{
  "Event": {
    "analysis": "1",
    "date": "2025-06-16",
    "extends_uuid": "",
    "info": "[Threat Intel] BERT RANSOMWARE - THE RAVEN FILE",
    "protected": false,
    "publish_timestamp": "1780383650",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1780041179",
    "uuid": "171b845f-fdc7-47f8-b3c0-2e8cd408612d",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Bypass User Account Control - T1548.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#b2a633",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Service Stop - T1489\"",
        "relationship_type": ""
      },
      {
        "colour": "#56c932",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Symmetric Cryptography - T1573.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#423494",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify System Firewall - T1562.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#eb2300",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Defacement - T1491\"",
        "relationship_type": ""
      },
      {
        "colour": "#b24806",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Indicator Removal - T1070\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#62f4c1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#36d931",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\"",
        "relationship_type": ""
      },
      {
        "colour": "#08b028",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Asymmetric Cryptography - T1573.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#d82db7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Query Registry - T1012\"",
        "relationship_type": ""
      },
      {
        "colour": "#297c25",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Inhibit System Recovery - T1490\"",
        "relationship_type": ""
      },
      {
        "colour": "#b8ab01",
        "local": false,
        "name": "misp-galaxy:target-information=\"United States\"",
        "relationship_type": ""
      },
      {
        "colour": "#732009",
        "local": false,
        "name": "misp-galaxy:target-information=\"Colombia\"",
        "relationship_type": ""
      },
      {
        "colour": "#915448",
        "local": false,
        "name": "misp-galaxy:target-information=\"Malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#2613b0",
        "local": false,
        "name": "misp-galaxy:target-information=\"Taiwan\"",
        "relationship_type": ""
      },
      {
        "colour": "#ce59f1",
        "local": false,
        "name": "misp-galaxy:target-information=\"United Kingdom\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"Ransomware\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:ransomware=\"bert\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd2e44",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#220082",
        "local": false,
        "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      },
      {
        "colour": "#3a00e0",
        "local": false,
        "name": "rectifyq:action-taken=\"x\"",
        "relationship_type": ""
      },
      {
        "colour": "#3b00e2",
        "local": false,
        "name": "rectifyq:action-taken=\"linkedin\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1750489233",
        "to_ids": false,
        "type": "link",
        "uuid": "ea4970db-fcbd-4210-91d9-4f6df7d1a4ff",
        "value": "https://theravenfile.com/2025/06/16/bert-ransomware"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1750489233",
        "to_ids": false,
        "type": "text",
        "uuid": "176768c1-0d9a-496c-b5ef-309348e5379c",
        "value": "BERT Ransomware, active since March 2025, has expanded its operations to target both Windows and Linux environments. The group uses phishing for initial access and communicates via the dark web and Sessions for negotiations. Victims span multiple countries, primarily affecting service and manufacturing sectors. The Windows variant employs multiple file extensions and RSA encryption, while the Linux version shares code with Sodinokibi/REvil ransomware. A weaponized PowerShell script is used to disable security features before payload execution. The ransomware's infrastructure is linked to a Russian firm, suggesting potential ties to the region."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1750489233",
        "to_ids": false,
        "type": "text",
        "uuid": "4e00556e-63b7-46f2-bd82-eafcdd947793",
        "value": "Name: BERT RANSOMWARE - THE RAVEN FILE\nAuthor: AlienVault\nAdversary: BERT Ransomware\nTags: [\"dark web\", \"encryption\", \"sodinokibi\", \"phishing\", \"windows\", \"revil\", \"bert ransomware\", \"ransomware\", \"powershell\", \"linux\"]\nTgtd countries: [\"United States of America\", \"Colombia\", \"Malaysia\", \"Taiwan\", \"United Kingdom of Great Britain and Northern Ireland\"]\nMlwr families: []\nAttack_ids: [\"T1548.002\", \"T1489\", \"T1573.001\", \"T1082\", \"T1055\", \"T1562.004\", \"T1491\", \"T1070\", \"T1083\", \"T1057\", \"T1059.001\", \"T1547.001\", \"T1566\", \"T1562.001\", \"T1027\", \"T1486\", \"T1573.002\", \"T1012\", \"T1490\"]\nIndustries: [\"Manufacturing\", \"Service\", \"Logistics\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1750489233",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "85f9bd10-4b16-4df8-9f29-2b265099e0a9",
        "value": "BERT Ransomware"
      },
      {
        "category": "Network activity",
        "comment": "DLS",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1750805897",
        "to_ids": true,
        "type": "domain",
        "uuid": "6ff56cda-0bda-4933-ad09-25c7dfd138cf",
        "value": "bertblogsoqmm4ow7nqyh5ik7etsmefdbf25stauecytvwy7tkgizhad.onion",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Data Server",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1750805918",
        "to_ids": true,
        "type": "domain",
        "uuid": "b781bcda-c96a-4a10-8842-2340f33fe1ae",
        "value": "wtwdv3ss4d637dka7iafl7737ucykei7pluzc7is3mgo2vl5nmq7eeid.onion",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1750805940",
        "to_ids": true,
        "type": "url",
        "uuid": "2c9cf01a-9b76-4465-a82f-dbc5f581d0b1",
        "value": "http://185.100.157.74/payload.exe",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780041179",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "19841122-771d-428d-9008-a5d1fdaeb5ec",
        "value": "185.100.157.74",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#1e9433",
            "local": false,
            "name": "asn:asn=\"215826\"",
            "relationship_type": ""
          },
          {
            "colour": "#04c4b8",
            "local": false,
            "name": "asn:as-owner=\"PARTNER-HOSTING-LTD\"",
            "relationship_type": ""
          },
          {
            "colour": "#e1449b",
            "local": false,
            "name": "asn:as-country=\"GB\"",
            "relationship_type": ""
          },
          {
            "colour": "#b7c1b9",
            "local": false,
            "name": "misp-galaxy:country=\"united kingdom\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
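        "comment": "Cloud instance metadata service URL (link-local 169.254.169.254, AWS-style /latest/meta-data path), not attacker-controlled infrastructure. Requests to it are routine on cloud hosts, so matching on this value will flag benign workloads; review to_ids before exporting to detection tooling.",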
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1750805982",
        "to_ids": true,
        "type": "url",
        "uuid": "a3de4b38-6be3-49dc-81b7-1f55ced12d2e",
        "value": "http://169.254.169.254/latest/meta-data/ami-id",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
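        "comment": "Link-local cloud instance metadata service address, not attacker-controlled infrastructure. Traffic to it is routine on cloud hosts, so blocking or alerting on this IP will produce false positives and can break instance metadata access; review to_ids before exporting to detection tooling.",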
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1750806003",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "b45ae6f0-2f7c-49a6-bea8-bc5b91a6ac44",
        "value": "169.254.169.254",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1750806880",
        "uuid": "14eeaa20-263a-44b7-8786-4210b1052b6f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1750806024",
            "to_ids": true,
            "type": "md5",
            "uuid": "e3be3219-30e1-49bc-bd77-cba3c1d37e21",
            "value": "003291d904b89142bada57a9db732ae7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1750805861",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e52e4d12-0fc8-4301-b713-064d4fcd2420",
            "value": "284678fd046682fe5e6cab7e83a2cbe000bb140e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1750805861",
            "to_ids": true,
            "type": "sha256",
            "uuid": "9d441a58-02f1-4988-8dd8-77a6bc7f340c",
            "value": "5bba035c4cb3c2e09a355d9356b3397184af4bf1ac1ff1df99ae9c15edee9f2b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1750805043",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "4f65ad81-d580-4ce2-962a-e5138cc6ce94",
            "value": "3072:Lb+XxBHGVJgggwgggwgggwgggwggggmOrIl:LrIl"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1750805043",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "25dcd024-5cda-4c62-b903-98933657eacf",
            "value": "105320"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1750805043",
            "to_ids": true,
            "type": "vhash",
            "uuid": "0c58f542-c786-4349-ae94-1ebbc0c39abf",
            "value": "bee038c27338338ba807b26285dea4f8"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1750805043",
            "to_ids": true,
            "type": "filename",
            "uuid": "476ca739-2ceb-4897-92d6-042059a2c41d",
            "value": "5bba035c4cb3c2e09a355d9356b3397184af4bf1ac1ff1df99ae9c15edee9f2b.elf"
          },
          {
            "category": "Other",
            "comment": "Checked: 25/06/2025\nLast-scan\t:  22/06/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1750805043",
            "to_ids": false,
            "type": "text",
            "uuid": "bf655f26-def9-4763-8b02-136187ed9330",
            "value": "Type Description: ELF\nMicrosoft: Ransom:Linux/MoneyMessage.K!MTB\nVT Total Detection:38/65\nFirst Submission:2025-05-15T01:56:08.000000+00:00\nLast Submission:2025-06-18T14:47:29.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1750806902",
        "uuid": "fc3b0100-7bcf-4a16-b60f-5e970173e3a5",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1750806045",
            "to_ids": true,
            "type": "md5",
            "uuid": "d9b2f89a-7277-4900-9fff-39f4d1352d30",
            "value": "00fdc504be1788231aa7b7d2d1335893",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1750805862",
            "to_ids": true,
            "type": "sha1",
            "uuid": "017e53ec-b644-407d-8349-70474760c382",
            "value": "434f6d0cc7d074c3215981edca4de89a4bf1b7ec",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1750805862",
            "to_ids": true,
            "type": "sha256",
            "uuid": "2c71ce86-e9c8-4f16-86c3-44e18893cb18",
            "value": "6182df9c60f9069094fb353c4b3294d13130a71f3e677566267d4419f281ef02",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1750805065",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e3705944-cd8b-4430-bd18-f6b83d200b5d",
            "value": "384:qwp/VHh5iL61kGtwaHw+lBIiyBcVDv8O:q4Hh5iL6FhlSiyBcVp"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1750805065",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "cd4894fd-cfaa-4e67-aec4-65c46789cfb7",
            "value": "16384"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1750805065",
            "to_ids": true,
            "type": "vhash",
            "uuid": "280c2686-f522-4a31-b8e2-ef97cfb071d2",
            "value": "0140365d1d5bz503=z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1750805065",
            "to_ids": true,
            "type": "filename",
            "uuid": "fc6e4f32-1ec7-4c16-9725-b49410a28527",
            "value": "6182df9c60f9069094fb353c4b3294d13130a71f3e677566267d4419f281ef02.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 25/06/2025\nLast-scan\t:  22/06/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1750805065",
            "to_ids": false,
            "type": "text",
            "uuid": "275ee6c1-2e9e-41a1-9b14-bbf92a0fa87f",
            "value": "Type Description: Win32 EXE\nMicrosoft: Ransom:Win64/Newcryptor.YAE!MTB\nVT Total Detection:56/72\nFirst Submission:2025-05-20T08:19:24.000000+00:00\nLast Submission:2025-06-09T23:30:06.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1750806924",
        "uuid": "6e5ff8b1-4825-4e8c-8835-ae870c4fa966",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1750806067",
            "to_ids": true,
            "type": "md5",
            "uuid": "f0aca61b-aa19-418a-9a4c-6d2e4363baa9",
            "value": "29a2cc59a9ebd334103ce146bca38522",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1750805863",
            "to_ids": true,
            "type": "sha1",
            "uuid": "55185eac-d87d-4023-8739-24343f376aa6",
            "value": "4a4a58abebe37642c1ed3411e3154d1f68bca4d3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1750805864",
            "to_ids": true,
            "type": "sha256",
            "uuid": "44636e4d-36fd-46f7-8e17-6e3a8b321bf0",
            "value": "c7efe9b84b8f48b71248d40143e759e6fc9c6b7177224eb69e0816cc2db393db",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1750805086",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "9e86e30b-0dd3-4187-990a-4aac5410b23e",
            "value": "3072:Lb+XxBHGVJgggwgggwgggwgggwggggmOrIlp:LrIl"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1750805086",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "2185a88f-7bc0-41c2-9f78-9fff2bd9c944",
            "value": "105320"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1750805086",
            "to_ids": true,
            "type": "vhash",
            "uuid": "9dd96ed6-e03c-4b68-b9e4-8cd183cadf71",
            "value": "bee038c27338338ba807b26285dea4f8"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1750805086",
            "to_ids": true,
            "type": "filename",
            "uuid": "7384de90-94bc-40df-b336-e8504b35bf05",
            "value": "2025-06-09_29a2cc59a9ebd334103ce146bca38522_revil_sodinokibi"
          },
          {
            "category": "Other",
            "comment": "Checked: 25/06/2025\nLast-scan\t:  22/06/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1750805086",
            "to_ids": false,
            "type": "text",
            "uuid": "f9b32124-9735-4dbe-8c04-c06fbbedfa69",
            "value": "Type Description: ELF\nMicrosoft: Ransom:Linux/MoneyMessage.K!MTB\nVT Total Detection:37/65\nFirst Submission:2025-03-18T19:22:49.000000+00:00\nLast Submission:2025-06-09T02:00:31.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1750806945",
        "uuid": "cf81e26e-c596-42d9-849c-3cfff08f5740",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "PowerShell script used by Bert Group",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1750806088",
            "to_ids": true,
            "type": "md5",
            "uuid": "cd2e649f-4fb7-4ef8-a79f-972815280569",
            "value": "38ce06bf89b28ccebf5a78404eb3818e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "PowerShell script used by Bert Group",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1750805865",
            "to_ids": true,
            "type": "sha1",
            "uuid": "b82d83d4-9294-4d37-81ed-4e9c9cf7a266",
            "value": "f65aec7f7bc57218adaa970963b386eeecdc107d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "PowerShell script used by Bert Group",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1750805865",
            "to_ids": true,
            "type": "sha256",
            "uuid": "95d7908f-7046-4d2f-9f64-48b8fbf82480",
            "value": "b2f601ca68551c0669631fd5427e6992926ce164f8b3a25ae969c7f6c6ce8e4f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1750805108",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f0c3acc0-d9b1-4bca-9642-c00d89c19488",
            "value": "48:SRmFRO43KuCKeKhDKTGfZtKDXUK8UKrNNMcTC85uTNFre5ET5+AR5:WmFEoHrw3DXd8drNpf0JFr2CR5"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1750805108",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "d5f6173a-3f5b-4ffc-b611-3d79475cb561",
            "value": "2714"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1750805108",
            "to_ids": true,
            "type": "filename",
            "uuid": "534b1adb-b39e-4c8c-9cce-3d244dddbf36",
            "value": "start.ps1"
          },
          {
            "category": "Other",
            "comment": "Checked: 25/06/2025\nLast-scan\t:  23/06/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1750805108",
            "to_ids": false,
            "type": "text",
            "uuid": "19805e8a-718c-48be-a81f-1086feb4adf9",
            "value": "PS used by Bert Group\r\nType Description: Powershell\nMicrosoft: Trojan:Win32/Seheq!rfn\nVT Total Detection:26/62\nFirst Submission:2025-05-06T19:55:19.000000+00:00\nLast Submission:2025-05-08T19:51:57.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1750806967",
        "uuid": "18717640-e802-4984-b891-ebdc716fea78",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1750806108",
            "to_ids": true,
            "type": "md5",
            "uuid": "e5d01c31-91f0-439a-88d5-3957ce8a160f",
            "value": "3e581aad42a2a9e080a4a676de42f015",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1750805865",
            "to_ids": true,
            "type": "sha1",
            "uuid": "de716810-b9f1-4191-b136-e6d1663a973e",
            "value": "4f5d4429d80f10609b5c22bea3dddf47c390b90a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1750805865",
            "to_ids": true,
            "type": "sha256",
            "uuid": "7cf7b9d3-adac-4d95-9a59-0efa35ce4411",
            "value": "f2dc218ea8e2caa8668e54bae6561afd9fbf035a40b80ce9e847664ff0809799",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1750805130",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "2639b192-3eb4-4f3d-9ddb-9cf53c22b5e3",
            "value": "192:6BFlMiDlbliVb861krTerqwf6MwaHw5Y317OwyNCbehYE7++TQu+VVdhU18O9:6Hh5iO61kGtwaHw+lBI3dwVDk8O"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1750805130",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "78db0608-f20f-42c7-a58d-67d302b555d8",
            "value": "12800"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1750805130",
            "to_ids": true,
            "type": "vhash",
            "uuid": "e70fbf77-b3ae-49a1-af85-896ffce08446",
            "value": "014026551\"z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1750805130",
            "to_ids": true,
            "type": "filename",
            "uuid": "cca3468c-b127-42e9-b8fa-3b424a12a27b",
            "value": "newcryptor.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 25/06/2025\nLast-scan\t:  22/06/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1750805130",
            "to_ids": false,
            "type": "text",
            "uuid": "15c712ec-304b-43be-ae77-b7f4145e9711",
            "value": "Type Description: Win32 EXE\nMicrosoft: Ransom:Win64/Newcryptor.YAE!MTB\nVT Total Detection:53/72\nFirst Submission:2025-05-15T02:09:24.000000+00:00\nLast Submission:2025-06-06T05:35:50.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1750806988",
        "uuid": "e1162101-c812-4802-872e-5f3a3266ee89",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1750806129",
            "to_ids": true,
            "type": "md5",
            "uuid": "63b072a0-4446-4712-94d9-deceb86049d5",
            "value": "5cab4fabffeb5903f684c936a90e0b46",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1750805866",
            "to_ids": true,
            "type": "sha1",
            "uuid": "43e20f5e-7c87-412a-b51f-22e3a7bc3c10",
            "value": "be687f964b17c0a3ccd7e4c7ba88e8de618ea2cd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1750805866",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1a830796-8568-4c0f-a23a-56ff0f999592",
            "value": "78eb838238dad971dcbc46b86491d95e297f3d47dc770de5c43af3163990d31c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1750805152",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "72467941-460c-44c4-bb99-87fdc1c046e1",
            "value": "192:CuOdjpbAmtnOFKJITrCXB3Bi93AqOdNkbLW2gzyVdCWF8O9:ykmtmKsrUB3KQpIVUW8O"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1750805152",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "c4f44409-c6ca-4b34-a03b-7b02ee28f13e",
            "value": "11264"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1750805152",
            "to_ids": true,
            "type": "vhash",
            "uuid": "188cae60-5e4e-4bbc-918a-7a0db9452907",
            "value": "014026551\"z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1750805152",
            "to_ids": true,
            "type": "filename",
            "uuid": "54d81cb1-9ec7-49d9-a3ed-176612912479",
            "value": "newcryptor.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 25/06/2025\nLast-scan\t:  19/06/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1750805152",
            "to_ids": false,
            "type": "text",
            "uuid": "9f051590-57b0-4e30-bb69-c95f9bcbc78b",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:HTML/Redirector!rfn\nVT Total Detection:52/72\nFirst Submission:2025-03-17T09:31:31.000000+00:00\nLast Submission:2025-03-17T09:31:31.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1750807010",
        "uuid": "5ba78ff6-8d02-4e93-b0b9-bc161a2e5a93",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1750806150",
            "to_ids": true,
            "type": "md5",
            "uuid": "cdd67e07-4402-4703-831f-46a9030ee77a",
            "value": "71dc9540eb03f2ed4d1b6496b13fe839",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1750805867",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e26936da-9cea-4838-bcce-fbe390a9b367",
            "value": "7aa1de73654f7d6605c81d93f89245a8969d5b9c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1750805867",
            "to_ids": true,
            "type": "sha256",
            "uuid": "c44fb357-3123-4253-b103-8b6069e0dc56",
            "value": "8478d5f5a33850457abc89a99718fc871b80a8fb0f5b509ac1102f441189a311",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1750805173",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c217b2ca-dcfd-49db-b790-06495cb4112c",
            "value": "192:5BFlMiDlblid561krTerqwf6MwaHw5Y317OwyNCbp52/lL1URTu+VVdh5F8O9:5Hh5iL61kGtwaHw+lBIiyBcVDv8O"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1750805173",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "fb4d18b5-0f70-4c93-ae2a-d92b3c652f09",
            "value": "12800"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1750805173",
            "to_ids": true,
            "type": "vhash",
            "uuid": "8e7d7c81-e625-4293-b91b-2730ee210270",
            "value": "014026551\"z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1750805173",
            "to_ids": true,
            "type": "filename",
            "uuid": "d9e6aeed-827a-4f59-be25-0c20415e3d4a",
            "value": "newcryptor.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 25/06/2025\nLast-scan\t:  19/06/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1750805173",
            "to_ids": false,
            "type": "text",
            "uuid": "ffa72982-0c6c-4bc4-8e6b-d723385774f2",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Pomal!rfn\nVT Total Detection:54/72\nFirst Submission:2025-05-06T19:55:43.000000+00:00\nLast Submission:2025-05-31T00:15:26.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1750807031",
        "uuid": "d48c84e8-e96b-4ba0-acd3-2f66f95cadcf",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1750806171",
            "to_ids": true,
            "type": "md5",
            "uuid": "b5cbaee6-4801-4d07-be13-77824e86b55a",
            "value": "d1013bbaa2f151195d563b2b65126fa3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1750805867",
            "to_ids": true,
            "type": "sha1",
            "uuid": "12e5befe-28b6-4975-b3dd-1a5a369b9333",
            "value": "0f63b3603bd4bf49bdbb7e1ab9912e3fc88cf9bf",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1750805867",
            "to_ids": true,
            "type": "sha256",
            "uuid": "ce323e06-0349-4204-b45a-2c2c0b50cbca",
            "value": "ced4ed5e5ef7505dd008ed7dd28b8aff38df7febe073d990d6d74837408ea4be",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1750805195",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "1f2ec6ed-2f59-418f-a182-3961bb5c1661",
            "value": "192:wBFlMiDlblidF61krTerqwf6MwaHw5Y317OwyNCbnzDJ1URGu+VVdhrF8O9:wHh5iP61kGtwaHw+lBIyzHZVDR8O"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1750805195",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "2f794825-f47a-4cd8-ab65-9854380156da",
            "value": "12800"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1750805195",
            "to_ids": true,
            "type": "vhash",
            "uuid": "26d18821-fe98-4c83-bbeb-c603181d3eab",
            "value": "014026551\"z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1750805195",
            "to_ids": true,
            "type": "filename",
            "uuid": "a3654075-a46f-4fb8-8991-e5ffa856e380",
            "value": "newcryptor.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 25/06/2025\nLast-scan\t:  20/06/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1750805195",
            "to_ids": false,
            "type": "text",
            "uuid": "1a27190b-fe25-4ab5-99dc-782c57416405",
            "value": "Type Description: Win32 EXE\nMicrosoft: Ransom:MSIL/CipherLocker.YGC!MTB\nVT Total Detection:51/72\nFirst Submission:2025-05-21T13:34:48.000000+00:00\nLast Submission:2025-05-22T17:50:17.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1750807053",
        "uuid": "0c70b7f0-15be-4f37-9863-892570af3edc",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1750806192",
            "to_ids": true,
            "type": "md5",
            "uuid": "1c2f44c1-65a9-436e-9e59-789115e5d575",
            "value": "edec051ce461d62fbbd3abf09534b731",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1750805868",
            "to_ids": true,
            "type": "sha1",
            "uuid": "90ee495e-7338-4499-8739-17406afdcb49",
            "value": "781da9e43d18343252d242b6a441ad3a4d8f00c2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1750805868",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4abbb051-c572-4ee4-8891-ede9c3fe0d93",
            "value": "25c693808095f45d297171eba5196e9a5176281a2d248cb1a8cfa07a68bbe332",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1750805217",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "cb256d7d-2640-4a9b-9ce6-de2c9635b726",
            "value": "192:FuuhFbzpcHc9RAy9nUnDi93AqOdNHbXW2gloVdTF8O9:Bl6D9nIQp/V78O"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1750805217",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "22a3444d-4d94-4ce0-b8a5-9ac9611025a6",
            "value": "11264"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1750805217",
            "to_ids": true,
            "type": "vhash",
            "uuid": "99233b88-b4a8-4d08-b7bb-6ead16961830",
            "value": "014026551\"z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1750805217",
            "to_ids": true,
            "type": "filename",
            "uuid": "072c7ff0-9a5c-48b0-ac33-88dd23fca9fe",
            "value": "newcryptor.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 25/06/2025\nLast-scan\t:  18/06/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1750805217",
            "to_ids": false,
            "type": "text",
            "uuid": "15ae378b-382f-46d9-bc76-0f7defaa2627",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:HTML/Redirector!rfn\nVT Total Detection:49/72\nFirst Submission:2025-03-16T05:57:52.000000+00:00\nLast Submission:2025-03-17T09:47:54.000000+00:00"
          }
        ]
      }
    ]
  }
}