{
  "Event": {
    "analysis": "1",
    "date": "2025-10-15",
    "extends_uuid": "",
    "info": "[Threat Intel] The Crown Prince, Nezha: A New Tool Favored by China-Nexus Threat Actors",
    "protected": false,
    "publish_timestamp": "1780041249",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1780041249",
    "uuid": "625b5d1f-8629-4a9a-9f73-f4e85089b432",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#8f20d0",
        "local": false,
        "name": "misp-galaxy:producer=\"Huntress\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#3000b9",
        "local": false,
        "name": "rectifyq:workflow=\"enrichment\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#e7d48a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\"",
        "relationship_type": ""
      },
      {
        "colour": "#5c57c8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Service - T1543.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#9feaf0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
        "relationship_type": ""
      },
      {
        "colour": "#bf01b7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"",
        "relationship_type": ""
      },
      {
        "colour": "#fe1ef0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Shell - T1505.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#9f6bd9",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b0fe1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Masquerade Task or Service - T1036.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#1cbe6b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Virtualization/Sandbox Evasion - T1497\"",
        "relationship_type": ""
      },
      {
        "colour": "#62f4c1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#d82db7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Query Registry - T1012\"",
        "relationship_type": ""
      },
      {
        "colour": "#02475d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Service Execution - T1569.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#2613b0",
        "local": false,
        "name": "misp-galaxy:target-information=\"Taiwan\"",
        "relationship_type": ""
      },
      {
        "colour": "#5887a6",
        "local": false,
        "name": "misp-galaxy:target-information=\"Japan\"",
        "relationship_type": ""
      },
      {
        "colour": "#e459c3",
        "local": false,
        "name": "misp-galaxy:target-information=\"Hong Kong\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"ANGRYREBEL\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Ghost RAT\"",
        "relationship_type": ""
      },
      {
        "colour": "#915448",
        "local": false,
        "name": "misp-galaxy:target-information=\"Malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd2e44",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3a00e0",
        "local": false,
        "name": "rectifyq:action-taken=\"x\"",
        "relationship_type": ""
      },
      {
        "colour": "#3b00e2",
        "local": false,
        "name": "rectifyq:action-taken=\"linkedin\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1760354976",
        "to_ids": false,
        "type": "link",
        "uuid": "208ebdf7-fdaa-4b7b-b363-26313b71667a",
        "value": "https://www.huntress.com/blog/nezha-china-nexus-threat-actor-tool"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1760354976",
        "to_ids": false,
        "type": "text",
        "uuid": "3c17267b-3878-4838-aceb-334d9701f2bd",
        "value": "A sophisticated cyber intrusion campaign utilizing log poisoning and a new tool called Nezha has been uncovered. The attackers exploited a vulnerable phpMyAdmin interface to deploy a web shell, followed by the installation of Nezha, an open-source server monitoring tool repurposed for malicious activities. The campaign targeted over 100 victims, primarily in Taiwan, Japan, South Korea, and Hong Kong. The threat actors also deployed Ghost RAT, a remote access trojan, for further system compromise. The attack methodology and victimology suggest a China-nexus threat actor, highlighting the need for improved security measures and vigilance against emerging threats."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1760354976",
        "to_ids": false,
        "type": "text",
        "uuid": "0c9454ec-897a-4e8b-b8ef-8a00ff9ed2ca",
        "value": "Name: The Crown Prince, Nezha: A New Tool Favored by China-Nexus Threat Actors\nAuthor: AlienVault\nAdversary: China-nexus threat actors\nTags: [\"log poisoning\", \"nezha\", \"web shell\", \"china chopper\", \"server monitoring\", \"ghost rat\", \"antsword\", \"remote access trojan\"]\nTgtd countries: [\"Taiwan\", \"Japan\", \"Hong Kong\"]\nMlwr families: [\"Nezha\", \"Ghost RAT\"]\nAttack_ids: [\"T1033\", \"T1543.003\", \"T1082\", \"T1140\", \"T1190\", \"T1112\", \"T1505.003\", \"T1016\", \"T1083\", \"T1036.004\", \"T1497\", \"T1057\", \"T1059.001\", \"T1547.001\", \"T1027\", \"T1012\", \"T1059.003\", \"T1071.001\", \"T1105\", \"T1569.002\"]\nIndustries: []"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1760354976",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "a12f7a89-f1fc-49a0-ae2f-a9e4f4b6e47d",
        "value": "China-nexus threat actors"
      },
      {
        "category": "Network activity",
        "comment": "Web shell and Backdoor C2/Operator IP",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780041244",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "346a3400-81c5-4211-b581-5933303c99b3",
        "value": "45.207.220.12",
        "Tag": [
          {
            "colour": "#88bd9f",
            "local": false,
            "name": "asn:asn=\"53808\"",
            "relationship_type": ""
          },
          {
            "colour": "#342179",
            "local": false,
            "name": "asn:as-owner=\"MOEDOVE-N2\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Backdoor C2/Operator Domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1760695353",
        "to_ids": true,
        "type": "hostname",
        "uuid": "b1d6cf23-218d-4444-b098-468498057869",
        "value": "gd.bj2.xyz"
      },
      {
        "category": "Network activity",
        "comment": "Nezha C2 IP",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780041245",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "ee300688-448b-47c9-b6ef-eabd52e2875b",
        "value": "172.245.52.169",
        "Tag": [
          {
            "colour": "#6a53a7",
            "local": false,
            "name": "asn:asn=\"36352\"",
            "relationship_type": ""
          },
          {
            "colour": "#9daeac",
            "local": false,
            "name": "asn:as-owner=\"AS-COLOCROSSING\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Malicious DLL. No sample in VT\r\nLast check: 19/10/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1760853258",
        "to_ids": true,
        "type": "sha256",
        "uuid": "b52b2e8b-088a-4d32-ba91-8f6054eb46c9",
        "value": "35e0b22139fb27d2c9721aedf5770d893423bf029e1f56be92485ff8fce210f3",
        "Tag": [
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Web shell. No sample in VT\r\nLast check: 19/10/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1760853300",
        "to_ids": true,
        "type": "sha256",
        "uuid": "cd06c2be-9d3d-4395-93ef-f95db011f22b",
        "value": "f3570bb6e0f9c695d48f89f043380b43831dd0f6fe79b16eda2a3ffd9fd7ad16",
        "Tag": [
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780041247",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "c1e6a2f5-c409-47cf-8e5b-0f4a989fa1eb",
        "value": "38.246.250.201",
        "Tag": [
          {
            "colour": "#a0cacc",
            "local": false,
            "name": "asn:asn=\"979\"",
            "relationship_type": ""
          },
          {
            "colour": "#9309fe",
            "local": false,
            "name": "asn:as-owner=\"NETLAB-SDN\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Nezha C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1760695341",
        "to_ids": true,
        "type": "hostname",
        "uuid": "15b6108c-3814-4202-ab8e-c9fedc966b24",
        "value": "c.mid.al"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1760354976",
        "to_ids": true,
        "type": "hostname",
        "uuid": "11164d5a-20f0-4d13-aec2-242a0fd97e97",
        "value": "host.404111.xyz"
      },
      {
        "category": "Network activity",
        "comment": "Nezha Agent",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1760695311",
        "to_ids": true,
        "type": "url",
        "uuid": "39ee94a0-f28d-4727-bfda-ef3cbfd4c52d",
        "value": "https://rism.pages.dev/microsoft.exe"
      },
      {
        "category": "Network activity",
        "comment": "Initial Access IP",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780041249",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "e5aa7467-fe0e-437b-8aea-ca063d3363a8",
        "value": "54.46.50.255",
        "Tag": [
          {
            "colour": "#4745f2",
            "local": false,
            "name": "asn:asn=\"16509\"",
            "relationship_type": ""
          },
          {
            "colour": "#5424ef",
            "local": false,
            "name": "asn:as-owner=\"AMAZON-02\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1760861525",
        "uuid": "1be52c83-7803-4159-8eb2-01818fe70814",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Ghost RAT Payload",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1760861525",
            "to_ids": true,
            "type": "md5",
            "uuid": "377e41b7-3a90-492c-8776-f4d9cc8abacc",
            "value": "d757ec4d5350843c44dd34a95dcb3a50",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Ghost RAT Payload",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1760861525",
            "to_ids": true,
            "type": "sha1",
            "uuid": "0d71c78d-5d0f-4743-b5c7-35e5c963febf",
            "value": "ad5e5b00f58396f5a518680e7084dc7dd5f2cc2b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Ghost RAT Payload",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1760861525",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1ba7cd65-030b-4725-8c29-0c6c2361fb1d",
            "value": "7b2599ed54b72daec0acfd32744c7a9a77b19e6cf4e1651837175e4606dbc958",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1760853216",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "5bff23e6-8559-40cf-829f-420e0d3ac9fb",
            "value": "768:BCB8S+OR7dOahyoHokBtqN74W7bZZmYb9PyzcjRlYlwa6NVdkPnJJMI2V:BHJaAoHoc2x7bZoYBAcQlwJdMG"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1760853216",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "bc798ba9-d5d1-4e6f-b0be-272aab481407",
            "value": "69632"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1760853216",
            "to_ids": true,
            "type": "vhash",
            "uuid": "57a9e9f4-71af-4bc8-a8d0-2a9a32f7a806",
            "value": "064046151d551bze04&z1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1760853216",
            "to_ids": true,
            "type": "filename",
            "uuid": "0f0393a9-05c5-48a0-bf29-1c702238fb59",
            "value": "x.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 19/10/2025\nLast-scan: 17/10/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1760853216",
            "to_ids": false,
            "type": "text",
            "uuid": "eaa0a5c9-b033-4fbd-9eac-8dcff63ac1a5",
            "value": "Ghost RAT Payload\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Fareit!pz\nVT Total Detection: 65/72\nFirst Submission: 2025-06-01T18:24:30.000000+00:00\nLast Submission: 2025-06-01T18:24:30.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1760861526",
        "uuid": "6db91e48-6950-4cc1-ba0e-ede75d98e870",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Nezha Agent",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1760861525",
            "to_ids": true,
            "type": "md5",
            "uuid": "8b648017-d3b1-4dd0-aa10-6181f0f8991a",
            "value": "89cb9c926e136c54011f3e0792b4a28c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Nezha Agent",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1760861526",
            "to_ids": true,
            "type": "sha1",
            "uuid": "55609e1a-cf5e-4dce-be95-cbd11c29feb6",
            "value": "1c948822cb57763c1d343542ee4ade212d8f4fbb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Nezha Agent",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1760861526",
            "to_ids": true,
            "type": "sha256",
            "uuid": "e5324247-fcb2-4315-97c6-859f815c73c4",
            "value": "9f33095a24471bed55ce11803e4ebbed5118bfb5d3861baf1c8214efcd9e7de6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1760853258",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "66934ee6-fc5d-48f8-9c40-9b428f1c628f",
            "value": "98304:Ni+0Qn+1+KIcOUVbXFOHwvztoG34eMp+fO8z6hkVRNwM8Y6zTNqH4c9iE:NiT1+hcOUxXae5z34pcmM8yYcd"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1760853258",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "01e5df36-7894-4941-b28a-2e838170e823",
            "value": "18992128"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1760853258",
            "to_ids": true,
            "type": "vhash",
            "uuid": "8675b03e-ae5e-45fd-9e07-aa5298a1850a",
            "value": "017086655d55551d15541az2e!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1760853258",
            "to_ids": true,
            "type": "filename",
            "uuid": "e8c69bee-2b40-4033-bed3-e4cfd44c98dd",
            "value": "live.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 19/10/2025\nLast-scan: 17/10/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1760853258",
            "to_ids": false,
            "type": "text",
            "uuid": "bfe4920b-a1d3-4e83-87d1-aeea11368edb",
            "value": "Nezha Agent\r\nType Description: Win32 EXE\nMicrosoft: None\nVT Total Detection: 27/72\nFirst Submission: 2025-07-11T04:50:44.000000+00:00\nLast Submission: 2025-10-15T19:56:49.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1760861526",
        "uuid": "1c58853e-6504-468a-b166-1d2c700ea19e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Renamed rundll32.exe",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1760861526",
            "to_ids": true,
            "type": "md5",
            "uuid": "c12132c3-973d-4575-a0b5-0a7ab8c8f06e",
            "value": "8459d693c951248a5e8e128f299e9618",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#2c2142",
                "local": false,
                "name": "false-positive:risk=\"high\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Renamed copy of the legitimate Microsoft rundll32.exe (VT 0/72); this hash is that of the clean binary, so it matches every unmodified copy and is only meaningful alongside the unexpected filename/path",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1760861526",
            "to_ids": true,
            "type": "sha1",
            "uuid": "b133ea53-9f09-4272-b779-0065b37b04d6",
            "value": "55ac33d1ebfa28296c5128617d29ccbfed11157e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#2c2142",
                "local": false,
                "name": "false-positive:risk=\"high\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Renamed copy of the legitimate Microsoft rundll32.exe (VT 0/72); this hash is that of the clean binary, so it matches every unmodified copy and is only meaningful alongside the unexpected filename/path",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1760861526",
            "to_ids": true,
            "type": "sha256",
            "uuid": "157d0ef8-25cf-47b9-8777-307853ef1110",
            "value": "82611e60a2c5de23a1b976bb3b9a32c4427cb60a002e4c27cadfa84031d87999",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#2c2142",
                "local": false,
                "name": "false-positive:risk=\"high\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1760853301",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "df834379-8cfd-4262-9428-458d503f5e47",
            "value": "768:OmaaMusV17cKt/ivgkXDbmekkhR8bSEln5IyYpamDjobj8Sj:OcagtIKmqhREln5IUmDjoX"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1760853301",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7b69e6bc-96c3-464d-8ff1-c3457176e23e",
            "value": "61952"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1760853301",
            "to_ids": true,
            "type": "vhash",
            "uuid": "807029a2-c25b-48af-9320-348afd2e5c24",
            "value": "0640666d155d15556cz1c1za@z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1760853301",
            "to_ids": true,
            "type": "filename",
            "uuid": "be57524f-f743-4c0a-a320-953229cf2552",
            "value": "RUNDLL32.EXE"
          },
          {
            "category": "Other",
            "comment": "Checked: 19/10/2025\nLast-scan: 18/10/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1760853301",
            "to_ids": false,
            "type": "text",
            "uuid": "10f6d543-528f-4a48-89b9-d004c874404a",
            "value": "Renamed rundll32.exe\r\nType Description: Win32 EXE\nFile distributed by: ['Microsoft']\nData sources: ['Microsoft Corporation', 'HashDB']\nVerdict filename: ['rundll32.exe']\nMicrosoft: None\nVT Total Detection:0/72\nFirst Submission:2021-01-13T00:38:13.000000+00:00\nLast Submission:2025-10-10T09:02:58.000000+00:00"
          }
        ]
      }
    ]
  }
}