{
  "Event": {
    "analysis": "1",
    "date": "2017-07-25",
    "extends_uuid": "3552e71b-675c-4291-afbf-8399ac6af719",
    "info": "[Threat Intel] CRASHOVERRIDE Malware",
    "protected": false,
    "publish_timestamp": "1772419181",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1772419178",
    "uuid": "c8cd9765-2ca6-4118-9b2a-42baa8bade7c",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"CISA\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Industroyer\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-software=\"Industroyer\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#190061",
        "local": false,
        "name": "rectifyq:topic=\"ics-ot\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#3500ca",
        "local": false,
        "name": "rectifyq:detection-rules=\"yara-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:country=\"russia\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Ukraine\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Electric\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Industrial\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Denial of Service\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Device Restart/Shutdown\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Manipulation of Control\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Network Connection Enumeration\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Network Service Scanning\"",
        "relationship_type": ""
      },
      {
        "colour": "#f63636",
        "local": false,
        "name": "ICS-specific",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771877465",
        "to_ids": false,
        "type": "link",
        "uuid": "e08ce6ce-1d07-45ec-aa0a-633f4817931e",
        "value": "https://www.cisa.gov/news-events/ics-alerts/ics-alert-17-206-01"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771877465",
        "to_ids": false,
        "type": "link",
        "uuid": "4bce804f-8a01-460b-bf66-cc71dc037b3f",
        "value": "https://www.cisa.gov/news-events/alerts/2017/06/12/crashoverride-malware"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771878508",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "8dab7ef1-d13f-4d62-9474-7c8c26cdd8b7",
        "value": "195.16.88.6",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771878529",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "aeca2a5c-ca71-4bad-9d06-4e2536fedd02",
        "value": "46.28.200.132",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771878551",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "e06dd4b4-6c06-409e-8983-df1babee8bb6",
        "value": "188.42.253.43",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771878572",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "7618687e-a599-40e2-b1cd-9c535d15dd10",
        "value": "5.39.218.152",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771878594",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "041d49a2-761e-45f0-a68f-465e8e4853fe",
        "value": "93.115.27.57",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772404197",
        "to_ids": false,
        "type": "link",
        "uuid": "48fc9b9e-f8eb-4903-9510-bffab9f86940",
        "value": "https://www.first.org/conference/2020/recordings"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1771877716",
        "uuid": "7fd29d6d-8026-4327-b75c-aa7989f08e32",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1771877716",
            "to_ids": false,
            "type": "text",
            "uuid": "5be377c0-93fb-4eb4-8637-759f0658ade8",
            "value": "coi_backdoor"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1771877716",
            "to_ids": false,
            "type": "comment",
            "uuid": "99736d64-6f37-473e-8bf6-508b5bd77fe2",
            "value": "Detect CRASHOVERRIDE/Industroyer backdoors"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1771877716",
            "to_ids": true,
            "type": "yara",
            "uuid": "ebd46725-c9ba-4935-abbe-6e66de41087c",
            "value": "rule coi_backdoor \r\n{\r\n    meta:\r\n        description = \"Detect CRASHOVERRIDE/Industroyer backdoors\"\r\n\t\tauthor = \"NCCIC ICS-CERT\"\r\n\r\n    strings:\r\n        $co0 = {6a 43 ff 15}\r\n        $co1 = {50 57 57 6a 2e 57 ff 15 ?? ?? ?? 00}\r\n        $co2 = {5? 5? 5? 5? 5? 5? FF ?? ?? 6a ff 6a ff 6a ff 5? ff 15 ?? ?? ?? 00}\r\n\r\n        $st1 = {4f 62 74 61 69 6e 55 73 65 72 41 67 65 6e 74 53 74 72 69 6e 67 00}\r\n        $st2 = \"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)\" wide fullword\r\n\r\n    condition:\r\n        filesize < 1MB and all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1771877740",
        "uuid": "ecd20978-2d4f-474d-9a49-ad176963aab5",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1771877740",
            "to_ids": false,
            "type": "text",
            "uuid": "c7efc016-1738-4d1a-8846-283114564238",
            "value": "coi_dos"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1771877740",
            "to_ids": false,
            "type": "comment",
            "uuid": "66a739c1-8940-4210-9d3b-2df1f1049ee1",
            "value": "Detect CRASHOVERRIDE/Industroyer DoS modules"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1771877740",
            "to_ids": true,
            "type": "yara",
            "uuid": "87f876eb-a90b-4d96-857f-38d0a46efac6",
            "value": "rule coi_dos\r\n{\r\n    meta:\r\n        description = \"Detect CRASHOVERRIDE/Industroyer DoS modules\"\r\n\t\tauthor = \"NCCIC ICS-CERT\"\r\n\r\n    strings:\r\n        $p1 = {6a 02 6a 02 ff 15}\r\n        $p2 = {5? 6a 00 6a 12 68 [4] 5? ff 15 [4] 50 68 [4] e8 ?? ?? FF FF 83 c4 08}\r\n\r\n        $s0 = \"WS2_32.dll\" ascii nocase fullword\r\n        $s1 = \"point\" ascii fullword\r\n\r\n    condition:\r\n        filesize < 500KB and all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1771877766",
        "uuid": "cf4fd941-cbfd-4975-8c7b-5fedf78c29ca",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1771877766",
            "to_ids": false,
            "type": "text",
            "uuid": "9dde9377-de64-4c6b-b4d3-1633a45196cc",
            "value": "coi_opc"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1771877766",
            "to_ids": false,
            "type": "comment",
            "uuid": "17173549-f4c7-438c-8bd1-6bba3418edcf",
            "value": "Detect CRASHOVERRIDE/Industroyer OPC modules"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1771877766",
            "to_ids": true,
            "type": "yara",
            "uuid": "886acdbf-7f83-44df-acc5-66df47090a76",
            "value": "rule coi_opc\r\n{\r\n    meta:\r\n        description = \"Detect CRASHOVERRIDE/Industroyer OPC modules\"\r\n\t\tauthor = \"NCCIC ICS-CERT\"\r\n\r\n    strings:\r\n        $iid0 = {4F 3A C1 39 1E 01 D0 11 96 75 00 20 AF D8 AD B3}\r\n        $iid1 = {54 3A C1 39 1E 01 D0 11 96 75 00 20 AF D8 AD B3}\r\n\r\n        $co0 = {6a 00 6a 00 6a 00 6a 03 6a 01 6a 00 6a 00 6a ff 6a 00 ff 15}\r\n        $co1 = {c7 45 ?? 00 00 00 00 c7 45 ?? 00 00 00 00 c7 45 ?? 00 00 00 00 c7 45 ?? 01 00 00 00 e8 ?? ?? ?? ff}\r\n\r\n        $str0 = {63 74 6c 53 65 6c 4f 6e 00}\r\n        $str1 = {73 74 56 61 6c 00}\r\n\r\n    condition:\r\n        filesize < 1MB and 1 of ($co*) and all of ($iid*,$str*)\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1771877785",
        "uuid": "a8420820-4847-4082-a16e-bbb4cb9ecd3f",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1771877785",
            "to_ids": false,
            "type": "text",
            "uuid": "eefff020-1a42-46cb-bb07-d645f14d16b4",
            "value": "coi_61850"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1771877785",
            "to_ids": false,
            "type": "comment",
            "uuid": "42c1ba83-032c-493c-9b5d-a7670a821a07",
            "value": "Detect CRASHOVERRIDE/Industroyer 61850 modules"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1771877785",
            "to_ids": true,
            "type": "yara",
            "uuid": "ca006bb9-5b0e-4485-96a2-e6de11273965",
            "value": "rule coi_61850\r\n{\r\n    meta:\r\n        description = \"Detect CRASHOVERRIDE/Industroyer 61850 modules\"\r\n\t\tauthor = \"NCCIC ICS-CERT\"\r\n\r\n    strings:\r\n        $hcp0 = {03 00 00 16 11 e0 00 00 00 01 00 c1 02 00 00 c2 02 00 01 c0 01 0a 00 00}\r\n        $hcp1 = {03 00 00 24 02 f0 80 01 00 01 00 61 17 30 15 02 01 03 a0 10 a0 0e 02 01 01 a1 09 a0 03 80 01 09 a1 02 80 00}\r\n\r\n        $iat0 = {47 65 74 41 64 61 70 74 65 72 73 49 6e 66 6f 00}\r\n\r\n        $st0 = {73 74 56 61 6c 00}\r\n        $st1 = {31 30 32 00}\r\n\r\n    condition:\r\n        filesize < 1MB and all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1771877803",
        "uuid": "d058e680-198f-4c12-8b0e-ebdc3091ed8a",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1771877803",
            "to_ids": false,
            "type": "text",
            "uuid": "713849f6-270c-435b-8021-9576b9e68be0",
            "value": "coi_notepad_heur"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1771877803",
            "to_ids": false,
            "type": "comment",
            "uuid": "0f39991f-03ca-4095-82d0-e77be1b11196",
            "value": "Heuristics to try to identify the CRASHOVERRIDE/Industroyer alternate backdoor (trojanized notepad)."
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1771877803",
            "to_ids": true,
            "type": "yara",
            "uuid": "c4240335-24fb-4c8d-aade-1f249aa9d197",
            "value": "rule coi_notepad_heur\r\n{\r\n    meta:\r\n        description = \"Heuristics to try to identify the CRASHOVERRIDE/Industroyer alternate backdoor (trojanized notepad).\"\r\n\t\tauthor = \"NCCIC ICS-CERT\"\r\n\r\n    strings:\r\n        $s0 = \"Software\\\\Microsoft\\\\Notepad\" wide fullword\r\n        $s1 = \"notepad.chm\" ascii fullword\r\n        $s2 = \"CLSID\\\\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\\\\InprocServer32\" ascii fullword\r\n\r\n        $c0 = {F3 A4}\r\n        $c1 = {60 9c}\r\n        $c2 = {33 f0}\r\n        $c3 = {83 e? 04 0f 85 ?? ?? ff ff}\r\n\r\n    condition:\r\n        filesize < 500KB and all of them and #c2 >= 10\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1771877820",
        "uuid": "37537ca6-efb2-4229-99d2-cbd99ea33843",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1771877820",
            "to_ids": false,
            "type": "text",
            "uuid": "c8350550-3a85-40aa-9910-fdad454983b4",
            "value": "coi_104"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1771877820",
            "to_ids": false,
            "type": "comment",
            "uuid": "43522dcd-9695-4c0c-8a14-b5f247e011a3",
            "value": "Detect CRASHOVERRIDE/Industroyer IEC 104 modules"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1771877820",
            "to_ids": true,
            "type": "yara",
            "uuid": "cba746b8-a699-44cc-9c55-dd7867cc35b4",
            "value": "rule coi_104\r\n{\r\n    meta:\r\n        description = \"Detect CRASHOVERRIDE/Industroyer IEC 104 modules\"\r\n\t\tauthor = \"NCCIC ICS-CERT\"\r\n\r\n    strings:\r\n        $co0 = {2E 2E 00 00 68 0E 00 00 00 00 64 01 06 00 01 00 00 00 00 14}\r\n        $co1 = {c6 ?? 2d 8b 46 04 c6 ?? 01 01 8b 46 04 c6 ?? 02 06 8b 46 04 c6 ?? 03 00}\r\n        $co2 = {c7 ?? [4] c7 ?? 04 68 04 03 00 c7 ?? 08 00 00 00 00 c7 ?? 0c 00 00 00 00}\r\n        $co3 = {80 78 04 68}\r\n\r\n    condition:\r\n        filesize < 1MB and all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1771877849",
        "uuid": "2fc686f7-e2a7-4b55-8e15-e3411dfc8d14",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1771877849",
            "to_ids": false,
            "type": "text",
            "uuid": "53498fbd-739d-4f20-977d-95ca409d250f",
            "value": "coi_launcher"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1771877849",
            "to_ids": false,
            "type": "comment",
            "uuid": "7678d365-8848-4418-ab01-12ba0e5f9786",
            "value": "Detect CRASHOVERRIDE/Industroyer launchers"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1771877849",
            "to_ids": true,
            "type": "yara",
            "uuid": "18329e8a-bd47-447c-8f27-4a9dfefb0ce7",
            "value": "rule coi_launcher\r\n{\r\n    meta:\r\n        description = \"Detect CRASHOVERRIDE/Industroyer launchers\"\r\n\t\tauthor = \"NCCIC ICS-CERT\"\r\n\r\n    strings:\r\n        $co0 = {6A 00 6A 00 6A 00 68 ?? ?? ?? 00 6A 00 6A 00 FF 15}\r\n        $co1 = {6a 01 6a 00 6a 00 6a 00}\r\n        $co2 = {6a 00 6a 01 6a 00 ff 15 ?? ?? ?? 00}\r\n        \r\n        $st0 = {68 00 61 00 73 00 6c 00 6f 00}\r\n        $st1 = \"Crash\" ascii fullword\r\n\r\n    condition:\r\n        filesize < 1MB and all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1771877870",
        "uuid": "05c2cabc-2459-4dd9-bb1a-c9d487638f6a",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1771877870",
            "to_ids": false,
            "type": "text",
            "uuid": "17b21eaa-df38-4246-a121-43b741f66a12",
            "value": "coi_wiper"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1771877870",
            "to_ids": false,
            "type": "comment",
            "uuid": "b8f34a35-7898-4802-930c-e30dc4d6e5dc",
            "value": "Detect CRASHOVERRIDE/Industroyer wiper modules"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1771877870",
            "to_ids": true,
            "type": "yara",
            "uuid": "2dde80e7-4b06-450f-9700-716bdba647f4",
            "value": "rule coi_wiper\r\n{\r\n    meta:\r\n        description = \"Detect CRASHOVERRIDE/Industroyer wiper modules\"\r\n\t\tauthor = \"NCCIC ICS-CERT\"\r\n\r\n    strings:\r\n        $st1 = \"SYS_BASCON.COM\" wide nocase fullword\r\n        $st2 = {43 72 61 73 68 00}\r\n\r\n        $co0 = {6a 02 68 [4] 6a 02 5? 68 [4] ff b5 [4] ff 15}\r\n        $co1 = {6a 00 68 80 00 00 00 6a 03 6a 00 6a 02}\r\n        $co2 = {0f 1f 84 00 00 00 00 00}\r\n        $co3 = {5? 6a 00 6a 01 ff 15 [4] [1-2] 6a 01 5? ff 15}\r\n\r\n    condition:\r\n        filesize < 1MB and all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1771877892",
        "uuid": "c5757700-7708-4907-b490-d4c7f7d8dc5e",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1771877892",
            "to_ids": false,
            "type": "text",
            "uuid": "a8ba9353-d658-4ea2-b9a0-74e21dfbe09f",
            "value": "coi_port_scanner_heur"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1771877892",
            "to_ids": false,
            "type": "comment",
            "uuid": "e5153231-31fb-4ef0-8b6b-f94fde7f52c7",
            "value": "Heuristics to detect packed and unpacked versions of the custom port scanner"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1771877892",
            "to_ids": true,
            "type": "yara",
            "uuid": "25e9264e-0d10-4eef-9acb-01d0c214f5e7",
            "value": "rule coi_port_scanner_heur\r\n{\r\n    meta:\r\n        description = \"Heuristics to detect packed and unpacked versions of the custom port scanner\"\r\n\t\tauthor = \"NCCIC ICS-CERT\"\r\n\r\n    strings:\r\n        $st = \"SystemFunction036\" ascii fullword\r\n\r\n        $unp0 = \"^(.+?.exe).*\\\\s+-ip\\\\s*=\\\\s*(.+)\\\\s+-ports\\\\s*=\\\\s*(.+)$\" wide fullword\r\n        $unp1 = {d1 e8 49 3d ff 7f 00 00}\r\n        $unp2 = {ff 15 ?? ?? ?? 00 b9 45 27 00 00 3b c1 7f 45}\r\n\r\n        $pk0 = \"UPX0\"\r\n        $pk1 = {4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 41 44 56 41 50 49 33 32 2E 64 6C 6C 00 57 53 32 5F 33 32 2E 64 6C 6C 00 00}\r\n        $pk2 = {56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 53 79 73 74 65 6D 46 75 6E 63 74 69 6F 6E 30 33 36 00 00 40 06 00 18 00}\r\n        \r\n    condition:\r\n        filesize < 1MB and $st and (all of ($unp*) or all of ($pk*))\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1771877912",
        "uuid": "4f97dead-bc82-4f21-9e75-62a7a6f5c521",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1771877912",
            "to_ids": false,
            "type": "text",
            "uuid": "4a06ef61-52dc-4bdf-96cc-29c442361258",
            "value": "coi_cred_dump_heur"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1771877912",
            "to_ids": false,
            "type": "comment",
            "uuid": "9ffd7e61-d76b-4c89-ba12-3926b963647d",
            "value": "Heuristics to detect packed and unpacked versions of the credential dumper"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1771877912",
            "to_ids": true,
            "type": "yara",
            "uuid": "2e5dd394-2181-47e5-b2af-708ad8460de9",
            "value": "rule coi_cred_dump_heur\r\n{\r\n    meta:\r\n        description = \"Heuristics to detect packed and unpacked versions of the credential dumper\"\r\n\t\tauthor = \"NCCIC ICS-CERT\"\r\n\r\n    strings:\r\n        $st0 = \"UPX0\" ascii fullword\r\n        $st1 = \"SCardConnectW\" ascii fullword\r\n        $st2 = \"DsGetDcNameW\" ascii fullword\r\n        $st3 = \"CopySid\" ascii fullword\r\n        $st4 = \"cmd.exe /C ping 1.1.1.1 -n 1 -w 2000 > Nul & Del \\\"%s\\\"\" wide fullword\r\n        $st5 = \"036\" ascii\r\n\r\n        $iat0 = {00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 41 44 56 41 50 49 33 32 2E 64 6C 6C 00 43 52 59 50 54 33 32 2E 64 6C 6C 00 63 72 79 70 74 64 6C 6C 2E 64 6C 6C 00}\r\n        $iat1 = {45 78 69 74 50 72 6F 63 65 73 73 00 00 00 43 6F 70 79 53 69 64 00 00 00 43 65 72 74 4F 70 65 6E 53 74 6F 72 65 00 00 00 4D 44 35 49 6E 69 74 00 00 00 44 73 47 65 74 44 63 4E 61 6D 65 57 00 00 52 74 6C 45 71 75 61 6C 53 74 72 69 6E 67 00 00 43 6F 55 6E 69 6E 69 74 69 61 6C 69 7A 65}\r\n\r\n    condition:\r\n        filesize < 2MB and 5 of ($st*) and all of ($iat*)\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1771877942",
        "uuid": "1c86e6d2-987e-471a-aee6-55587558c3f7",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1771877942",
            "to_ids": false,
            "type": "text",
            "uuid": "082d4233-b0b3-4e8a-874e-ca182b09bfee",
            "value": "coi_mod_heur"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1771877942",
            "to_ids": false,
            "type": "comment",
            "uuid": "a4662354-7842-44df-a69e-a1d6ed1f6995",
            "value": "Heuristics for modules"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1771877942",
            "to_ids": true,
            "type": "yara",
            "uuid": "f079c6e4-0e79-4bc8-afb3-8639082a1059",
            "value": "import \"pe\"\r\nrule coi_mod_heur\r\n{\r\n    meta:\r\n        description = \"Heuristics for modules\"\r\n\t\tauthor = \"NCCIC ICS-CERT\"\r\n    \r\n    condition:\r\n        filesize < 2MB and pe.exports(\"Crash\") and pe.number_of_exports < 5\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771878615",
        "uuid": "e276b208-9c40-45c3-b99f-42008613a65d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771878615",
            "to_ids": true,
            "type": "md5",
            "uuid": "8c7b4ad7-51d0-4b84-a249-580bbefd2ae0",
            "value": "f67b65b9346ee75a26f491b70bf6091b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771878491",
            "to_ids": true,
            "type": "sha1",
            "uuid": "ebb48706-1f9f-442d-b51d-342bd3714f5f",
            "value": "f6c21f8189ced6ae150f9ef2e82a3a57843b587d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771878491",
            "to_ids": true,
            "type": "sha256",
            "uuid": "5cd61498-145e-4f89-8521-8ab984a4fd6d",
            "value": "37d54e3d5e8b838f366b9c202f75fa264611a12444e62ae759c31a0d041aa6e4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771878184",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "cc6570ae-34a7-40f4-976d-5f7ecb4b46c4",
            "value": "192:7YmE5zgvM3cGfjnhDVYPp6GSDyBESi3eiKxWvJCDpFnTZ0k:7YVgk3VjnFVRJp39GWJCDpFTZ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771878184",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "8884d0a7-2709-40a8-95df-afc606864223",
            "value": "10752"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771878184",
            "to_ids": true,
            "type": "vhash",
            "uuid": "86e88e63-4473-433e-9729-d211fdf53f36",
            "value": "014056551d055550d8z27hz2020102fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771878184",
            "to_ids": true,
            "type": "filename",
            "uuid": "a755e4f9-0e7c-40f4-bb8e-889b23a357a5",
            "value": "2max4.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/02/2026\nLast scan: 11/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771878184",
            "to_ids": false,
            "type": "text",
            "uuid": "221add45-0995-4f78-bef0-5fe5e2815d54",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride.A!dha\nVT Total Detection:62/72\nFirst Submission:2016-12-20T09:21:17.000000+00:00\nLast Submission:2025-07-20T07:34:06.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771878636",
        "uuid": "4e30ffb3-cfca-45b7-a88e-2fbe72d9e58a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771878636",
            "to_ids": true,
            "type": "md5",
            "uuid": "cbda7df7-2f9e-4d2a-82fb-20d4f0cd9ae9",
            "value": "fc4fe1b933183c4c613d34ffdb5fe758",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771878493",
            "to_ids": true,
            "type": "sha1",
            "uuid": "c6943f7a-f802-4419-9c4d-5fdebaa012c9",
            "value": "cccce62996d578b984984426a024d9b250237533",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771878493",
            "to_ids": true,
            "type": "sha256",
            "uuid": "c92ac55c-34cc-4c87-824a-009c99418bde",
            "value": "6d707e647427f1ff4a7a9420188a8831f433ad8c5325dc8b8cc6fc5e7f1f6f47",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771878206",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "083d0799-b0a9-4ddc-a33a-9643688b6154",
            "value": "192:JYmE5zgvM3cGfjntdYOapCGSDyBE+di3eKKxWvJCDpFnTZ0k:JYVgk3VjntdfhJ+03xGWJCDpFTZ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771878206",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "c0754ee7-e820-408c-be6c-8f9c445fdf0b",
            "value": "10752"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771878206",
            "to_ids": true,
            "type": "vhash",
            "uuid": "cb3c427a-ce7a-4e8a-b828-39ad97f6ebfd",
            "value": "014056551d055550d8z27hz2020102fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771878206",
            "to_ids": true,
            "type": "filename",
            "uuid": "cd8eb006-91e8-41c0-9866-c1c173d3fd0f",
            "value": "3s3fef0.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/02/2026\nLast scan: 11/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771878206",
            "to_ids": false,
            "type": "text",
            "uuid": "b4f8f80d-1ff4-4d9d-a90a-d1c17a37e68f",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride.A!dha\nVT Total Detection:53/72\nFirst Submission:2016-12-18T14:07:28.000000+00:00\nLast Submission:2024-09-26T13:11:04.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771878657",
        "uuid": "081edf29-2553-499c-b437-2a3e47ce5f89",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771878657",
            "to_ids": true,
            "type": "md5",
            "uuid": "1e16651e-3aef-4288-b43a-830b58bd5440",
            "value": "11a67ff9ad6006bd44f08bcc125fb61e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771878493",
            "to_ids": true,
            "type": "sha1",
            "uuid": "42e69aeb-4b2b-4979-9e24-15fcaf4d0ce1",
            "value": "8e39eca1e48240c01ee570631ae8f0c9a9637187",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771878494",
            "to_ids": true,
            "type": "sha256",
            "uuid": "05355499-cc28-43b1-9169-462419c3b83a",
            "value": "3e3ab9674142dec46ce389e9e759b6484e847f5c1e1fc682fc638fc837c13571",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771878227",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d2c6e5e5-32d6-42dc-a11c-83ef1a6096a2",
            "value": "1536:65kQyQKkuX+tRahJBQknNpZj5OnBFAjzfNT36Akr8fMDQJ9sWm4CfcdIcNhBE1:65kQyQKkuX+tA7j5OBWHVTqJrrDwPCOu"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771878227",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "26ab780a-a491-442b-9bc8-4a235a62ae2a",
            "value": "88576"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771878227",
            "to_ids": true,
            "type": "vhash",
            "uuid": "86c7ec42-92fc-4d3e-af5e-730ccaddd783",
            "value": "084066655d151555619z58hz2020102fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771878227",
            "to_ids": true,
            "type": "filename",
            "uuid": "73db7f48-fd63-49b5-a931-86e34cd5294a",
            "value": "usw4eo.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/02/2026\nLast scan: 06/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771878227",
            "to_ids": false,
            "type": "text",
            "uuid": "8bb45783-b017-4960-a839-66e3f9df18aa",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride.A!dha\nVT Total Detection:62/72\nFirst Submission:2016-12-18T14:05:39.000000+00:00\nLast Submission:2025-06-23T02:41:20.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771878679",
        "uuid": "095288a9-0968-4653-a582-37124dac4d71",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771878679",
            "to_ids": true,
            "type": "md5",
            "uuid": "fdbb2995-581c-4a09-afff-8e3f714b41a7",
            "value": "ff69615e3a8d7ddcdc4b7bf94d6c7ffb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771878495",
            "to_ids": true,
            "type": "sha1",
            "uuid": "f32a3249-1d43-4214-8fb3-54c0a5643ca1",
            "value": "2cb8230281b86fa944d3043ae906016c8b5984d9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771878495",
            "to_ids": true,
            "type": "sha256",
            "uuid": "7b192395-335a-41e7-b20d-a6bab93a2b4c",
            "value": "ecaf150e087ddff0ec6463c92f7f6cca23cc4fd30fe34c10b3cb7c2a6d135c77",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771878249",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "5901ea99-c06e-49c0-bf55-7f1baa7145f6",
            "value": "1536:4mlzHdKCtCgl4DgBbAhSk/NOoBD+niVAjzfNT36WBrMf4QJKLsWhcdIyeGvm3VAN:4mVHdKCtCa9xCBD+iGHVTq2rPwKmIyI0"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771878249",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b0fee9cc-8253-498a-84cb-2481d6a46986",
            "value": "89088"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771878249",
            "to_ids": true,
            "type": "vhash",
            "uuid": "fb060782-1a1b-4141-8b74-9a36a224c103",
            "value": "084066655d151555619z58hz2020102fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771878249",
            "to_ids": true,
            "type": "filename",
            "uuid": "fb2f202f-a755-4a98-b85f-71fb998bab0a",
            "value": "cigjy0.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/02/2026\nLast scan: 06/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771878249",
            "to_ids": false,
            "type": "text",
            "uuid": "8d726ebe-c1fe-40c0-b1fd-3b2b5bc9f86b",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride.A!dha\nVT Total Detection:64/72\nFirst Submission:2016-12-18T14:08:21.000000+00:00\nLast Submission:2024-08-06T08:33:13.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771878701",
        "uuid": "5882209c-1431-4fd1-8ce3-7dd2d770ce85",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771878701",
            "to_ids": true,
            "type": "md5",
            "uuid": "9521c99d-4f65-4a74-9a9e-53c5770464fe",
            "value": "f9005f8e9d9b854491eb2fbbd06a16e0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771878496",
            "to_ids": true,
            "type": "sha1",
            "uuid": "66478aa7-55be-4cd5-9209-bd8a35e23d8b",
            "value": "79ca89711cdaedb16b0ccccfdcfbd6aa7e57120a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771878496",
            "to_ids": true,
            "type": "sha256",
            "uuid": "7c9d5990-3260-4336-af63-afd323dd7ac5",
            "value": "21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771878271",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d30e5d85-9a26-42e8-acf1-5deb18f9c0a4",
            "value": "1536:1730kyqC5KnUjdA6j/WZW9UaBECv6lQJnCsW1wnLcd2AhNs6Qaw:dnUjKm+49UaCCkwvna2AhNsNT"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771878271",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "ef53ec1a-85a7-412c-98cc-34ed507c839a",
            "value": "74240"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771878271",
            "to_ids": true,
            "type": "vhash",
            "uuid": "ee23b3a1-e394-441c-a9d2-bcd4fc2711d7",
            "value": "074066655d1515556038z51hz1lz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771878271",
            "to_ids": true,
            "type": "filename",
            "uuid": "c83a900a-bdb0-4e96-897e-fffc0167cb9c",
            "value": "21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/02/2026\nLast-scan: 06/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771878271",
            "to_ids": false,
            "type": "text",
            "uuid": "8984887a-4fa3-49ec-aa90-1d0e4fa771a5",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride.A\nVT Total Detection:60/72\nFirst Submission:2016-12-19T09:47:05.000000+00:00\nLast Submission:2025-12-15T13:19:14.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771878722",
        "uuid": "c303773f-b152-425b-be59-3caf7146351a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771878722",
            "to_ids": true,
            "type": "md5",
            "uuid": "350d08bd-5ace-497f-9136-e40deb7ab213",
            "value": "a193184e61e34e2bc36289deaafdec37",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771878497",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7b83e5b3-acd1-41b9-895c-7e28c6fdf0ef",
            "value": "94488f214b165512d2fc0438a581f5c9e3bd4d4c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771878497",
            "to_ids": true,
            "type": "sha256",
            "uuid": "9d71a595-b9b7-4a63-8916-e8b8f60763d2",
            "value": "7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771878292",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "778d04ea-eff2-4c06-bea1-e8cba74f84ae",
            "value": "3072:McaprOfoaXmgD31r4VWBvRZoiTprUZNZ9VQ6s6W9:McuOJ2gD31QW51pgE6st9"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771878292",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "016c1e62-c7ce-4ced-837a-138af2fee2f8",
            "value": "136704"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771878292",
            "to_ids": true,
            "type": "vhash",
            "uuid": "efdbe627-ef28-4b2a-a978-f160a5307ac1",
            "value": "115066655d1515556az4dvza6z1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771878292",
            "to_ids": true,
            "type": "filename",
            "uuid": "5046e477-eab6-41ae-83e6-d91e3a5a93d5",
            "value": "fxrhgtw.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/02/2026\nLast-scan: 20/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771878292",
            "to_ids": false,
            "type": "text",
            "uuid": "1c3a9fed-cd33-4751-9df4-c75f5744bfea",
            "value": "Type Description: Win32 DLL\nMicrosoft: Trojan:Win32/CrashOverride.A\nVT Total Detection:58/72\nFirst Submission:2016-12-19T10:06:04.000000+00:00\nLast Submission:2025-07-08T03:25:33.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771878744",
        "uuid": "93a17bea-a894-41e5-86c2-97c56ccf621c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771878744",
            "to_ids": true,
            "type": "md5",
            "uuid": "d3197f46-403d-40d9-baec-00418b02b74b",
            "value": "ab17f2b17c57b731cb930243589ab0cf",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771878498",
            "to_ids": true,
            "type": "sha1",
            "uuid": "498cef48-c83a-4e1f-b37d-dbc28a5139bb",
            "value": "5a5fafbc3fec8d36fd57b075ebf34119ba3bff04",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771878499",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a1d3d0ef-c11a-4af1-b66a-3dcf2f4a60d0",
            "value": "018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771878314",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "3a69f772-2594-4b2f-a611-084af46703c2",
            "value": "1536:ipIv8wiD3kkZZpgq8QK8mfkCwbq4QY1sWfScdAUehZfh9UQ:kwPQ6MbtF3TAUehZZ9J"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771878314",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "fff11955-25db-41e0-b627-70d02f00b815",
            "value": "75776"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771878314",
            "to_ids": true,
            "type": "vhash",
            "uuid": "cfd3da45-247f-41ca-bdb5-28699078d199",
            "value": "174066655d1515556048z4bbz15z21z1ez1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771878314",
            "to_ids": true,
            "type": "filename",
            "uuid": "8dedb31d-c5d5-42b5-82e2-0b3a63ee91d6",
            "value": "exkko.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/02/2026\nLast-scan: 06/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771878314",
            "to_ids": false,
            "type": "text",
            "uuid": "ee9d6bdc-50f8-4472-a691-2b0a0f810907",
            "value": "Type Description: Win32 DLL\nMicrosoft: Trojan:Win32/CrashOverride.A!dha\nVT Total Detection:61/72\nFirst Submission:2016-12-19T11:06:32.000000+00:00\nLast Submission:2024-05-08T00:31:06.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771878765",
        "uuid": "2a55d058-8c2f-4df2-bb06-904b2e1b02c6",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771878765",
            "to_ids": true,
            "type": "md5",
            "uuid": "46df96ad-c7df-43eb-92bc-62652412c009",
            "value": "7a7ace486dbb046f588331a08e869d58",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771878500",
            "to_ids": true,
            "type": "sha1",
            "uuid": "937bba0c-1b58-47b4-a56b-7c35470c7bb5",
            "value": "b92149f046f00bb69de329b8457d32c24726ee00",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771878500",
            "to_ids": true,
            "type": "sha256",
            "uuid": "299b7e03-a4af-44d2-a458-3b9fdc067c20",
            "value": "ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771878336",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "72f39f90-0b95-4ef2-b98e-761790a0a6d6",
            "value": "1536:txjX3k9R4Bdde5eFN73+WmS3UJ64b69AQJRCsWmcd2jjGVjpU:jddewFVO1S3I64LwRg2jjGJK"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771878336",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "bd249107-72c0-4af1-ac1e-4810b5aab9ef",
            "value": "76800"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771878336",
            "to_ids": true,
            "type": "vhash",
            "uuid": "078d8c32-b5ef-42fd-bb43-3df64f24c946",
            "value": "074066655d1515556048z49bz15z21z1ez1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771878336",
            "to_ids": true,
            "type": "filename",
            "uuid": "76f627db-1726-4fe7-8e1a-f443b4582d58",
            "value": "625yo1.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/02/2026\nLast-scan: 15/09/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771878336",
            "to_ids": false,
            "type": "text",
            "uuid": "7820e26e-f654-43ea-852a-86a9479a6838",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride.A!dha\nVT Total Detection:65/72\nFirst Submission:2016-12-19T09:58:43.000000+00:00\nLast Submission:2023-06-19T08:39:00.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771878786",
        "uuid": "9a207fc8-93d4-42e7-b93d-332b7b3643ce",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771878786",
            "to_ids": true,
            "type": "md5",
            "uuid": "e18b0bea-95fe-47cf-98fa-f729056f1bf3",
            "value": "497de9d388d23bf8ae7230d80652af69",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771878501",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e61a3114-f2e8-484b-853d-941d874b223e",
            "value": "b335163e6eb854df5e08e85026b2c3518891eda8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771878501",
            "to_ids": true,
            "type": "sha256",
            "uuid": "db872671-b8de-4018-b60b-c9691bdb5351",
            "value": "893e4cca7fe58191d2f6722b383b5e8009d3885b5913dcd2e3577e5a763cdb3f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771878358",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "6c439c55-8186-4c39-b3cc-14c09cd89a56",
            "value": "3072:+vEcGwRrYeqmIJ2Frd5yTutsJB8C2W+yJE608XXRh+60m6UpSe5B4:I/nRM+I0FrCBF2WFuNle5O"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771878358",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "c4b59b0e-4284-4a45-8b00-402ff001729a",
            "value": "174080"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771878358",
            "to_ids": true,
            "type": "vhash",
            "uuid": "bf19e316-33b2-4871-bf48-99b022b1a318",
            "value": "01503e0f7d1019z6vz17z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771878358",
            "to_ids": true,
            "type": "filename",
            "uuid": "426c7789-7968-41c3-9993-f6aefad6c9f7",
            "value": "vef5dh.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/02/2026\nLast-scan: 06/03/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771878358",
            "to_ids": false,
            "type": "text",
            "uuid": "a299d592-709c-4278-8a85-39bd62f18827",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride.A\nVT Total Detection:61/72\nFirst Submission:2016-12-20T21:05:22.000000+00:00\nLast Submission:2025-03-11T11:46:30.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771878808",
        "uuid": "b190cf40-e9dd-455c-9a85-22dffeb3c65b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771878808",
            "to_ids": true,
            "type": "md5",
            "uuid": "956c7ec5-777e-49d3-9351-577f5fe29462",
            "value": "a06bc585d1c6e24d837d0198490da575",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771878502",
            "to_ids": true,
            "type": "sha1",
            "uuid": "6a7c2636-33f8-4d89-8275-33bf873f0ce7",
            "value": "a71fabd764a3b0116fefb14433ffb2c51629b2c6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771878502",
            "to_ids": true,
            "type": "sha256",
            "uuid": "3ddbadc9-8da8-4a54-a716-3b48df3dd294",
            "value": "dcb7d2fc46f61d5522e005ac66f3f0661e2d5284d5a3f8b3a0c8b4050d8397a7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771878380",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "bd2334e9-e3b7-4238-9224-6532bd8505d0",
            "value": "1536:/730kyqC5KnUjdA6j/WZW9UaBECv6lQJnCsW1wnLcd27hNs6Qaw:bnUjKm+49UaCCkwvna27hNsNT"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771878380",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "8b5d4fb5-0115-4468-abd2-a6ce08fcc38a",
            "value": "74240"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771878380",
            "to_ids": true,
            "type": "vhash",
            "uuid": "0f9805e2-8556-4b3d-ae6b-9e56858ba717",
            "value": "074066655d1515556038z51hz1lz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771878380",
            "to_ids": true,
            "type": "filename",
            "uuid": "da897014-1c0d-4660-8cfa-4e328a60beed",
            "value": "a06bc585d1c6e24d837d0198490da575.virus"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/02/2026\nLast-scan\t:  29/09/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771878380",
            "to_ids": false,
            "type": "text",
            "uuid": "1a36b1a3-241a-4dc2-8b48-e9c0715dfac0",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride!dha\nVT Total Detection:51/72\nFirst Submission:2021-05-04T04:30:30.000000+00:00\nLast Submission:2021-05-04T04:30:30.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771878829",
        "uuid": "21ab8d3c-b676-4d37-b869-3ca379faaf4b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771878829",
            "to_ids": true,
            "type": "md5",
            "uuid": "8d93bd96-cb5b-4d31-b689-9c773f545013",
            "value": "5dd4dacb7aea5ff182ea0d7eb8ee035d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771878503",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7edfc827-fe79-48df-93d8-a5e88eee1b77",
            "value": "82d96268c6679f30b40d0eaade50efc4e15a63a4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771878503",
            "to_ids": true,
            "type": "sha256",
            "uuid": "35ca65ad-e5a3-4a19-9185-bf9de6b916ed",
            "value": "4587ccfecc9a1ff5c5538a3475409ca1687d304bcde252077a119c436296857b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771878401",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "673741af-e52e-4028-b61c-949f6033ed7d",
            "value": "3072:pY7F8YDhOIq4xJpHXTHSwVnZXYkQedAFjK2rWV:pinQ+vpHXT7pUDaV"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771878401",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "8481b491-ded4-4225-85a3-a46471540e83",
            "value": "99328"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771878401",
            "to_ids": true,
            "type": "vhash",
            "uuid": "f4960fa7-0c69-4e12-a85c-eaf670d1d327",
            "value": "094066655d1515556az3fvz97z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771878401",
            "to_ids": true,
            "type": "filename",
            "uuid": "50480787-11cc-4a84-90b7-74f355058892",
            "value": "3A570AE7.vsc"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/02/2026\nLast-scan\t:  16/11/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771878401",
            "to_ids": false,
            "type": "text",
            "uuid": "24094264-ca83-47c8-b9ff-64a48ca8b120",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride!dha\nVT Total Detection:55/72\nFirst Submission:2019-03-05T16:00:37.000000+00:00\nLast Submission:2023-07-31T22:44:50.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771878851",
        "uuid": "91fc05bf-356b-4a10-b701-a33572bd64a9",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771878851",
            "to_ids": true,
            "type": "md5",
            "uuid": "a8591bef-dc65-4814-a1a4-976fb8ee08ad",
            "value": "36997bdef02b63d411d0bea0335c6899",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771878504",
            "to_ids": true,
            "type": "sha1",
            "uuid": "12048d81-75c9-4e10-b612-c5a0486d2fc8",
            "value": "7fac2eddf22ff692e1b4e7f99910e5dbb51295e6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771878504",
            "to_ids": true,
            "type": "sha256",
            "uuid": "ec7039de-d872-4400-be4d-ae6c41ddefa7",
            "value": "156bd34d713d0c8419a5da040b3c2dd48c4c6b00d8a47698e412db16b1ffac0f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771878423",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "63e2a3ee-538d-44bf-879f-9154dfef5254",
            "value": "3072:HM35lWVEFFaup+juJH6RVVVYBTOr83GqK8vbxU+HvaAg0FujoYVzYSwn:s35Q+FFhp+eaj7Y4rXayAOASw"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771878423",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "ed177e25-f90e-442f-b373-6c39a7efba8d",
            "value": "245248"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771878423",
            "to_ids": true,
            "type": "vhash",
            "uuid": "5430a48e-9a12-4583-8238-13bbb3e8ca46",
            "value": "025066655d1d15556028z537z802tz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771878423",
            "to_ids": true,
            "type": "filename",
            "uuid": "6b689cfd-c7fc-4807-9744-3d98688deca5",
            "value": "3A586EB6.vsc"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/02/2026\nLast-scan\t:  28/01/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771878423",
            "to_ids": false,
            "type": "text",
            "uuid": "604b3af3-c9e5-4cab-ad8b-24d88dc96fb4",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride!dha\nVT Total Detection:57/72\nFirst Submission:2019-03-05T15:55:44.000000+00:00\nLast Submission:2023-07-31T22:45:58.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1771878873",
        "uuid": "734bea7b-aaba-4e4e-b3e1-9c6975bb3b33",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1771878873",
            "to_ids": true,
            "type": "md5",
            "uuid": "c8ee2fb0-061b-4ff6-b6f4-4140b203ad5c",
            "value": "75c7e63c1389337aefe1170f7ccc1822",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1771878506",
            "to_ids": true,
            "type": "sha1",
            "uuid": "cac26f33-2c8a-4d36-8dde-7240ccb4030e",
            "value": "ecf6adf20a7137a84a1b319ccaa97cb0809a8454",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1771878506",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b77b367c-729d-416e-924c-4c05797ff8c8",
            "value": "55e7471ad841bd8a110818760ea89af3bb456493f0798a54ce3b8e7b790afd0a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1771878445",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e921c09f-4315-456b-9f14-3d9caca94a32",
            "value": "3072:pTZuWpPwr7jPlHA9azECvXgEHAg0FujUORYws:RZu7r7TSwHAOZYw"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1771878445",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b5b1b934-e17f-41b7-826e-6a3c00e86054",
            "value": "136704"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1771878445",
            "to_ids": true,
            "type": "vhash",
            "uuid": "7a356ac4-aaac-4915-acf7-4d4e8473db87",
            "value": "015076655d151d15556az4anz15zf7z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1771878445",
            "to_ids": true,
            "type": "filename",
            "uuid": "f725c823-913f-4237-8138-1078b3abe445",
            "value": "\u751f\u7522.js"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/02/2026\nLast-scan\t:  26/06/2023",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1771878445",
            "to_ids": false,
            "type": "text",
            "uuid": "1a3ee422-9677-4e59-a13f-91fa29a6db6c",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/CrashOverride!dha\nVT Total Detection:48/71\nFirst Submission:2021-03-17T05:59:44.000000+00:00\nLast Submission:2021-03-17T05:59:44.000000+00:00"
          }
        ]
      }
    ]
  }
}