{ "Event": { "analysis": "2", "date": "2015-01-22", "extends_uuid": "2face905-11c0-4d37-b106-950a1235e579", "info": "[Threat Intel] An analysis of Regin\u2019s Hopscotch and Legspin", "protected": false, "publish_timestamp": "1780039727", "published": true, "threat_level_id": "1", "timestamp": "1772901971", "uuid": "6503c448-8845-4c88-862d-6d56a43de1a6", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"Regin\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"Hopscotch\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#110041", "local": false, "name": "rectifyq:sub-category=\"malware-analysis\"", "relationship_type": "" }, { "colour": "#d92121", "local": false, "name": "rectifyq:target=\"targeted\"", "relationship_type": "" }, { "colour": "#dd2e44", "local": false, "name": "rectifyq:MY-relevancy=\"relevant\"", "relationship_type": "" }, { "colour": "#1ebce4", "local": false, "name": "misp-galaxy:producer=\"Kaspersky\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1740327325", "to_ids": false, "type": "link", "uuid": "5aef6fb2-df6c-4e16-804d-37b0a2a4c0ea", "value": "https://securelist.com/an-analysis-of-regins-hopscotch-and-legspin/68438/" } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1741389657", "uuid": "07789a49-e3fa-4550-8d1e-2b86c9c3a0ac", "Attribute": [ { "category": "Payload delivery", "comment": "Hopscotch", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1741389657", "to_ids": true, "type": "md5", "uuid": "1209410a-a4a5-461f-a277-8649ad81415f", "value": "6c34031d7a5fc2b091b623981a8ae61c", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Hopscotch", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1740358779", "to_ids": true, "type": "sha1", "uuid": "ccb5d9e6-c37f-4793-ac9d-8bfa95f1e18b", "value": "88ec5d8da2ea964056fad2c7b46e3d80a793dbd4", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Hopscotch", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1740358779", "to_ids": true, "type": "sha256", "uuid": "a6492a07-cb4d-47fa-bc93-f3677f844849", "value": "d83428779b0c0ebfa08c6b50f34e0f1ae7812eeb9ed78b86610517d8208b6cb3", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1740327533", "to_ids": true, "type": "ssdeep", "uuid": "8f38f94f-f3a1-41fe-bde4-125df51d19a3", "value": "768:Z0B0QMq8DdyGIUheDCEq4PWDCHwsiTGGcMggQnNcTBu0Sa:KaqEsU2JPWDCHwsiTSg9PS" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1740327533", "to_ids": false, "type": "size-in-bytes", "uuid": "5f39cc7e-9ca4-4671-8a0d-9d8dfe1aece1", "value": "36864" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1740327533", "to_ids": true, "type": "vhash", "uuid": "83518948-0ff3-4ef4-9a98-847a410e199e", "value": "034046651d5560a8z1e2704jz1fz" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1740327533", "to_ids": true, "type": "filename", "uuid": "6d084abf-3f71-4752-9c14-9806d0d85347", "value": "d83428779b0c0ebfa08c6b50f34e0f1ae7812eeb9ed78b86610517d8208b6cb3_unpacked" }, { "category": "Other", "comment": "Checked: 24/02/2025\nLast-scan\t: 23/06/2023", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1740327533", "to_ids": false, "type": "text", "uuid": "e78b5cb6-3d5e-447b-83ea-927e63d79e16", "value": "Hopscotch\r\nType Description: Win32 EXE\n\nMicrosoft: Backdoor:Win32/Regin.D!dha\nVT Total Detection:54/71" }, { "category": "Other", "comment": "Checked: 08/03/2025\nLast-scan\t: 23/06/2023", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1741384720", "to_ids": false, "type": "text", "uuid": "bc5280c0-963e-456d-9787-6850c8c85985", "value": "Type Description: Win32 EXE\n\nMicrosoft: Backdoor:Win32/Regin.D!dha\nVT Total Detection:54/71" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1741384720", "to_ids": true, "type": "ssdeep", "uuid": "fa717295-6911-4d0a-b699-779a80513721", "value": "768:Z0B0QMq8DdyGIUheDCEq4PWDCHwsiTGGcMggQnNcTBu0Sa:KaqEsU2JPWDCHwsiTSg9PS" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1741384720", "to_ids": false, "type": "size-in-bytes", "uuid": "5e4486e5-dfe6-479e-ba4b-df5f889a02f4", "value": "36864" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1741384720", "to_ids": true, "type": "vhash", "uuid": "98862e9d-39b2-42c8-92fa-ff7869927a06", "value": "034046651d5560a8z1e2704jz1fz" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1741384720", "to_ids": true, "type": "filename", "uuid": "ace8312b-3103-4f00-9f11-9a672b2ad608", "value": "d83428779b0c0ebfa08c6b50f34e0f1ae7812eeb9ed78b86610517d8208b6cb3_unpacked" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1741389678", "uuid": "d1755595-3961-4acb-9019-821405e610d1", "Attribute": [ { "category": "Payload delivery", "comment": "Hopscotch", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1741389678", "to_ids": true, "type": "md5", "uuid": "f875975d-8d87-4ef0-8d31-ba41fdc56cfa", "value": "42eaf2ab25c9ead201f25ecbdc96fb60", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Hopscotch", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1740358781", "to_ids": true, "type": "sha1", "uuid": "7560a787-c34a-4d5b-94bf-603e8faa7605", "value": "70317695dd79863284342ba842bbd5c486c24268", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Hopscotch", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1740358781", "to_ids": true, "type": "sha256", "uuid": "382dceb7-5485-40a4-9ba6-2060f6056e63", "value": "6fed6d625eb850dfc6f8795de4887c1c8998e9739e782692d45c3f0f6f7e3ac1", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1740327555", "to_ids": true, "type": "ssdeep", "uuid": "2dc1d390-90ff-47aa-82f3-52ae4a787ff2", "value": "384:vq4qu4zdW4CHwsTWT4qu+NvcMggQAkN3Vyxw4Bu0SaN:vq4PWDCHwsiTGGcMggQnNcTBu0SaN" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1740327555", "to_ids": false, "type": "size-in-bytes", "uuid": "c54a9bac-8dae-43ad-8293-49f988bc8994", "value": "18432" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1740327555", "to_ids": true, "type": "vhash", "uuid": "aba82987-ada4-4b8a-a186-1806a5b3057c", "value": "014036655d7068z2d19lz1fz" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1740327555", "to_ids": true, "type": "filename", "uuid": "5a5c833c-f4ca-4a67-a57b-a8274bf578cd", "value": "BINARY103" }, { "category": "Other", "comment": "Checked: 24/02/2025\nLast-scan\t: 06/03/2024", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1740327555", "to_ids": false, "type": "text", "uuid": "d4082176-b55a-43d4-a8e7-4c20ae699274", "value": "Hopscotch\r\nType Description: Win32 EXE\n\nMicrosoft: Backdoor:Win32/Regin.D!dha\nVT Total Detection:55/72" }, { "category": "Other", "comment": "Checked: 08/03/2025\nLast-scan\t: 06/03/2024", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1741384741", "to_ids": false, "type": "text", "uuid": "0acbb1eb-f0fa-45db-99d9-4826e4737c40", "value": "Type Description: Win32 EXE\n\nMicrosoft: Backdoor:Win32/Regin.D!dha\nVT Total Detection:55/72" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1741384741", "to_ids": true, "type": "ssdeep", "uuid": "6a981418-8a74-4d6e-a488-70b152c8a131", "value": "384:vq4qu4zdW4CHwsTWT4qu+NvcMggQAkN3Vyxw4Bu0SaN:vq4PWDCHwsiTGGcMggQnNcTBu0SaN" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1741384741", "to_ids": false, "type": "size-in-bytes", "uuid": "aa805dc4-353f-465f-af19-e15c82884b15", "value": "18432" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1741384741", "to_ids": true, "type": "vhash", "uuid": "f9f19aae-7839-4ac2-b7c6-6be038c6cfcf", "value": "014036655d7068z2d19lz1fz" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1741384741", "to_ids": true, "type": "filename", "uuid": "ad3924d2-de50-49dc-8cc2-11bf7620c2c4", "value": "BINARY103" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1741389699", "uuid": "1e7e66e8-4409-4b09-8575-10c137e0a8b4", "Attribute": [ { "category": "Payload delivery", "comment": "Legspin", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1741389699", "to_ids": true, "type": "md5", "uuid": "6c982555-9902-4192-94fb-57e642cde0e6", "value": "29105f46e4d33f66fee346cfd099d1cc", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Legspin", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1740358782", "to_ids": true, "type": "sha1", "uuid": "3ca1d6ed-b243-43a3-bc69-a8fd19988795", "value": "04a8f58d16723c531a94bfa672223a0317d41b95", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Legspin", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1740358783", "to_ids": true, "type": "sha256", "uuid": "b2f6e609-c05b-4555-acaf-68e1cc19d6c2", "value": "5b50a34c2499eb33a24d0e5a7b96247b66fe81e943995d0d088b981642573e25", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1740327577", "to_ids": true, "type": "ssdeep", "uuid": "f3ddbff2-0853-4527-b9fc-33ca4cdd0dfa", "value": "1536:ge2AbaNZ0/Xj/7jsJVl6j4NSIp892CmeaQokeJko0csK:gcmNK/fcVlm4QI3HeameJk8sK" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1740327577", "to_ids": false, "type": "size-in-bytes", "uuid": "5910a975-04ef-43f1-b032-ac368446b590", "value": "67584" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1740327577", "to_ids": true, "type": "vhash", "uuid": "7d3ff80a-6166-4abf-aa82-264c31e1cc9e", "value": "064046655d5d0218z4c4d159z46z1403dz" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1740327577", "to_ids": true, "type": "filename", "uuid": "a2656012-5dab-42c0-a80d-28fe09a1ff2f", "value": "vti-rescan" }, { "category": "Other", "comment": "Checked: 24/02/2025\nLast-scan\t: 04/02/2025", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1740327577", "to_ids": false, "type": "text", "uuid": "1cced04b-d956-49d4-9bd8-1764c0fcbd34", "value": "Legspin\r\nType Description: Win32 EXE\n\nMicrosoft: Backdoor:Win32/Regin.D!dha\nVT Total Detection:54/72" }, { "category": "Other", "comment": "Checked: 08/03/2025\nLast-scan\t: 04/02/2025", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1741384762", "to_ids": false, "type": "text", "uuid": "6986aad3-b350-4f78-98da-75cdabe0dd71", "value": "Type Description: Win32 EXE\n\nMicrosoft: Backdoor:Win32/Regin.D!dha\nVT Total Detection:54/72" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1741384762", "to_ids": true, "type": "ssdeep", "uuid": "6648f379-9c4b-4790-802f-d28250e8c1bd", "value": "1536:ge2AbaNZ0/Xj/7jsJVl6j4NSIp892CmeaQokeJko0csK:gcmNK/fcVlm4QI3HeameJk8sK" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1741384762", "to_ids": false, "type": "size-in-bytes", "uuid": "12015078-04b9-4c8d-910b-d898666b0f56", "value": "67584" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1741384762", "to_ids": true, "type": "vhash", "uuid": "146015e4-e3a4-47ae-9074-6435e95b23be", "value": "064046655d5d0218z4c4d159z46z1403dz" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1741384762", "to_ids": true, "type": "filename", "uuid": "c93898f4-c55e-44bc-867b-6f94d1284b4c", "value": "vti-rescan" } ] } ] } }