type": "vhash",
            "uuid": "7383c1ab-5f3b-42f5-bf33-ee47b80eda25",
            "value": "850225048f1c6dd021739dace14c0b8f"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771811518",
            "to_ids": true,
            "type": "filename",
            "uuid": "e1de2803-cdf5-4dbb-9cc7-6da9f3f242a6",
            "value": "doc.doc"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2026\nLast-scan: 04/08/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771811518",
            "to_ids": false,
            "type": "text",
            "uuid": "4d6fd5ff-7c85-44fc-8f71-4a2cf36a0c1d",
            "value": "Word document with macros (Trojan-Downloader.Script.Generic)\r\nType Description: MS Word Document\nMicrosoft: TrojanDropper:O97M/Aptdrop.H\nVT Total Detection:41/64\nFirst Submission:2016-01-20T08:03:52.000000+00:00\nLast Submission:2024-06-11T10:06:38.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771811638",
        "uuid": "30b0d6f8-6b7e-41b2-a6f6-23ac2ab1cce9",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Dropper from Word document (Backdoor.Win32.Fonten.y)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771811638",
            "to_ids": true,
            "type": "md5",
            "uuid": "0646370d-504c-441c-b0a0-f7d9252c652c",
            "value": "ac2d7f21c826ce0c449481f79138aebd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Dropper from Word document (Backdoor.Win32.Fonten.y)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771811591",
            "to_ids": true,
            "type": "sha1",
            "uuid": "0004801d-9734-441b-bd83-6a4df9df7a8d",
            "value": "4184888c26778f5596d6e8d83624512ed2f045dd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Dropper from Word document (Backdoor.Win32.Fonten.y)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771811591",
            "to_ids": true,
            "type": "sha256",
            "uuid": "26b5ffd6-9a8c-4721-9400-5632c75c338f",
            "value": "ca7a8180996a98e718f427837f9d52453b78d0a307e06e1866db4d4ce969d525",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771811539",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e1f3e2cc-d15a-4961-b3bb-2208117f5838",
            "value": "1536:40QMVvRZ+U09VjVOztGUL4RuXBYNrgMHvdlTCgXUpkOFA7UBMK1tk:4BMdyfzUBxYNrPdlTXe2K1tk"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771811539",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "98b28592-00c6-4352-8e79-7122da167ab8",
            "value": "110592"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771811539",
            "to_ids": true,
            "type": "vhash",
            "uuid": "8125ad14-726e-44ac-9ebb-bef7b7999827",
            "value": "015046755d15119z3anz1fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771811539",
            "to_ids": true,
            "type": "filename",
            "uuid": "72992940-ea42-44eb-ad15-424d9ed75f04",
            "value": "CPLEXE.EXE"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2026\nLast-scan: 25/03/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771811539",
            "to_ids": false,
            "type": "text",
            "uuid": "3991791e-746c-4924-ba94-d0ed78fac03e",
            "value": "Dropper from Word document (Backdoor.Win32.Fonten.y)\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Aptdrop\nVT Total Detection:61/72\nFirst Submission:2016-01-29T01:59:28.000000+00:00\nLast Submission:2024-06-11T10:06:46.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771811659",
        "uuid": "7cad86fb-f52c-4bf6-92b0-f6ea4b0391b6",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Final payload from Word document (Backdoor.Win32.Fonten.o)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771811659",
            "to_ids": true,
            "type": "md5",
            "uuid": "bb02df16-0779-402c-809d-ea47cc4efb35",
            "value": "3fa9130c9ec44e36e52142f3688313ff",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Final payload from Word document (Backdoor.Win32.Fonten.o)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771811593",
            "to_ids": true,
            "type": "sha1",
            "uuid": "6cbf9a90-817d-4f49-8a41-4ed0e982c7db",
            "value": "899baab61f32c68cde98db9d980cd4fe39edd572",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Final payload from Word document (Backdoor.Win32.Fonten.o)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771811593",
            "to_ids": true,
            "type": "sha256",
            "uuid": "eaee744a-e646-4329-bdef-902cc9ea2821",
            "value": "ef380e33a854ef9d9052c93fc68d133cfeaae3493683547c2f081dc220beb1b3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771811561",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "529cfca0-479a-47e3-b4b8-1eee3ceb9bc7",
            "value": "1536:udeKxHXH7KgTK81tXvArWtQ4ZME5jlIKtx3:ceKBKTWIr9jklIKtx3"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771811561",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "42a868a6-953d-4cb7-89d5-6521be2223be",
            "value": "56832"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771811561",
            "to_ids": true,
            "type": "vhash",
            "uuid": "7473fdfe-8e5e-4fe8-bec7-173a425c7afc",
            "value": "154056755d151510d8z58pz33z15z20"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771811561",
            "to_ids": true,
            "type": "filename",
            "uuid": "4b48f530-85c3-467d-b6c3-860befe95219",
            "value": "packet.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2026\nLast-scan: 04/11/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771811561",
            "to_ids": false,
            "type": "text",
            "uuid": "cbbbc4fd-63dc-452c-9ef1-e573f2d67a3c",
            "value": "Final payload from Word document (Backdoor.Win32.Fonten.o)\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Aptdrop\nVT Total Detection:56/72\nFirst Submission:2016-01-11T10:19:07.000000+00:00\nLast Submission:2024-06-11T10:06:52.000000+00:00"
          }
        ]
      }
    ]
  }
}