{
  "Event": {
    "analysis": "2",
    "date": "2018-04-23",
    "extends_uuid": "",
    "info": "[Threat Intel] New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia",
    "protected": false,
    "publish_timestamp": "1780039852",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1780039852",
    "uuid": "5947a5a4-9c86-45e8-9756-25fa38c54ff3",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"Symantec\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Health\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"IT\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Logistic\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Manufacturing\"",
        "relationship_type": ""
      },
      {
        "colour": "#5ed128",
        "local": false,
        "name": "misp-galaxy:target-information=\"Germany\"",
        "relationship_type": ""
      },
      {
        "colour": "#e459c3",
        "local": false,
        "name": "misp-galaxy:target-information=\"Hong Kong\"",
        "relationship_type": ""
      },
      {
        "colour": "#620e4e",
        "local": false,
        "name": "misp-galaxy:target-information=\"Hungary\"",
        "relationship_type": ""
      },
      {
        "colour": "#013748",
        "local": false,
        "name": "misp-galaxy:target-information=\"India\"",
        "relationship_type": ""
      },
      {
        "colour": "#915448",
        "local": false,
        "name": "misp-galaxy:target-information=\"Malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#fa487c",
        "local": false,
        "name": "misp-galaxy:target-information=\"Philippines\"",
        "relationship_type": ""
      },
      {
        "colour": "#809a25",
        "local": false,
        "name": "misp-galaxy:target-information=\"Poland\"",
        "relationship_type": ""
      },
      {
        "colour": "#3b9849",
        "local": false,
        "name": "misp-galaxy:target-information=\"Saudi Arabia\"",
        "relationship_type": ""
      },
      {
        "colour": "#63bd05",
        "local": false,
        "name": "misp-galaxy:target-information=\"Sweden\"",
        "relationship_type": ""
      },
      {
        "colour": "#ce59f1",
        "local": false,
        "name": "misp-galaxy:target-information=\"United Kingdom\"",
        "relationship_type": ""
      },
      {
        "colour": "#b8ab01",
        "local": false,
        "name": "misp-galaxy:target-information=\"United States\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#10003d",
        "local": false,
        "name": "rectifyq:sub-category=\"TA-profile\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd2e44",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#3500ca",
        "local": false,
        "name": "rectifyq:detection-rules=\"yara-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"Orangeworm\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740397193",
        "to_ids": false,
        "type": "link",
        "uuid": "aa4e2605-8e64-4b3e-bf9b-0357b1d4525c",
        "value": "https://www.security.com/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740397200",
        "to_ids": false,
        "type": "link",
        "uuid": "ae328bd9-3432-4c6a-bdd8-23057143c66f",
        "value": "https://www.security.com/sites/default/files/2018-04/Orangeworm%20IOCs.pdf"
      },
      {
        "category": "Payload delivery",
        "comment": "Dropper. No sample in VT\r\nLast check: 06/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746510381",
        "to_ids": true,
        "type": "md5",
        "uuid": "9dfa8cb4-9481-4640-b126-9d373c5f2dca",
        "value": "047f70dbac6cd9a4d07abef606d89fb7",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Dropper. No sample in VT\r\nLast check: 06/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746510402",
        "to_ids": true,
        "type": "md5",
        "uuid": "c27bf022-ba88-4023-850d-2a3df54b9b33",
        "value": "2ae53de1a1f65a6d57e96dab26c73cda",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Dropper. No sample in VT\r\nLast check: 06/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746510423",
        "to_ids": true,
        "type": "md5",
        "uuid": "172526c6-53db-497d-ad60-cc59162383c2",
        "value": "47345640c135bd00d9f2969fabb4c9fa",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Dropper. No sample in VT\r\nLast check: 06/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746510465",
        "to_ids": true,
        "type": "md5",
        "uuid": "f226484c-1a9a-4fc4-b6d2-0f904e935fda",
        "value": "b680b119643876286030c4f6134dc4e3",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Dropper. No sample in VT\r\nLast check: 06/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746510507",
        "to_ids": true,
        "type": "md5",
        "uuid": "3ba2faae-f90e-4504-9b34-afe26c2aec48",
        "value": "856683aee9687f6fdf00cfd4dc4c2aef",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Dropper. No sample in VT\r\nLast check: 06/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746510528",
        "to_ids": true,
        "type": "md5",
        "uuid": "82940550-3fd6-4e46-b5e4-d5c8a3309be0",
        "value": "847459c8379250d8be2b2d365be877f5",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Dropper. No sample in VT\r\nLast check: 06/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746510570",
        "to_ids": true,
        "type": "md5",
        "uuid": "ff7fdb06-7561-4ed1-ae22-cbd7a6432618",
        "value": "3bedc1c4c1023c141c2f977e846c476e",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Dropper. No sample in VT\r\nLast check: 06/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746510591",
        "to_ids": true,
        "type": "md5",
        "uuid": "93a98177-f015-44b0-b223-6e1721540773",
        "value": "ce3894ee6f3c2c2c828148f7f779aafe",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Dropper. No sample in VT\r\nLast check: 06/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746510655",
        "to_ids": true,
        "type": "md5",
        "uuid": "39196ccd-b24b-4645-8587-54fe02dd2068",
        "value": "177bece20ba6cc644134709a391c4a98",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Dropper. No sample in VT\r\nLast check: 06/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746510675",
        "to_ids": true,
        "type": "md5",
        "uuid": "d4a34883-932f-491f-bb4d-c9e32847c4c7",
        "value": "b59e4942f7c68c584a35d59e32adce3a",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Dropper. No sample in VT\r\nLast check: 06/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746510696",
        "to_ids": true,
        "type": "md5",
        "uuid": "33d11e9a-254f-4942-b94a-baf599f5bea5",
        "value": "81e61e5f44a6a476983e7a90bdac6a55",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Payload DLL. No sample in VT\r\nLast check: 06/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746510717",
        "to_ids": true,
        "type": "md5",
        "uuid": "6a1053a4-65cb-4f7b-83f1-e3b797b00b09",
        "value": "ec968325394f3e6821bf90fda321e09b",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Payload DLL. No sample in VT\r\nLast check: 06/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746510738",
        "to_ids": true,
        "type": "md5",
        "uuid": "b355a97c-3c6d-42ae-b17a-ca4a25aa549f",
        "value": "01cf05a07af57a7aafd0ad225a6fd300",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Payload DLL. No sample in VT\r\nLast check: 06/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746510759",
        "to_ids": true,
        "type": "md5",
        "uuid": "6010aa85-320b-497d-972f-f28fd40a3d6b",
        "value": "d57df638c7befd7897c9013e90b678f0",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Payload DLL. No sample in VT\r\nLast check: 06/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746510801",
        "to_ids": true,
        "type": "md5",
        "uuid": "a056da11-338a-49f9-9da0-82409019c407",
        "value": "4b91ec8f5d4a008dd1da723748a633b6",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Payload DLL. No sample in VT\r\nLast check: 06/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746510822",
        "to_ids": true,
        "type": "md5",
        "uuid": "59afc363-456f-4fb2-a00c-98ea83b4c4b5",
        "value": "134846465b8c3f136ace0f2a6f15e534",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Payload DLL. No sample in VT\r\nLast check: 06/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746510843",
        "to_ids": true,
        "type": "md5",
        "uuid": "63c6e6ac-3438-4105-a431-eaece2175a8a",
        "value": "9d2cb9d8e73fd879660d9390ba7de263",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Payload DLL. No sample in VT\r\nLast check: 06/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746510885",
        "to_ids": true,
        "type": "md5",
        "uuid": "646dc0a7-74dc-46be-9f9a-fae1504cd64d",
        "value": "de9b01a725d4f19da1c1470cf7a948ee",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Payload DLL. No sample in VT\r\nLast check: 06/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746510906",
        "to_ids": true,
        "type": "md5",
        "uuid": "76f32757-4f09-4f6e-8e89-b2e3ac92823d",
        "value": "bb939a868021db963916cc0118aab8ee",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Payload DLL. No sample in VT\r\nLast check: 06/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746510926",
        "to_ids": true,
        "type": "md5",
        "uuid": "480226d0-c111-4abc-ae37-9ef25cb69c8c",
        "value": "3289c9a1b534a19925a14a8f7c39187c",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Payload DLL. No sample in VT\r\nLast check: 06/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746510947",
        "to_ids": true,
        "type": "md5",
        "uuid": "543a0aee-3261-4543-9968-3ca34c4a4b03",
        "value": "9d3839b39d699336993df1dd4501892b",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Payload DLL. No sample in VT\r\nLast check: 06/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746510968",
        "to_ids": true,
        "type": "md5",
        "uuid": "e467a3eb-d2ed-4442-9dcc-0ab9eaa09b53",
        "value": "fece72bd41cb0e06e05a847838fbde56",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Payload DLL. No sample in VT\r\nLast check: 06/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746510989",
        "to_ids": true,
        "type": "md5",
        "uuid": "6f2f3119-df21-4edf-8e97-2b3a6ac7c046",
        "value": "bbd9e4204514c66c1babda178c01c213",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Payload DLL. No sample in VT\r\nLast check: 06/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746511010",
        "to_ids": true,
        "type": "md5",
        "uuid": "c51fbf19-db74-4036-998f-03b7805849ab",
        "value": "ee4206cf4227661d3e7ec846f0d69a43",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039838",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "719ee138-a5f0-48b5-aedf-537809ddfc35",
        "value": "65.116.107.24",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#88c387",
            "local": false,
            "name": "asn:asn=\"209\"",
            "relationship_type": ""
          },
          {
            "colour": "#ea6335",
            "local": false,
            "name": "asn:as-owner=\"CENTURYLINK-US-LEGACY-QWEST\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746518601",
        "to_ids": true,
        "type": "url",
        "uuid": "0085bbe6-0033-432d-b3ba-24c652ee27c0",
        "value": "http://65.116.107.24/login/login.php?q",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039839",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "0cd1dc27-ea87-412d-adbc-450ef50eb780",
        "value": "13.44.61.126",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#4745f2",
            "local": false,
            "name": "asn:asn=\"16509\"",
            "relationship_type": ""
          },
          {
            "colour": "#5424ef",
            "local": false,
            "name": "asn:as-owner=\"AMAZON-02\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746518643",
        "to_ids": true,
        "type": "url",
        "uuid": "cb748aa7-3edd-4182-9800-7ebe11ed1ad2",
        "value": "http://13.44.61.126/main/indexmain.php?q",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039841",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "fb4aa305-e7f4-4b57-af73-50530033a032",
        "value": "56.28.111.63",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#4745f2",
            "local": false,
            "name": "asn:asn=\"16509\"",
            "relationship_type": ""
          },
          {
            "colour": "#5424ef",
            "local": false,
            "name": "asn:as-owner=\"AMAZON-02\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746518684",
        "to_ids": true,
        "type": "url",
        "uuid": "61f4b61e-4504-4622-838d-963195d38910",
        "value": "http://56.28.111.63/group/group/defaultmain.php?q",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039842",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "f10493d4-d172-4053-9ae7-bd8d61a0689a",
        "value": "118.71.138.69",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#4ec525",
            "local": false,
            "name": "asn:asn=\"18403\"",
            "relationship_type": ""
          },
          {
            "colour": "#1685e0",
            "local": false,
            "name": "asn:as-owner=\"FPT-AS-AP FPT Telecom Company\"",
            "relationship_type": ""
          },
          {
            "colour": "#b8567e",
            "local": false,
            "name": "asn:as-country=\"VN\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"vietnam\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746518726",
        "to_ids": true,
        "type": "url",
        "uuid": "2f25902e-b048-489d-8ac1-57af90bdae3a",
        "value": "http://118.71.138.69/new/main/default.php?q",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039844",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "8f7b218f-b449-4aaf-a93d-999d487a8eb4",
        "value": "117.32.65.101",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#9ef9a4",
            "local": false,
            "name": "asn:asn=\"4134\"",
            "relationship_type": ""
          },
          {
            "colour": "#2f9c31",
            "local": false,
            "name": "asn:as-owner=\"CHINANET-BACKBONE No.31,Jin-rong Street\"",
            "relationship_type": ""
          },
          {
            "colour": "#9256df",
            "local": false,
            "name": "asn:as-country=\"CN\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"china\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746518768",
        "to_ids": true,
        "type": "url",
        "uuid": "fd795c6b-99c4-48ea-a5cd-85e25f76e0e5",
        "value": "http://117.32.65.101/users/login.php?q",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2 - enrichment places this address in AS3 (MIT-GATEWAYS), an academic range rather than typical attacker hosting; corroborate independently before enforcing the to_ids flag",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039845",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "2918acf3-95f0-4870-a143-6781f24e68c9",
        "value": "18.25.62.70",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#0d2090",
            "local": false,
            "name": "asn:asn=\"3\"",
            "relationship_type": ""
          },
          {
            "colour": "#df4a91",
            "local": false,
            "name": "asn:as-owner=\"MIT-GATEWAYS\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746518811",
        "to_ids": true,
        "type": "url",
        "uuid": "393bf964-5058-48be-85ab-9b3dbc5b0550",
        "value": "http://18.25.62.70/groupgroup/default.php?q",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039847",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "389be557-a239-4665-9909-182e0ff0b2f1",
        "value": "92.137.43.17",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#2abee0",
            "local": false,
            "name": "asn:asn=\"3215\"",
            "relationship_type": ""
          },
          {
            "colour": "#3e0879",
            "local": false,
            "name": "asn:as-owner=\"France Telecom - Orange\"",
            "relationship_type": ""
          },
          {
            "colour": "#93736f",
            "local": false,
            "name": "asn:as-country=\"FR\"",
            "relationship_type": ""
          },
          {
            "colour": "#f6cea1",
            "local": false,
            "name": "misp-galaxy:country=\"france\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746518856",
        "to_ids": true,
        "type": "url",
        "uuid": "0b423e74-c7ba-42e2-aa5e-6c35db30bbeb",
        "value": "http://92.137.43.17/group/group/home/login/home.php?q",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2 - enrichment places this address in AS749 (DNIC-AS-00749), not a typical hosting range, and the paired URL lookup returned NotFoundError; corroborate independently before enforcing the to_ids flag",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039848",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "f76a5df1-f932-4b03-a37e-4e7fe312d53a",
        "value": "33.25.72.21",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#5847b4",
            "local": false,
            "name": "asn:asn=\"749\"",
            "relationship_type": ""
          },
          {
            "colour": "#2236dd",
            "local": false,
            "name": "asn:as-owner=\"DNIC-AS-00749\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746518900",
        "to_ids": true,
        "type": "url",
        "uuid": "5caf17f1-31dc-4cf5-b425-34225d69b25b",
        "value": "http://33.25.72.21/group/main.asp?q",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2 - enrichment places this address in AS16509 (AMAZON-02) shared cloud space where addresses are reassigned between tenants, and the paired URL lookup returned NotFoundError; re-validate before blocking on this IP alone",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039850",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "f92fc1b1-ece8-405d-8f55-40622a2a8617",
        "value": "16.48.37.37",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#4745f2",
            "local": false,
            "name": "asn:asn=\"16509\"",
            "relationship_type": ""
          },
          {
            "colour": "#5424ef",
            "local": false,
            "name": "asn:as-owner=\"AMAZON-02\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746518943",
        "to_ids": true,
        "type": "url",
        "uuid": "2b12aab2-5b16-4aa5-bdf0-3d1f7bab5a40",
        "value": "http://16.48.37.37/groupusers/default.php?q",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039852",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "82b9f411-a391-4552-bafe-be6b870efaa5",
        "value": "91.29.51.11",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#27be48",
            "local": false,
            "name": "asn:asn=\"3320\"",
            "relationship_type": ""
          },
          {
            "colour": "#f21428",
            "local": false,
            "name": "asn:as-owner=\"DTAG Internet service provider operations\"",
            "relationship_type": ""
          },
          {
            "colour": "#141680",
            "local": false,
            "name": "asn:as-country=\"DE\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"germany\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746518990",
        "to_ids": true,
        "type": "url",
        "uuid": "4b9e2b20-3dc1-4171-a148-761c2f8e0b58",
        "value": "http://91.29.51.11/default/main.php?q",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "6",
        "timestamp": "1740397450",
        "uuid": "915774c4-2794-4dd3-8d25-0eb9b00691cb",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1740397450",
            "to_ids": false,
            "type": "comment",
            "uuid": "a3c92ca7-8d5a-458f-884d-0341d41f1641",
            "value": "Kwampirs dropper and main payload components"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1740397450",
            "to_ids": true,
            "type": "yara",
            "uuid": "ec1bbc0b-cae8-4624-9638-85591d6d89d7",
            "value": "rule Kwampirs\r\n{\r\n meta:\r\n copyright = \"Symantec\"\r\n family = \"Kwampirs\"\r\n description = \"Kwampirs dropper and main payload components\"\r\n strings:\r\n $pubkey =\r\n {\r\n 06 02 00 00 00 A4 00 00 52 53 41 31 00 08 00 00\r\n 01 00 01 00 CD 74 15 BC 47 7E 0A 5E E4 35 22 A5\r\n 97 0C 65 BE E0 33 22 F2 94 9D F5 40 97 3C 53 F9\r\n E4 7E DD 67 CF 5F 0A 5E F4 AD C9 CF 27 D3 E6 31\r\n 48 B8 00 32 1D BE 87 10 89 DA 8B 2F 21 B4 5D 0A\r\n CD 43 D7 B4 75 C9 19 FE CC 88 4A 7B E9 1D 8C 11\r\n 56 A6 A7 21 D8 C6 82 94 C1 66 11 08 E6 99 2C 33\r\n 02 E2 3A 50 EA 58 D2 A7 36 EE 5A D6 8F 5D 5D D2\r\n 9E 04 24 4A CE 4C B6 91 C0 7A C9 5C E7 5F 51 28\r\n 4C 72 E1 60 AB 76 73 30 66 18 BE EC F3 99 5E 4B\r\n 4F 59 F5 56 AD 65 75 2B 8F 14 0C 0D 27 97 12 71\r\n 6B 49 08 84 61 1D 03 BA A5 42 92 F9 13 33 57 D9\r\n 59 B3 E4 05 F9 12 23 08 B3 50 9A DA 6E 79 02 36\r\n EE CE 6D F3 7F 8B C9 BE 6A 7E BE 8F 85 B8 AA 82\r\n C6 1E 14 C6 1A 28 29 59 C2 22 71 44 52 05 E5 E6\r\n FE 58 80 6E D4 95 2D 57 CB 99 34 61 E9 E9 B3 3D\r\n 90 DC 6C 26 5D 70 B4 78 F9 5E C9 7D 59 10 61 DF\r\n F7 E4 0C B3\r\n }\r\n $network_xor_key =\r\n {\r\n B7 E9 F9 2D F8 3E 18 57 B9 18 2B 1F 5F D9 A5 38\r\n C8 E7 67 E9 C6 62 9C 50 4E 8D 00 A6 59 F8 72 E0\r\n 91 42 FF 18 A6 D1 81 F2 2B C8 29 EB B9 87 6F 58\r\n C2 C9 8E 75 3F 71 ED 07 D0 AC CE 28 A1 E7 B5 68\r\n CD CF F1 D8 2B 26 5C 31 1E BC 52 7C 23 6C 3E 6B\r\n 8A 24 61 0A 17 6C E2 BB 1D 11 3B 79 E0 29 75 02\r\n D9 25 31 5F 95 E7 28 28 26 2B 31 EC 4D B3 49 D9\r\n 62 F0 3E D4 89 E4 CC F8 02 41 CC 25 15 6E 63 1B\r\n 10 3B 60 32 1C 0D 5B FA 52 DA 39 DF D1 42 1E 3E\r\n BD BC 17 A5 96 D9 43 73 3C 09 7F D2 C6 D4 29 83\r\n 3E 44 44 6C 97 85 9E 7B F0 EE 32 C3 11 41 A3 6B\r\n A9 27 F4 A3 FB 2B 27 2B B6 A6 AF 6B 39 63 2D 91\r\n 75 AE 83 2E 1E F8 5F B5 65 ED B3 40 EA 2A 36 2C\r\n A6 CF 8E 4A 4A 3E 10 6C 9D 28 49 66 35 83 30 E7\r\n 45 0E 05 ED 69 8D CF C5 40 50 B1 AA 13 74 33 0F\r\n DF 41 82 3B 1A 79 DC 3B 9D C3 BD EA B1 3E 04 33\r\n }\r\n\r\n 
$decrypt_string =\r\n {\r\n 85 DB 75 09 85 F6 74 05 89 1E B0 01 C3 85 FF 74\r\n 4F F6 C3 01 75 4A 85 F6 74 46 8B C3 D1 E8 33 C9\r\n 40 BA 02 00 00 00 F7 E2 0F 90 C1 F7 D9 0B C8 51\r\n E8 12 28 00 00 89 06 8B C8 83 C4 04 33 C0 85 DB\r\n 74 16 8B D0 83 E2 0F 8A 92 1C 33 02 10 32 14 38\r\n 40 88 11 41 3B C3 72 EA 66 C7 01 00 00 B0 01 C3\r\n 32 C0 C3\r\n }\r\n\r\n $init_strings =\r\n {\r\n 55 8B EC 83 EC 10 33 C9 B8 0D 00 00 00 BA 02 00\r\n 00 00 F7 E2 0F 90 C1 53 56 57 F7 D9 0B C8 51 E8\r\n B3 27 00 00 BF 05 00 00 00 8D 77 FE BB 4A 35 02\r\n 10 2B DE 89 5D F4 BA 48 35 02 10 4A BB 4C 35 02\r\n 10 83 C4 04 2B DF A3 C8 FC 03 10 C7 45 FC 00 00\r\n 00 00 8D 4F FC 89 55 F8 89 5D F0 EB 06\r\n }\r\n\r\n condition:\r\n 2 of them\r\n}"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1740397450",
            "to_ids": false,
            "type": "text",
            "uuid": "d5e51432-6fc9-4e8d-950d-c3ce69396a7e",
            "value": "Kwampirs"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746519012",
        "uuid": "b4579516-a5bd-43e0-9056-1f33dd3d2e80",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Dropper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746519012",
            "to_ids": true,
            "type": "md5",
            "uuid": "94331687-89a0-4985-8f2d-96e12829a5c7",
            "value": "0240ed7e45567f606793dafaff024acf",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Dropper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746510340",
            "to_ids": true,
            "type": "sha1",
            "uuid": "8718133c-78d4-4ad8-b150-481f54c194cc",
            "value": "2646a18fdd6a7a2063b3443283ec1159696c1339",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Dropper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746510341",
            "to_ids": true,
            "type": "sha256",
            "uuid": "d215d27f-55cf-491b-89a5-d6425ca205d4",
            "value": "14461260f9b3988d4eb4e46bc7d9861172266a9a01bf15c57916a9e4f9dc0618",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746510340",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a7717e2e-fd23-4801-b6c0-4dbba36e6a00",
            "value": "12288:Kfmj3br9Mpi2zujFK9NNk55iOW2C2zujFK9NNk55iOW2AQ:KCL2pi2XNOC2XNOAQ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746510340",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "408886b1-34bf-4fa4-9439-b1d32d44b784",
            "value": "1324544"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746510340",
            "to_ids": true,
            "type": "vhash",
            "uuid": "67ca14d4-48e9-4388-85b4-2ce9e8e8799a",
            "value": "016056655d15555198z68bz29z15z67z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746510340",
            "to_ids": true,
            "type": "filename",
            "uuid": "8ba275ec-b059-4de2-a6b8-fc7b2e34bfe8",
            "value": "WmiApSrve.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2025-05-06; Last-scan: 2025-04-23",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746510340",
            "to_ids": false,
            "type": "text",
            "uuid": "c54fcc0d-bd4a-4375-bc03-9a68a3a22cd9",
            "value": "Dropper\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Kwampirs.B!dha\nVT Total Detection:62/72\nFirst Submission:2016-08-22T23:56:48.000000+00:00\nLast Submission:2024-06-20T08:12:26.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746519033",
        "uuid": "935848ac-8fa3-422c-bb9d-358bd1f62131",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Dropper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746519033",
            "to_ids": true,
            "type": "md5",
            "uuid": "61da91f3-78ea-486c-8755-221cd0c4b3ea",
            "value": "cb9954509dc82e6bbed2aee202d88415",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Dropper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746510424",
            "to_ids": true,
            "type": "sha1",
            "uuid": "f46d8d4d-b14f-4f97-b37b-0ed3ee16605d",
            "value": "c6a56cd07bfeb45b2fecdf938927e3c5a5a3e38e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Dropper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746510424",
            "to_ids": true,
            "type": "sha256",
            "uuid": "63ef5d77-3251-4b90-ac81-38ff70253534",
            "value": "f8022b973900c783fd861ede7d0ac02f665c041b9cd0641be7318999fb82ce8f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746510424",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "28af5db2-674b-43cb-b02c-e463b2b9f5c5",
            "value": "12288:n5usEMSuCBmYuvQk7rcB58s5oOfgjstLWWMV5Nc8myXJPOHkzC7bfkjpRI:n5usEMStdIM8tOfgjstLWJV5NjmemHbd"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746510424",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "d7beb090-2e60-475b-bcb7-c567c1916ee1",
            "value": "573440"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746510424",
            "to_ids": true,
            "type": "vhash",
            "uuid": "1dc398d8-a0d2-41ce-bb29-ccac47f272db",
            "value": "055056655d15755148z5fnz15z57z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746510424",
            "to_ids": true,
            "type": "filename",
            "uuid": "61a45771-6bce-4a4c-91b9-b49d7cd4dd12",
            "value": "WmiApSrve.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2025-05-06; Last-scan: 2025-04-21",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746510424",
            "to_ids": false,
            "type": "text",
            "uuid": "90a4ead9-3527-476c-b3f9-763faad4bc62",
            "value": "Dropper\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Kwampirs.A\nVT Total Detection:60/72\nFirst Submission:2015-04-30T10:38:34.000000+00:00\nLast Submission:2023-06-23T12:10:13.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746519055",
        "uuid": "219239b2-16d0-4efc-abe4-8749eb4fcb39",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Dropper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746519055",
            "to_ids": true,
            "type": "md5",
            "uuid": "e7ba3142-3b68-49ae-9897-61431a1c4c93",
            "value": "fac94bc2dcfbef7c3b248927cb5abf6d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Dropper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746510466",
            "to_ids": true,
            "type": "sha1",
            "uuid": "eb209b0f-b519-4075-852d-fe082e11bb66",
            "value": "20b7e624eaa2da04867a9229e9aca41f952917c0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Dropper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746510466",
            "to_ids": true,
            "type": "sha256",
            "uuid": "04050def-4697-4533-96f5-7e54747109c0",
            "value": "3e7181fd3e893e6b13cc40ed70afa549c8aaf37fe9bee22445b8bd912d7bc522",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746510466",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a36b79e0-9f4f-45c1-aaa6-0642fd71ee45",
            "value": "12288:M5sJpJ5wiqjGZ5DcIypRZM8q5lH1Nc8myXJPOHkzC7bfkjpRI:M5sJpJ5gKbQ+82VNjmemHbbfUU"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746510466",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "300dc9bc-f696-477c-8392-c97877144113",
            "value": "573952"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746510466",
            "to_ids": true,
            "type": "vhash",
            "uuid": "5f38d54e-0c94-498c-9818-6955c272e3ce",
            "value": "055056655d15755148z5fnz15z57z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746510466",
            "to_ids": true,
            "type": "filename",
            "uuid": "eab834ab-876b-406b-a3f1-c33667393612",
            "value": "WmiApSrve.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2025-05-06; Last-scan: 2025-05-04",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746510466",
            "to_ids": false,
            "type": "text",
            "uuid": "9f02d8f3-cca1-462f-b44b-31d952142b6b",
            "value": "Dropper\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Kwampirs.A!dha\nVT Total Detection:59/72\nFirst Submission:2016-02-26T13:54:01.000000+00:00\nLast Submission:2023-06-27T01:44:24.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746519076",
        "uuid": "8eb18b6c-b08b-4d4a-837a-c445edbad470",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Dropper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746519076",
            "to_ids": true,
            "type": "md5",
            "uuid": "ad98c671-d9c9-4c2c-8a97-815b01e35610",
            "value": "6277e675d335fd69a3ff13a465f6b0a8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Dropper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746510529",
            "to_ids": true,
            "type": "sha1",
            "uuid": "b3151ec9-0371-4e6b-81e1-2b59a9eaf971",
            "value": "3f5ea936f02187e3e6297c410e260e71ca11e14b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Dropper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746510529",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b564048d-6507-48b6-a751-80159556e85b",
            "value": "6f7173b7ae87b5f3262e24a5177dbbd4413d999627f767754f08d8289f359bb3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746510529",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "96fcd338-6eb2-4e6c-b95e-a0c73e304cb2",
            "value": "6144:IdN62+y+svbBrH0Sw0JgtS2Rt4bfhoPmwfKcsZtluA0936D7NTEYyM:Y62i8J0SBJsSxbfDmdctT09Q7REQ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746510529",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b96b32f9-a6bd-431e-9d3e-bc00b1d3fb81",
            "value": "747008"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746510529",
            "to_ids": true,
            "type": "vhash",
            "uuid": "6463563d-359e-4871-a053-2cbaf3191592",
            "value": "075056655d15555198z68bz29z15z67z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746510529",
            "to_ids": true,
            "type": "filename",
            "uuid": "3679e883-4085-4e9b-bc97-900db97e1822",
            "value": "WmiApSrve.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 06/05/2025\nLast-scan\t:  05/05/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746510529",
            "to_ids": false,
            "type": "text",
            "uuid": "090244a4-1a12-4d10-aa61-b226f5b5371a",
            "value": "Dropper\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Kwampirs.A!dha\nVT Total Detection:57/72\nFirst Submission:2016-06-23T15:40:12.000000+00:00\nLast Submission:2023-06-23T10:03:01.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746519101",
        "uuid": "febb0428-63ad-450a-ab40-6a9398539266",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Dropper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746519101",
            "to_ids": true,
            "type": "md5",
            "uuid": "a02ee8a8-1582-4c62-a2f5-daa9c70ac932",
            "value": "3b3a1062689ffa191e58d5507d39939d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Dropper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746510592",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7bdb3b10-a510-4c24-9cbd-bebbd5408e25",
            "value": "ce3e75f6f8b187656d18618756da68aac135b334",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Dropper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746510592",
            "to_ids": true,
            "type": "sha256",
            "uuid": "935aa3f8-13b8-40a1-b660-a79a3488daee",
            "value": "ea61bcd4774ce2b6ab364a7831f36e010214be2ba2e6daa7dcba10b7e229ddfa",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746510592",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "ead8fec4-3570-4473-be6c-d0568755609c",
            "value": "12288:Kfmj3br9MUi2zujFK9NNk55iOW2C2zujFK9NNk55iOW2AQ:KCL2Ui2XNOC2XNOAQ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746510592",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "61f9f6a6-f84b-4daf-a90a-c95dc24aebb9",
            "value": "1324544"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746510592",
            "to_ids": true,
            "type": "vhash",
            "uuid": "4ab87419-e792-4c1c-a355-07c1bfdb5592",
            "value": "016056655d15555198z68bz29z15z67z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746510592",
            "to_ids": true,
            "type": "filename",
            "uuid": "b850b6a6-d7d1-42f1-8628-b3cb47d32e91",
            "value": "WmiApSrve.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 06/05/2025\nLast-scan\t:  20/04/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746510592",
            "to_ids": false,
            "type": "text",
            "uuid": "735a5a69-ced6-466e-8ba3-7ff531b42ed7",
            "value": "Dropper\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Kwampirs.B!dha\nVT Total Detection:62/72\nFirst Submission:2016-09-13T12:40:17.000000+00:00\nLast Submission:2023-06-23T09:41:45.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746519148",
        "uuid": "b0151e34-0d71-48ac-af97-268c6c2385aa",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Dropper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746519148",
            "to_ids": true,
            "type": "md5",
            "uuid": "c92c5ecc-3e85-4dd4-93ca-7572296e64e1",
            "value": "7e5f76c7b5bf606b0fdc17f4ba75de03",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Dropper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746510613",
            "to_ids": true,
            "type": "sha1",
            "uuid": "971f69c1-6079-4e31-bfdc-eeb40a664638",
            "value": "20c30a82cc974cf1ef21dbcd94dfba73d7c4b723",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Dropper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746510614",
            "to_ids": true,
            "type": "sha256",
            "uuid": "df5a12b9-7a50-4319-ba06-ceded2749d72",
            "value": "a37bf368f0285ac938e1477c1c0230d28e8f39717ddded2fd82b00190cdf090e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746510613",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "6a32272b-cfdf-4096-9d1a-7f3721ccece8",
            "value": "12288:Kfmj3br9MWi2zujFK9NNk55i02C2zujFK9NNk55i02AQ:KCL2Wi2XNpC2XNpAQ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746510613",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "45d5a772-3540-4f2f-bf8e-045e6297a816",
            "value": "1324544"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746510613",
            "to_ids": true,
            "type": "vhash",
            "uuid": "ba30781e-84b9-4d70-b91f-34f65e209060",
            "value": "016056655d15555198z68bz29z15z67z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746510613",
            "to_ids": true,
            "type": "filename",
            "uuid": "27a65374-a599-4928-8112-bd7313383971",
            "value": "WmiApSrve.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 06/05/2025\nLast-scan\t:  23/04/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746510613",
            "to_ids": false,
            "type": "text",
            "uuid": "70d5f5be-4965-43a2-8d1c-35eda1ad9a20",
            "value": "Dropper\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Kwampirs.B!dha\nVT Total Detection:63/72\nFirst Submission:2016-11-16T21:28:41.000000+00:00\nLast Submission:2023-06-23T10:17:17.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746519169",
        "uuid": "b9114b37-48f1-4b7f-b456-bfa03cc299ce",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Payload DLL",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746519169",
            "to_ids": true,
            "type": "md5",
            "uuid": "7a74af88-4bac-4c5c-ad4b-d700b4b8a049",
            "value": "5c3499acfe0ad7563b367fbf7fb2928c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Payload DLL",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746510760",
            "to_ids": true,
            "type": "sha1",
            "uuid": "41ba13f2-325d-45b1-b8c2-7c337b76b77c",
            "value": "d1e791f3f8c79d76d4629b9360e1104156682899",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Payload DLL",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746510760",
            "to_ids": true,
            "type": "sha256",
            "uuid": "e63fda28-1eac-4e8b-b58e-aba4c89cc20f",
            "value": "c5b9406fdbe2c7bb1d516d1d270568c54a6e0002a4506668aaad9ff13298c3f2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746510759",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "9baed52b-d7d9-4514-8f30-3ffdc3f7dc96",
            "value": "3072://jbCP/TY82If/JgGWRcheeN9fyi+rff5weB6tLGHhrbVvG:/Lm882yhgGfhTNFyF5wPIhlu"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746510759",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b726e92e-99ac-4cfa-a0e1-ce9d1185e9ba",
            "value": "261120"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746510759",
            "to_ids": true,
            "type": "vhash",
            "uuid": "865bd9a9-644f-4c9e-975c-423c5786ba37",
            "value": "125056655d151550d8z6chz13z21z4az1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746510759",
            "to_ids": true,
            "type": "filename",
            "uuid": "ffab8d0d-6a21-4fdb-9979-9c08f1554416",
            "value": "wmipadp.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 06/05/2025\nLast-scan\t:  28/04/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746510759",
            "to_ids": false,
            "type": "text",
            "uuid": "8873d265-0d69-4ede-a07d-a977dbad17b7",
            "value": "Payload DLL\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Kwampirs!dha\nVT Total Detection:64/72\nFirst Submission:2016-08-29T20:36:33.000000+00:00\nLast Submission:2023-06-23T09:59:28.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746519190",
        "uuid": "6af622d9-09a9-4160-8bbc-3429d2398c5f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Payload DLL",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746519190",
            "to_ids": true,
            "type": "md5",
            "uuid": "e6cb9d2a-0804-4677-8102-46f562b0c529",
            "value": "939e76888bdeb628405e1b8be963273c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Payload DLL",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746510844",
            "to_ids": true,
            "type": "sha1",
            "uuid": "8149adf9-4bd6-4382-8e48-f3250fbf4f6c",
            "value": "a59de3e9f8c0b684575df7cac9cfe2d84ba26d6f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Payload DLL",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746510844",
            "to_ids": true,
            "type": "sha256",
            "uuid": "70e834bd-5287-4937-b8f7-3a10b6242126",
            "value": "7bb12284fc28fbb270507c410afdc21c60bde5d34d59de67f78796c09f5ccd9c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746510843",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "227895b6-6181-48c0-9209-f7fcc0bd78a2",
            "value": "3072:TzTw6nnTmCu5Y+WxE2PGNXBr+VZxwOQlM4ULGDhrZ3PC3m:Tv9yCu5zWxyNxuxwHMKhxr"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746510843",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "57ab0027-01f5-48f8-a350-91624433c156",
            "value": "261120"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746510843",
            "to_ids": true,
            "type": "vhash",
            "uuid": "03d61ac5-bf0e-40a2-8ebc-2759f7361165",
            "value": "125056655d151550d8z6chz13z21z4az1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746510843",
            "to_ids": true,
            "type": "filename",
            "uuid": "6edbeca1-2bdc-423d-80f6-c7e6434821d1",
            "value": "NPRCD642.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 06/05/2025\nLast-scan\t:  28/04/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746510843",
            "to_ids": false,
            "type": "text",
            "uuid": "8fdd1379-d10a-486d-9ced-2fb3fae234a0",
            "value": "Payload DLL\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Kwampirs!dha\nVT Total Detection:57/72\nFirst Submission:2016-08-16T09:29:39.000000+00:00\nLast Submission:2023-06-23T10:28:03.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746519211",
        "uuid": "4fc82482-8655-4a1a-b260-f641f0f2ec6a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Payload DLL",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746519211",
            "to_ids": true,
            "type": "md5",
            "uuid": "b7811cfa-1fcf-43dd-9c8e-b8fd70e9e9d5",
            "value": "290d8e8524e57783e8cc1b9a3445dfe9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Payload DLL",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746511011",
            "to_ids": true,
            "type": "sha1",
            "uuid": "389f4b34-8c3a-4494-9796-7a9170719861",
            "value": "3adbb352b23e8750d993e3df27904b0e5a466016",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Payload DLL",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746511011",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a3843b3d-1de1-4b70-8530-be6074d4a7ab",
            "value": "15fc575b0278281541212e393f03278d47ea03d26693efeec8e16261735bc634",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746511010",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "ada12ca7-3ea5-4fdd-b244-33d111928f85",
            "value": "3072://jbCP/TY82If/JgGWRcheeN9fyi+rff5weB6tLGHhrMwR5txVvG:/Lm882yhgGfhTNFyF5wPIh1u"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746511010",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "ae3a8bd0-8ce4-4ca7-b835-aaa7a9803330",
            "value": "261120"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746511010",
            "to_ids": true,
            "type": "vhash",
            "uuid": "2181e7dc-7b79-42ee-87f9-665f6ace9e00",
            "value": "125056655d151550d8z6chz13z21z4az1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746511010",
            "to_ids": true,
            "type": "filename",
            "uuid": "2695cab4-c99a-429a-9f27-edaea21a1bb4",
            "value": "15fc575b0278281541212e393f03278d47ea03d26693efeec8e16261735bc634_unpacked"
          },
          {
            "category": "Other",
            "comment": "Checked: 06/05/2025\nLast-scan\t:  13/04/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746511010",
            "to_ids": false,
            "type": "text",
            "uuid": "d02cde84-6027-4a49-95a2-90e66098e097",
            "value": "Payload DLL\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Kwampirs\nVT Total Detection:64/72\nFirst Submission:2017-01-17T02:00:42.000000+00:00\nLast Submission:2023-06-23T09:32:48.000000+00:00"
          }
        ]
      }
    ]
  }
}