{
  "Event": {
    "analysis": "1",
    "date": "2020-02-16",
    "extends_uuid": "",
    "info": "[Threat Intel] Fox Kitten \u2013 Widespread Iranian Espionage-Offensive Campaign",
    "protected": false,
    "publish_timestamp": "1780039897",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1780039897",
    "uuid": "7463105c-9e41-4f9e-af45-eab5b7b3ef96",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"Fox Kitten\"",
        "relationship_type": ""
      },
      {
        "colour": "#b990dd",
        "local": false,
        "name": "misp-galaxy:target-information=\"Australia\"",
        "relationship_type": ""
      },
      {
        "colour": "#66e036",
        "local": false,
        "name": "misp-galaxy:target-information=\"Austria\"",
        "relationship_type": ""
      },
      {
        "colour": "#20962d",
        "local": false,
        "name": "misp-galaxy:target-information=\"Finland\"",
        "relationship_type": ""
      },
      {
        "colour": "#15ccfd",
        "local": false,
        "name": "misp-galaxy:target-information=\"France\"",
        "relationship_type": ""
      },
      {
        "colour": "#5ed128",
        "local": false,
        "name": "misp-galaxy:target-information=\"Germany\"",
        "relationship_type": ""
      },
      {
        "colour": "#620e4e",
        "local": false,
        "name": "misp-galaxy:target-information=\"Hungary\"",
        "relationship_type": ""
      },
      {
        "colour": "#26fab6",
        "local": false,
        "name": "misp-galaxy:target-information=\"Israel\"",
        "relationship_type": ""
      },
      {
        "colour": "#4cea11",
        "local": false,
        "name": "misp-galaxy:target-information=\"Italy\"",
        "relationship_type": ""
      },
      {
        "colour": "#841801",
        "local": false,
        "name": "misp-galaxy:target-information=\"Kuwait\"",
        "relationship_type": ""
      },
      {
        "colour": "#4cebc3",
        "local": false,
        "name": "misp-galaxy:target-information=\"Lebanon\"",
        "relationship_type": ""
      },
      {
        "colour": "#915448",
        "local": false,
        "name": "misp-galaxy:target-information=\"Malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#809a25",
        "local": false,
        "name": "misp-galaxy:target-information=\"Poland\"",
        "relationship_type": ""
      },
      {
        "colour": "#3b9849",
        "local": false,
        "name": "misp-galaxy:target-information=\"Saudi Arabia\"",
        "relationship_type": ""
      },
      {
        "colour": "#a24b57",
        "local": false,
        "name": "misp-galaxy:target-information=\"United Arab Emirates\"",
        "relationship_type": ""
      },
      {
        "colour": "#b8ab01",
        "local": false,
        "name": "misp-galaxy:target-information=\"United States\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"JuicyPotato\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Create Account - T1136\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials in Files - T1081\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Custom Command and Control Protocol - T1094\"",
        "relationship_type": ""
      },
      {
        "colour": "#15e278",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Compressed - T1002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Staged - T1074\"",
        "relationship_type": ""
      },
      {
        "colour": "#6d779a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploitation for Privilege Escalation - T1068\"",
        "relationship_type": ""
      },
      {
        "colour": "#7773ac",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#50bd28",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Network Service Discovery - T1046\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Pass the Hash - T1075\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1086\"",
        "relationship_type": ""
      },
      {
        "colour": "#adf1b0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1076\"",
        "relationship_type": ""
      },
      {
        "colour": "#682cad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Services - T1021\"",
        "relationship_type": ""
      },
      {
        "colour": "#2ced92",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scripting - T1064\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Uncommonly Used Port - T1065\"",
        "relationship_type": ""
      },
      {
        "colour": "#9e0269",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Service - T1102\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Shell - T1100\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-enterprise-attack-tool=\"Mimikatz - S0002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-tool=\"Mimikatz - S0002\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#10003d",
        "local": false,
        "name": "rectifyq:sub-category=\"TA-profile\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"State-Sponsored\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd2e44",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#20f80d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"",
        "relationship_type": ""
      },
      {
        "colour": "#f28fb8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"OS Credential Dumping - T1003\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:country=\"iran\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740434514",
        "to_ids": false,
        "type": "link",
        "uuid": "7abf400b-ccb3-43b1-b993-b3e3045ec38e",
        "value": "https://www.clearskysec.com/fox-kitten/"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740434527",
        "to_ids": false,
        "type": "link",
        "uuid": "98deb9ea-92d4-4a61-9714-3a232167a24f",
        "value": "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf"
      },
      {
        "category": "Payload delivery",
        "comment": "Webshell \u2013 GIF file No sample in VT\r\nLast check:25/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740435664",
        "to_ids": true,
        "type": "md5",
        "uuid": "3fa30b7b-f4e4-4e6a-9056-34db0f74a985",
        "value": "9dc9bbd0c6b0a946489ccd8793d22f28",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Combine.bat No sample in VT\r\nLast check:25/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740435686",
        "to_ids": true,
        "type": "md5",
        "uuid": "6f8f634a-358b-4257-936d-6d6b39aba798",
        "value": "ac9993f1124d404a08531df9a0ae28c9",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "HEX in TXT No sample in VT\r\nLast check:25/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740435707",
        "to_ids": true,
        "type": "md5",
        "uuid": "810b03d6-f058-43d5-b5a9-7a0718b19aa7",
        "value": "95ee534f32f305a895a1842898a4880e",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "HEX in TXT No sample in VT\r\nLast check:25/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740435729",
        "to_ids": true,
        "type": "md5",
        "uuid": "ea690c41-558e-46c0-9f76-001af6003c93",
        "value": "62de35201acc8833e04221d9343e73e0",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "HEX in TXT No sample in VT\r\nLast check:25/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740435750",
        "to_ids": true,
        "type": "md5",
        "uuid": "9ceb5561-3875-4d6c-9d78-88349c584cec",
        "value": "7819bf37930edcdbb74b0535bc12558c",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "HEX in TXT No sample in VT\r\nLast check:25/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740435771",
        "to_ids": true,
        "type": "md5",
        "uuid": "b5ded413-f4d6-4ea6-929c-962255896ce4",
        "value": "06d882d4c601a086f3b0f13d5f756830",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "HEX in TXT No sample in VT\r\nLast check:25/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740435792",
        "to_ids": true,
        "type": "md5",
        "uuid": "e849a97f-5324-4fd1-bdab-c4d6259d5c8a",
        "value": "5def1ab33ddf4455aaf8b7b70ad69e04",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Down VBS No sample in VT\r\nLast check:25/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740435813",
        "to_ids": true,
        "type": "md5",
        "uuid": "d10a1c2f-4743-46e3-8dc1-a2f9aa462aee",
        "value": "3741f987c9bd14263ffb4824dce8c147",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Down VBS No sample in VT\r\nLast check:25/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740435834",
        "to_ids": true,
        "type": "md5",
        "uuid": "126130f0-0223-4048-8b59-6459bac14ade",
        "value": "5c9d14c8eef4e9b8c0b4bd0d28c5a77a",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "V VBS No sample in VT\r\nLast check:25/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740435855",
        "to_ids": true,
        "type": "md5",
        "uuid": "f4fcff5f-924f-42f6-a7fb-f5c45e5978de",
        "value": "94a47463e0b8d52aec5e90a5177e0a9b",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "V VBS No sample in VT\r\nLast check:25/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740435876",
        "to_ids": true,
        "type": "md5",
        "uuid": "f022a6db-0812-4452-858f-eaa9e8af0302",
        "value": "54603feea3c4f3585011a5940c2f6b6f",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "V VBS No sample in VT\r\nLast check:25/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740435897",
        "to_ids": true,
        "type": "md5",
        "uuid": "3efdd36b-a162-4df9-a300-bbd2ac61d678",
        "value": "3587cabf61366a7b5f0ba0d63d009b36",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "V VBS No sample in VT\r\nLast check:25/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740435918",
        "to_ids": true,
        "type": "md5",
        "uuid": "5ac1df26-999e-4e2b-ab04-e47aa998ddaa",
        "value": "f9103618c1b86e073b89ce28ba2679cc",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "LPManager (Schtask) No sample in VT\r\nLast check:25/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740435983",
        "to_ids": true,
        "type": "md5",
        "uuid": "187ead4e-26cc-436b-bb0e-1cab6f01b498",
        "value": "5c67064f8fd83fdcceab49728495c3f4",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "STSRCHECK No sample in VT\r\nLast check:25/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740436004",
        "to_ids": true,
        "type": "md5",
        "uuid": "5d68e76f-69d9-44c8-9236-a2a07a003afa",
        "value": "364f57928fc5fb0019b73f3fbd57f99b",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
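        "comment": "Not Unique \u2013 Non-Malicious - Ngrok (address is not exclusive to this actor; to_ids is set on this attribute, so a match on it alone is weak evidence and needs corroboration)",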
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039887",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "f0515182-f4aa-49ca-8696-a7e3b948e66f",
        "value": "18.221.150.202",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#4745f2",
            "local": false,
            "name": "asn:asn=\"16509\"",
            "relationship_type": ""
          },
          {
            "colour": "#5424ef",
            "local": false,
            "name": "asn:as-owner=\"AMAZON-02\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
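        "comment": "Not Unique \u2013 Non-Malicious - Webshell (labelled not unique and non-malicious while to_ids is set; review before using this attribute for detection or blocking)",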
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039889",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "740377a8-1b7b-43b5-8060-866b37c0283e",
        "value": "185.32.178.176",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#95ad55",
            "local": false,
            "name": "asn:asn=\"21450\"",
            "relationship_type": ""
          },
          {
            "colour": "#67a436",
            "local": false,
            "name": "asn:as-owner=\"MIRS-AS\"",
            "relationship_type": ""
          },
          {
            "colour": "#f2606d",
            "local": false,
            "name": "asn:as-country=\"IL\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"israel\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Unique \u2013 Malicious IP - C&C Rotten Fish",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039890",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "4dba5c5c-93af-4af5-a081-e57bd8f76131",
        "value": "93.177.75.180",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#64bed2",
            "local": false,
            "name": "asn:asn=\"9009\"",
            "relationship_type": ""
          },
          {
            "colour": "#41c276",
            "local": false,
            "name": "asn:as-owner=\"M247\"",
            "relationship_type": ""
          },
          {
            "colour": "#26f3a1",
            "local": false,
            "name": "asn:as-country=\"RO\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"romania\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Unique \u2013 Malicious IP - C&C RDP over SSH Backdoor - 2017",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039892",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "44d46485-6802-4616-bd7b-3a9ecd509bfa",
        "value": "95.211.210.55",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#d5c573",
            "local": false,
            "name": "asn:asn=\"60781\"",
            "relationship_type": ""
          },
          {
            "colour": "#c0ef26",
            "local": false,
            "name": "asn:as-owner=\"LEASEWEB-NL-AMS-01 Netherlands\"",
            "relationship_type": ""
          },
          {
            "colour": "#3ae32e",
            "local": false,
            "name": "asn:as-country=\"NL\"",
            "relationship_type": ""
          },
          {
            "colour": "#768323",
            "local": false,
            "name": "misp-galaxy:country=\"netherlands\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Unique \u2013 Malicious IP - C&C RDP over SSH Backdoor - 2017",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039893",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "a2b15e3d-96a5-41d3-8a8d-e09696a7a00a",
        "value": "95.211.213.168",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#d5c573",
            "local": false,
            "name": "asn:asn=\"60781\"",
            "relationship_type": ""
          },
          {
            "colour": "#c0ef26",
            "local": false,
            "name": "asn:as-owner=\"LEASEWEB-NL-AMS-01 Netherlands\"",
            "relationship_type": ""
          },
          {
            "colour": "#3ae32e",
            "local": false,
            "name": "asn:as-country=\"NL\"",
            "relationship_type": ""
          },
          {
            "colour": "#768323",
            "local": false,
            "name": "misp-galaxy:country=\"netherlands\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Unique \u2013 Malicious IP - C&C RDP over SSH Backdoor - 2017",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039895",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "15846ee7-a50b-4472-b3ad-3767527ab76e",
        "value": "95.211.213.177",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#d5c573",
            "local": false,
            "name": "asn:asn=\"60781\"",
            "relationship_type": ""
          },
          {
            "colour": "#c0ef26",
            "local": false,
            "name": "asn:as-owner=\"LEASEWEB-NL-AMS-01 Netherlands\"",
            "relationship_type": ""
          },
          {
            "colour": "#3ae32e",
            "local": false,
            "name": "asn:as-country=\"NL\"",
            "relationship_type": ""
          },
          {
            "colour": "#768323",
            "local": false,
            "name": "misp-galaxy:country=\"netherlands\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Unique \u2013 Malicious IP - C&C communication SOCKET",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039897",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "00dfe057-eeb7-4b12-a777-63fecbe99604",
        "value": "95.211.104.253",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#d5c573",
            "local": false,
            "name": "asn:asn=\"60781\"",
            "relationship_type": ""
          },
          {
            "colour": "#c0ef26",
            "local": false,
            "name": "asn:as-owner=\"LEASEWEB-NL-AMS-01 Netherlands\"",
            "relationship_type": ""
          },
          {
            "colour": "#3ae32e",
            "local": false,
            "name": "asn:as-country=\"NL\"",
            "relationship_type": ""
          },
          {
            "colour": "#768323",
            "local": false,
            "name": "misp-galaxy:country=\"netherlands\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Artifacts dropped",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740435078",
        "to_ids": false,
        "type": "mutex",
        "uuid": "33a38d41-36ce-4580-a15a-cf6ce08068d0",
        "value": "@ANIqnNScCaIQ"
      },
      {
        "category": "Artifacts dropped",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740435089",
        "to_ids": false,
        "type": "mutex",
        "uuid": "cf9a0501-34fd-47ea-b6de-f5d9dd6626ed",
        "value": "@SISqnq"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740435518",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "5e5f410a-f888-40ca-9519-f6a709d2763a",
        "value": "CVE-2019-11510"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740435518",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "dbf3513b-e19a-4e9f-8315-846764111af0",
        "value": "CVE-2018-13379"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740435518",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "5527b12b-12dc-4592-9155-03d11a8284ab",
        "value": "CVE-2018-1579"
      },
      {
        "category": "Other",
        "comment": "The first username used to attempt to establish a connection is \u201cArbab\u201d.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746812313",
        "to_ids": false,
        "type": "text",
        "uuid": "d32f6c03-9df8-4ae7-946c-9e61ffefad06",
        "value": "Arbab"
      },
      {
        "category": "Other",
        "comment": "The first password used in the files repeats itself in all the files in the infrastructure, both from 2017 and 2019.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746812333",
        "to_ids": false,
        "type": "text",
        "uuid": "3918a5f0-07e8-403e-bf21-a66b1d973366",
        "value": "G654g654!"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746814971",
        "uuid": "8201edcc-f813-4c24-9232-b1af8a9710ae",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Webshell \u2013 ASPX file (cmd.aspx)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746814971",
            "to_ids": true,
            "type": "md5",
            "uuid": "e7db3cec-7340-47dd-bacb-dae3c6a9d99f",
            "value": "0f7d3d33d7235b13d0fac4329e0d2420",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Webshell \u2013 ASPX file (cmd.aspx)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740435572",
            "to_ids": true,
            "type": "sha1",
            "uuid": "a57d8500-330d-4b76-b74f-6cdb1907bea1",
            "value": "4248b5dccb88c3f21c463b2cb3d95e6682a07867",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Webshell \u2013 ASPX file (cmd.aspx)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740435572",
            "to_ids": true,
            "type": "sha256",
            "uuid": "d447e263-7815-471f-a41a-537da3963ac5",
            "value": "fdb732e617838986ef3b8cf67fbebb61d95dbf999b5009be56ff2763591249e0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740435571",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "b26d9842-e783-4654-8784-9b69ae7c4d6e",
            "value": "24:o4In7n5UzptTZf6tVw3+HU624owfgvX9vXmvyvuRAt+kvU+OB5MewE7E4c:kttU62AJ1kvQAoEt"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740435571",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "926fad87-c932-4e80-bc98-d20388e8d836",
            "value": "1522"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740435571",
            "to_ids": true,
            "type": "filename",
            "uuid": "8542bf2e-23b7-4075-8005-a49cdd05f630",
            "value": "cmd.aspx"
          },
          {
            "category": "Other",
            "comment": "Checked: 25/02/2025\nLast-scan\t:  05/02/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740435571",
            "to_ids": false,
            "type": "text",
            "uuid": "1c6809c6-bd41-4191-8a9e-347be6d56465",
            "value": "Webshell \u2013 ASPX file (cmd.aspx)\r\nType Description: HTML\n\nMicrosoft: Backdoor:ASP/WebShell.C\nVT Total Detection:31/60"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746814993",
        "uuid": "1d094c3e-b9ed-4096-bda2-40dd44d754a0",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Webshell \u2013 ASPX files",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746814993",
            "to_ids": true,
            "type": "md5",
            "uuid": "9231fd46-cbca-4aab-8425-f3628ef52bf4",
            "value": "41cda77c69614a0fbfcc4a38ebae659b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Webshell \u2013 ASPX files",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740435599",
            "to_ids": true,
            "type": "sha1",
            "uuid": "f7557a50-b775-4b20-8371-9c563b67b363",
            "value": "8a8e8807aed9641f7012b1df2e4b9e823cf04826",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Webshell \u2013 ASPX files",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740435600",
            "to_ids": true,
            "type": "sha256",
            "uuid": "49e4c981-a80e-443c-9af4-9e5e40004af5",
            "value": "37a2494de2689be02bb0e6185dcf0248001e90d2b049a32bb907e1025e550748",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740435598",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "86f9bb81-cf9a-41ff-be02-e98bdbd16cde",
            "value": "3:aEwJkW9IA5eRtL/Svz:aEm7z5e/uL"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740435599",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "630b0f81-c2c5-4851-b77a-97c441f3fc31",
            "value": "68"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740435599",
            "to_ids": true,
            "type": "filename",
            "uuid": "9a807c21-ea5c-4604-9be3-18077583a5b7",
            "value": "37a2494de2689be02bb0e6185dcf0248001e90d2b049a32bb907e1025e550748.bin"
          },
          {
            "category": "Other",
            "comment": "Checked: 25/02/2025\nLast-scan\t:  21/02/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740435599",
            "to_ids": false,
            "type": "text",
            "uuid": "9f9cc12b-0f6d-4b26-a01c-ad19236d8b46",
            "value": "Webshell \u2013 ASPX files\r\nType Description: Text\n\nMicrosoft: Backdoor:ASP/Chopper.J!dha\nVT Total Detection:36/61"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746815014",
        "uuid": "955214c0-c7b2-42f5-b046-bb1b061a35b5",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Webshell \u2013 ASPX files",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746815014",
            "to_ids": true,
            "type": "md5",
            "uuid": "c5bbf08d-9ed0-4d57-9b09-b53f0800f0d8",
            "value": "6fea7a30b2bd6014c1b15defe8963273",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Webshell \u2013 ASPX files",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740435623",
            "to_ids": true,
            "type": "sha1",
            "uuid": "23bfbaa9-4fe7-423a-8aaf-1f436b1e0019",
            "value": "a6ccd33ff8bcd6b6ed42206126fa476a6c2c83d5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Webshell \u2013 ASPX files",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740435623",
            "to_ids": true,
            "type": "sha256",
            "uuid": "3de38669-4a86-4588-8394-7f263e88c2a8",
            "value": "ae9308db26aa06556fd85e01c2009e81578b81a795608c8594d436c8ec48083b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740435622",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "9248afbd-e849-412b-bdb6-fe9b609e6f21",
            "value": "3:aEwJkW9uck1SLxAdRLgyKBM2aBZBQ/tZ/LmKABXXKF2xKYA5eRtJBxLlGMMeLWEN:aEm7EnLgyKBM5Y/tZ6KCHKF2xKt5e/PF"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740435622",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "e80a1889-05ba-4a4e-a140-aaf737d1b8ac",
            "value": "177"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740435622",
            "to_ids": true,
            "type": "filename",
            "uuid": "50bca2e1-9039-4102-9f73-6690b485b37d",
            "value": "ae9308db26aa06556fd85e01c2009e81578b81a795608c8594d436c8ec48083b.aspx"
          },
          {
            "category": "Other",
            "comment": "Checked: 25/02/2025\nLast-scan\t:  21/02/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740435622",
            "to_ids": false,
            "type": "text",
            "uuid": "b1f913b3-1dc4-4b8a-9c65-c841f78d644b",
            "value": "Webshell \u2013 ASPX files\r\nType Description: Text\n\nMicrosoft: Backdoor:ASP/Chopper.K!dha\nVT Total Detection:31/61"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746815035",
        "uuid": "9d814bda-ef07-47f7-96ac-6acc5f4194b0",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Juicy Potato - Local Privilege Escalation tool",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746815035",
            "to_ids": true,
            "type": "md5",
            "uuid": "f376958b-a4b4-476a-a1f1-ffff5c6a73c0",
            "value": "a84549691a492ad081bf177b6c4518b0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Juicy Potato - Local Privilege Escalation tool",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740435920",
            "to_ids": true,
            "type": "sha1",
            "uuid": "93c75c81-215b-4d0e-933f-c9c38c2d7cd4",
            "value": "03d86447276579dc6adf936a55f323d8a411b0d8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Juicy Potato - Local Privilege Escalation tool",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740435920",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f05e7d56-6997-4f27-84c8-a8730fa7c3f0",
            "value": "c02734ef2944064e5312f1592e27408250d7ae6e1f63e6e4e1050e147e1832e2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740435919",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "58e85e35-e668-4513-9553-b77e8107ed22",
            "value": "786432:S5jsBl0pXEMw69fumRdvexSy5ihAbLYgEWIh8:SGjUBw69ISoiEkgEWIh8"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740435919",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "494007c0-0d9c-443a-9fe3-cd12288410cd",
            "value": "32060166"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740435919",
            "to_ids": true,
            "type": "vhash",
            "uuid": "c650df39-c6f4-41ff-aaab-c75551671e7e",
            "value": "037076655d155515755az5fvz17z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740435919",
            "to_ids": true,
            "type": "filename",
            "uuid": "1f20fe88-9a74-479d-9ed3-9bda382277a4",
            "value": "psexec.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 25/02/2025\nLast-scan\t:  28/01/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740435919",
            "to_ids": false,
            "type": "text",
            "uuid": "f3693dee-326b-4b0b-ae98-e9b8f1816ae7",
            "value": "Juicy Potato - Local Privilege Escalation tool\r\nType Description: Win32 EXE\n\nMicrosoft: PUA:Win32/Presenoker\nVT Total Detection:45/71"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746815056",
        "uuid": "80d138eb-8775-40c1-938a-2ed007104999",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Juicy Potato - Local Privilege Escalation tool",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746815056",
            "to_ids": true,
            "type": "md5",
            "uuid": "acb90307-c73d-4817-9865-a60556e03bc8",
            "value": "808502752ca0492aca995e9b620d507b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Juicy Potato - Local Privilege Escalation tool",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740435941",
            "to_ids": true,
            "type": "sha1",
            "uuid": "be091532-6405-4d56-bedc-b294837a062c",
            "value": "668c40bb6c792b3502b4eefd0916febc8dbd5182",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Juicy Potato - Local Privilege Escalation tool",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740435941",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4da4e1fc-0904-47e9-8782-1349bf186249",
            "value": "0f56c703e9b7ddeb90646927bac05a5c6d95308c8e13b88e5d4f4b572423e036",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740435941",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a58e78d8-c080-49c9-9a23-25dbf62c35fb",
            "value": "6144:1fuJYaRk/qxEuUPAVHKZxgHb95dL2f552yxhMsxEc8d7:1fGFRw3+P/PuiX"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740435941",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "787cfe1d-d89e-4159-863e-e3ff43d342d1",
            "value": "347648"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740435941",
            "to_ids": true,
            "type": "vhash",
            "uuid": "a5d9be43-d4c1-4a7f-b32b-8929cce9d9bf",
            "value": "035076655d1555155550a8z6c7z65z3cz117z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740435941",
            "to_ids": true,
            "type": "filename",
            "uuid": "32721ac7-cf1c-4940-8275-4a9eee9b9c55",
            "value": "JuicyPotato.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 25/02/2025\nLast-scan\t:  20/02/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740435941",
            "to_ids": false,
            "type": "text",
            "uuid": "68d97584-6637-4298-8e9f-8d07d53796ec",
            "value": "Juicy Potato - Local Privilege Escalation tool\r\nType Description: Win32 EXE\n\nMicrosoft: HackTool:Win64/Juicypotato\nVT Total Detection:59/72"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746815077",
        "uuid": "a4b89598-e7b1-4ac5-bdf2-ec1eb688af73",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Port.exe",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746815077",
            "to_ids": true,
            "type": "md5",
            "uuid": "4584e73e-c979-405e-bac8-6026556b0562",
            "value": "01a9293fb10985204a4278006796ea3f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Port.exe",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740436005",
            "to_ids": true,
            "type": "sha1",
            "uuid": "13953dae-8a99-4d56-888b-43ad2eb84504",
            "value": "40d15257d343fdfca0f0c2d1ecb36cca9667821e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Port.exe",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740436005",
            "to_ids": true,
            "type": "sha256",
            "uuid": "65da5a81-92a2-4bcd-9e69-a253e4addf8b",
            "value": "a6295bf6255bed1b29aa09d3c303d1ed68169440cc70412cc50f5f07aeeea63b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740436004",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c4b2a229-c734-4868-8f18-3aa03c5aeb7c",
            "value": "48:6naLouDyo7mDNM6eTwSKsLXPxv2PvCt+xlilm1FypfbNtm:RDD8jsLXP050FzNt"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740436005",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "64809e62-72be-4270-bb64-63f185f472b9",
            "value": "5120"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740436005",
            "to_ids": true,
            "type": "vhash",
            "uuid": "ad8af5d3-a9e9-48c6-bfd0-f17c9db46b51",
            "value": "2530361515160812z20"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740436005",
            "to_ids": true,
            "type": "filename",
            "uuid": "43494602-ef9b-42bc-abff-7e96ac7b49b2",
            "value": "port.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 25/02/2025\nLast-scan\t:  22/01/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740436005",
            "to_ids": false,
            "type": "text",
            "uuid": "55434913-c50d-4ad7-9e61-f7d8173198d2",
            "value": "Port.exe\r\nType Description: Win32 EXE\n\nMicrosoft: None\nVT Total Detection:40/72"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746815099",
        "uuid": "df5aebb9-c279-4019-9f55-94d51ba3673f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Invoke the Hash - Invoke-SMBClient.ps1",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746815099",
            "to_ids": true,
            "type": "md5",
            "uuid": "5156262b-9d74-4e82-973f-5b0edc91c5d6",
            "value": "a87d59456f323bd373cb958273dfe8bb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Invoke the Hash - Invoke-SMBClient.ps1",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740436027",
            "to_ids": true,
            "type": "sha1",
            "uuid": "d4ddd489-7708-4143-ab28-691e23818033",
            "value": "de927e976089621832acc4872eff8cb10e24ab11",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Invoke the Hash - Invoke-SMBClient.ps1",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740436027",
            "to_ids": true,
            "type": "sha256",
            "uuid": "9a20e031-4e90-4ede-929b-ed88d0fe33b6",
            "value": "195e95b6a1f9de762ee01027f903010c560ce76e050d61a7223b6fce0b1060a3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740436026",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "76984883-8bef-4507-971a-5e413b14491d",
            "value": "3072:xK7U+hI/3rhEO2R/Trqt9bL1DHDcgxCZQK:x3+hI/3rhEO2R/Trqt9bL1DHDcggZ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740436026",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "50ce8f1a-033b-4eb4-9323-0d9e6a364b56",
            "value": "139584"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740436026",
            "to_ids": true,
            "type": "vhash",
            "uuid": "4d866980-e5e7-4259-a6de-2e14a2fbab20",
            "value": "86b15b11c335d0686332d034febb9b16"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740436026",
            "to_ids": true,
            "type": "filename",
            "uuid": "3a529db7-ae62-4b10-99e8-fce094f2f3c7",
            "value": "Invoke-SMBClient.ps1"
          },
          {
            "category": "Other",
            "comment": "Checked: 25/02/2025\nLast-scan\t:  09/10/2024",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740436026",
            "to_ids": false,
            "type": "text",
            "uuid": "f9f4c846-c211-4f28-bec2-66b2a9e56b84",
            "value": "Invoke the Hash - Invoke-SMBClient.ps1\r\nType Description: Powershell\n\nMicrosoft: Trojan:Win32/Ceevee\nVT Total Detection:34/63"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746815120",
        "uuid": "7262987c-d19b-440b-b5f2-d67d61d30f91",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Invoke the Hash - Invoke-SMBEnum.ps1",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746815120",
            "to_ids": true,
            "type": "md5",
            "uuid": "d58f80cf-7f97-4a4c-aa8e-ec9e9ad5f0eb",
            "value": "b4fcb52673089caf3e6e76379f2604d8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Invoke the Hash - Invoke-SMBEnum.ps1",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740436048",
            "to_ids": true,
            "type": "sha1",
            "uuid": "8eb75192-c4ca-4194-ac23-44a419e7bb7b",
            "value": "1c20a348872b587810f2ca5ae4b339e56d74aa52",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Invoke the Hash - Invoke-SMBEnum.ps1",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740436048",
            "to_ids": true,
            "type": "sha256",
            "uuid": "e0519255-41d0-42a1-bbbd-54fcbacd4c94",
            "value": "32e602df2a327292b9c93b609d2d210e568a058a200563795654cf16c3afc6b8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740436048",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "8d04a77d-5eba-4693-8347-1807f21a1087",
            "value": "3072:CwehI/3rhEO2R/Trqt9bL1DHDcm+iuqDoWw+46cd4+bGrrxzZRh:CwehI/3rhEO2R/Trqt9bL1DHDc8hB"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740436048",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a991a11e-1daf-4d58-b954-6de1cbf0c792",
            "value": "160376"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740436048",
            "to_ids": true,
            "type": "vhash",
            "uuid": "02b31f06-4e9a-4f85-9994-76ebdcf64822",
            "value": "9990007df5d30af982cf1074dfaf2e37"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740436048",
            "to_ids": true,
            "type": "filename",
            "uuid": "52885479-be37-42df-953c-935453a4be4c",
            "value": "32e602df2a327292b9c93b609d2d210e568a058a200563795654cf16c3afc6b8.ps1"
          },
          {
            "category": "Other",
            "comment": "Checked: 25/02/2025\nLast-scan\t:  22/02/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740436048",
            "to_ids": false,
            "type": "text",
            "uuid": "2dc8a194-78fa-4e62-9d46-b2bc183350e7",
            "value": "Invoke the Hash - Invoke-SMBEnum.ps1\r\nType Description: Powershell\n\nMicrosoft: Trojan:Win32/Ceevee\nVT Total Detection:29/62"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746815142",
        "uuid": "3d81d32c-2e5a-488f-949e-b3c46a3fd943",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Invoke-SMBExec.ps1",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746815142",
            "to_ids": true,
            "type": "md5",
            "uuid": "59d78829-4ad6-42d1-ad93-5f50fea6c279",
            "value": "31b431df84eaf71848c8b172c40124ec",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Invoke-SMBExec.ps1",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740436070",
            "to_ids": true,
            "type": "sha1",
            "uuid": "1203d77d-43f9-4c2b-a366-93910f92d6f2",
            "value": "e926e0562f755f16798bf440854b6df46c389ec9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Invoke-SMBExec.ps1",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740436071",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4d074fe0-b45c-4e50-86c0-07f39bcd48d1",
            "value": "2211a127a4467fb15a2112dd48ebe26df2660f97e6b8be95db57bbafab806412",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740436070",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "9f12616f-c988-44ad-adeb-9f7959c8391d",
            "value": "3072:KL0ehI/3rhEO2y/Trqt9bL1DHDcsuR5tR6Fs:KgehI/3rhEO2y/Trqt9bL1DHDcpzeFs"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740436070",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "1a0b6b8b-c805-4876-a4a6-0ef688b890b3",
            "value": "149645"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740436070",
            "to_ids": true,
            "type": "vhash",
            "uuid": "6e13a845-43f2-453e-9d14-aefb9af85827",
            "value": "71abdd059b469e812fb5d6cf3346102a"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740436070",
            "to_ids": true,
            "type": "filename",
            "uuid": "7f4c64a6-813e-43eb-91ff-02bfbf8bb65a",
            "value": "Invoke-SMBExec.ps1"
          },
          {
            "category": "Other",
            "comment": "Checked: 25/02/2025\nLast-scan\t:  12/02/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740436070",
            "to_ids": false,
            "type": "text",
            "uuid": "745a12ff-4029-4727-bc42-8edcb4d99bf3",
            "value": "Invoke-SMBExec.ps1\r\nType Description: Powershell\n\nMicrosoft: Trojan:Win32/Ceevee\nVT Total Detection:32/62"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746815163",
        "uuid": "0b4be7b0-6689-4e7f-b5ff-c410bd51bda5",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Invoke-TheHash.ps1",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746815163",
            "to_ids": true,
            "type": "md5",
            "uuid": "dfa19666-9bf2-4f86-b5a2-21879af352f1",
            "value": "0c4db17ed145310f336ab4887914f80c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Invoke-TheHash.ps1",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740436092",
            "to_ids": true,
            "type": "sha1",
            "uuid": "2dd5d2ad-932e-4c49-9768-e350c5574930",
            "value": "ace625c3d677f7c49f2b040dbd5e48e1152129d7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Invoke-TheHash.ps1",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740436092",
            "to_ids": true,
            "type": "sha256",
            "uuid": "ab6a5af3-c782-4eef-b0ee-a0c2f5b47fdd",
            "value": "49d5cfb41066bca7c9f03aad2d729e9d9d99c95bc9c50c152af3ccc94e3db4f9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740436092",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f6b60b83-383b-45e5-8180-84b04413f27b",
            "value": "192:o8GkAK4xAS1C2YlJ+WkLXT/PamBDOs61FZU/aZ0IXwZbGX6IqKcVSwyDkvdvTvVu:o8T4xAGYlJ+xLXT/PamBDOzGsZgGbkVE"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740436092",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "52df55d4-4110-46c3-8211-b7fcc4c3f604",
            "value": "12169"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740436092",
            "to_ids": true,
            "type": "vhash",
            "uuid": "10249044-1f7f-405b-80cb-71c9b97bdf04",
            "value": "00b8c43bc65b9bc89cdffbb0cdfac7ea"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740436092",
            "to_ids": true,
            "type": "filename",
            "uuid": "b467dcab-76ca-44a1-9cf7-83e7255834ac",
            "value": "Invoke-TheHash.ps1"
          },
          {
            "category": "Other",
            "comment": "Checked: 25/02/2025\nLast-scan\t:  30/01/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740436092",
            "to_ids": false,
            "type": "text",
            "uuid": "aaf53c0b-418d-467a-9033-fc8683fa2e00",
            "value": "Invoke-TheHash.ps1\r\nType Description: Powershell\n\nMicrosoft: HackTool:PowerShell/ChokDocn.A!MTB\nVT Total Detection:28/62"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746815184",
        "uuid": "8f2c8886-e0f4-4cda-80aa-08daed906d58",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Invoke-TheHash.psd1",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746815184",
            "to_ids": true,
            "type": "md5",
            "uuid": "a62e7be3-d40f-4c97-ad5b-54c4792e94d9",
            "value": "836d61745e087e6017832233701218a4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Invoke-TheHash.psd1",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740436114",
            "to_ids": true,
            "type": "sha1",
            "uuid": "ab1c189f-1a52-48a9-bc6f-98ff29536d9e",
            "value": "0f20d21e8e389730644db215b4f328303ce32755",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Invoke-TheHash.psd1",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740436114",
            "to_ids": true,
            "type": "sha256",
            "uuid": "0483ffaf-ca87-4720-8c0f-3f82bffb6d1d",
            "value": "0a12cd6b5c85dbf65e524507429163e35818943aea6e81aa5a9c5205391d256c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740436113",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "672584df-7e8b-449a-b9d8-ec873f52d54a",
            "value": "48:ua7Y+AlvbVSImwCTgrsTsPte81m8te8lteOPte/leWpNgsZymmmfD9ucLpui8Jmo:wpMgQZ8kv8y7/LymNDEHB"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740436113",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "47b86b4b-094b-4413-ae60-5e00e712ecfd",
            "value": "2400"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740436113",
            "to_ids": true,
            "type": "filename",
            "uuid": "3b514e1c-c7e4-43ac-b8cb-da0e17bd2278",
            "value": "0a12cd6b5c85dbf65e524507429163e35818943aea6e81aa5a9c5205391d256c.ps1"
          },
          {
            "category": "Other",
            "comment": "Checked: 25/02/2025\nLast-scan\t:  15/02/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740436113",
            "to_ids": false,
            "type": "text",
            "uuid": "760fe75e-0227-44c7-8012-0e761ebe3829",
            "value": "Invoke-TheHash.psd1\r\nType Description: Powershell\n\nMicrosoft: None\nVT Total Detection:9/62"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746815206",
        "uuid": "d73e938f-2eda-4481-b10b-925295dad1a4",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Invoke-TheHash.psm1",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746815206",
            "to_ids": true,
            "type": "md5",
            "uuid": "4c4f3fa3-e6c7-4a27-8020-771e27a3c0b3",
            "value": "54af54c9e0aa4b26c4be803c44c5f473",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Invoke-TheHash.psm1",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740436136",
            "to_ids": true,
            "type": "sha1",
            "uuid": "8624f583-cebe-44a5-84ad-ed260539e63d",
            "value": "1a213e7b8ad73a4e3fcd7ec25d1ae732e706d4d9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Invoke-TheHash.psm1",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740436136",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1e1804a3-8084-4d9c-be9c-a0362deda1b7",
            "value": "87a81d039330f9489065d7179f89a0ab662f966f33de7d6126321a4cdb6f0675",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740436136",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "45952ced-78e6-47f5-a73d-760e43801f82",
            "value": "6:tzrnW6vmuxMmrt9tdzagadzitfgadzWgadzSgadzI8:tFmu1rLrpueauFuZuE8"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740436136",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7089f9d4-f683-4e9f-98b9-d1b579b8165e",
            "value": "312"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740436136",
            "to_ids": true,
            "type": "vhash",
            "uuid": "70c637f2-1722-4726-b98b-736fe6411744",
            "value": "2294d27ed7dbbe5d5d8c0ea3224bfb2b"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740436136",
            "to_ids": true,
            "type": "filename",
            "uuid": "364d47ff-f620-4d27-8569-045afe40eb0a",
            "value": "87a81d039330f9489065d7179f89a0ab662f966f33de7d6126321a4cdb6f0675.ps1"
          },
          {
            "category": "Other",
            "comment": "Checked: 25/02/2025\nLast-scan\t:  27/01/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740436136",
            "to_ids": false,
            "type": "text",
            "uuid": "26f6f8e0-41a7-4686-8ce6-c57f9dc9cf1f",
            "value": "Invoke-TheHash.psm1\r\nType Description: Powershell\n\nMicrosoft: HackTool:PowerShell/Powersploit\nVT Total Detection:27/61"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746815227",
        "uuid": "174ce03c-31a8-4b3a-88d6-75b7d5332190",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Invoke-WMIExec.ps1",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746815227",
            "to_ids": true,
            "type": "md5",
            "uuid": "f7f32cb9-a18c-4ab8-91ed-bd396645648a",
            "value": "b63de834ab7cc8fcd0e71003c6786213",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Invoke-WMIExec.ps1",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740436158",
            "to_ids": true,
            "type": "sha1",
            "uuid": "df761c3d-39f0-4d85-b7a0-5c9d93302fab",
            "value": "49c3444fbc9e55ac6f789261f41426b8bd2ade9f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Invoke-WMIExec.ps1",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740436159",
            "to_ids": true,
            "type": "sha256",
            "uuid": "d26534a9-20b4-4bca-aaa3-bb8f6d762c7f",
            "value": "d4a177af7b6e19ff4f1917e2f0a606c21845c7921e62453432ff341485b4cfa8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740436158",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "23eca14e-938d-4724-ab17-5b9396e587b0",
            "value": "768:L9G3Vv9wjdBPE4S4tdivavMByOHQc0leRqc2exPF2K96efqzqa0L6EbqRi0l/hNX:LyoMPxWmGNB3k8QrKXpnETfhelbuW"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740436158",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "123dec5f-7581-40c3-8add-0ed10aafbe05",
            "value": "97878"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740436158",
            "to_ids": true,
            "type": "vhash",
            "uuid": "bf325999-e6c7-48c2-a502-c581c0e567e0",
            "value": "875f45b15e2a45007f2147ae45678fd8"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740436158",
            "to_ids": true,
            "type": "filename",
            "uuid": "67dcabe5-9864-4af4-9cc3-62572a3b0b32",
            "value": "Invoke-WMIExec.ps1"
          },
          {
            "category": "Other",
            "comment": "Checked: 25/02/2025\nLast-scan\t:  03/02/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740436158",
            "to_ids": false,
            "type": "text",
            "uuid": "1e8e4f1b-898a-40ef-b6d8-578094753cd1",
            "value": "Invoke-WMIExec.ps1\r\nType Description: Powershell\n\nMicrosoft: HackTool:PowerShell/Smbexec\nVT Total Detection:32/61"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746815248",
        "uuid": "af7b2d7e-bf18-4c79-95cc-322fc8e381f2",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "RDP over SSH (SSHNET) Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746815248",
            "to_ids": true,
            "type": "md5",
            "uuid": "63170780-df4c-4c9b-b4b1-bbdefbefa6b0",
            "value": "783dc28185837c8e66dca34e9a519c7c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "RDP over SSH (SSHNET) Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740436180",
            "to_ids": true,
            "type": "sha1",
            "uuid": "dec2ef8a-1628-404a-bf3a-9f1292a4a9ae",
            "value": "5a705f7621d85214ac00efd2642fbcc050112e4e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "RDP over SSH (SSHNET) Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740436180",
            "to_ids": true,
            "type": "sha256",
            "uuid": "0989eaa3-d62c-4850-ad0e-1efdb595e7fd",
            "value": "6b092d4eb4382794fd3cf5389e9f6d2e8fca66e6161d788f18042a7e8840b0be",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740436179",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "b0b40479-6678-46fb-b6e7-e96e46414277",
            "value": "3072:C6QGP44mC4nR5EmkSpjmEsEKMLtKJvLYDf+GxpWQagi9/yUbIlutGDImSc:e0r4cTEPLZDmGxpWQgoUbIl91"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740436179",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "83f28398-ad24-4c57-89ba-7193b8b65b15",
            "value": "188416"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740436179",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d663a061-aac9-4865-969c-5c3beccb54fb",
            "value": "21503675151a0c1742041"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740436179",
            "to_ids": true,
            "type": "filename",
            "uuid": "3ba35e30-a164-4a6d-a020-9604edb173c7",
            "value": "sshnet.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 25/02/2025\nLast-scan\t:  28/01/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740436179",
            "to_ids": false,
            "type": "text",
            "uuid": "865109c3-961f-4555-92fe-51e776c589f7",
            "value": "RDP over SSH (SSHNET) Backdoor\r\nType Description: Win32 EXE\n\nMicrosoft: Backdoor:Win32/Sshnet\nVT Total Detection:54/72"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746815269",
        "uuid": "057d86d3-3d1e-4068-9850-ad75914eced3",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "RDP over SSH (SSHNET) Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746815269",
            "to_ids": true,
            "type": "md5",
            "uuid": "135c136e-27a8-4131-bba3-9eaf67a979d6",
            "value": "29fb089328e78f67ff86739583a9e63a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "RDP over SSH (SSHNET) Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740436201",
            "to_ids": true,
            "type": "sha1",
            "uuid": "9ffa23be-f53d-492e-8d88-13a9c96ea995",
            "value": "67bcfdeb6ecc9d61233191abfa544e1393e23318",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "RDP over SSH (SSHNET) Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740436201",
            "to_ids": true,
            "type": "sha256",
            "uuid": "428d5c88-8282-40a0-ae6a-8c745861b0f6",
            "value": "ec5ba7b35059e20518a99957338bf6efa3b1e810da4ca33ec79c8b72bd931dd7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740436201",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "288d8cd9-9f37-4ffa-a07b-bd46d7543dd7",
            "value": "3072:B6QGP44mC4nR5EmkSpjmEsEKMLtKJvLYDf+GxpWQagi9/yUbIlutGDImK:h0r4cTEPLZDmGxpWQgoUbIl91"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740436201",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "fb10b08d-19c1-459d-a667-bc66ea37538f",
            "value": "188416"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740436201",
            "to_ids": true,
            "type": "vhash",
            "uuid": "67c78ea1-5f04-4f44-812b-1cb1207a9b05",
            "value": "21503675151a0c1742041"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740436201",
            "to_ids": true,
            "type": "filename",
            "uuid": "542030c3-0674-40b9-8671-171871b592a5",
            "value": "sshnet.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 25/02/2025\nLast-scan\t:  18/02/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740436201",
            "to_ids": false,
            "type": "text",
            "uuid": "0548844f-7e7b-4f3c-90ec-7e84401b9588",
            "value": "RDP over SSH (SSHNET) Backdoor\r\nType Description: Win32 EXE\n\nMicrosoft: None\nVT Total Detection:49/72"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746815290",
        "uuid": "7408d867-7b01-4d18-8c52-e737dafb7cb5",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "RDP over SSH (SSHNET) Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746815290",
            "to_ids": true,
            "type": "md5",
            "uuid": "08971fed-e106-49c9-b61f-8c6f39866822",
            "value": "f064ff619ebf67a59566c0dd54c5d05c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "RDP over SSH (SSHNET) Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740436223",
            "to_ids": true,
            "type": "sha1",
            "uuid": "f6bca855-71ff-4e55-ad0b-03d256910257",
            "value": "2a739378714b678c218b462ef4c628bd16c879c4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "RDP over SSH (SSHNET) Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740436223",
            "to_ids": true,
            "type": "sha256",
            "uuid": "be0968ef-7846-4e59-a72a-8001549417d5",
            "value": "d42f454627e484145222fb15b70725d3bc75168beb1108ddd2b9e04989ef72c0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740436222",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "9c8c0141-a4a4-489c-980f-9cd627d5836d",
            "value": "48:6r2jU+MWi7wDoM+l/Te8MHIiQVNMy+PFCFkPpQSyKPjXWVxVZsFtoPlahYrFipfG:a+/0hzhMof9+PTQSyAXWV92fzNt"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740436222",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "d6abd63e-64d1-4697-a2be-1d5cceaf0d71",
            "value": "6144"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740436222",
            "to_ids": true,
            "type": "vhash",
            "uuid": "aba97030-5db2-454b-8211-ee22ba5007c7",
            "value": "263036551516081221041"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740436222",
            "to_ids": true,
            "type": "filename",
            "uuid": "353b1393-ed14-4a17-9ba4-cdaef3affc26",
            "value": "sshnet.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 25/02/2025\nLast-scan\t:  20/02/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740436222",
            "to_ids": false,
            "type": "text",
            "uuid": "bf8b8e5f-6b44-41ef-bdb9-987eaa87e5af",
            "value": "RDP over SSH (SSHNET) Backdoor\r\nType Description: Win32 EXE\n\nMicrosoft: None\nVT Total Detection:42/72"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746815311",
        "uuid": "bf483646-5db4-4678-b688-c9798f9acb3f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "SOCKET-Based Backdoor (cs.exe)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746815311",
            "to_ids": true,
            "type": "md5",
            "uuid": "3dde259d-f75e-44c6-b7e8-ee5de0bf2fd8",
            "value": "475f89de6031db2158231eafa07b8b72",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "SOCKET-Based Backdoor (cs.exe)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740436245",
            "to_ids": true,
            "type": "sha1",
            "uuid": "27ddd155-b157-47f0-8396-50d51780f8c5",
            "value": "0e88e03a3e072eba82f94f343a1cc6892eb1ca22",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "SOCKET-Based Backdoor (cs.exe)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740436245",
            "to_ids": true,
            "type": "sha256",
            "uuid": "0049e8f6-f974-4ee5-b74b-ad431d457e0a",
            "value": "e9d7918eab7e6d52431da675f530fe66ae5d1cd8c13d1c3240acb4f6d7932616",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740436244",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "bc66ba14-6de3-45a3-a6a7-cf95da305e1d",
            "value": "48:6ioNJ8OgF8G1O07y/9LrIdnK8KqjBJoXC2rBm/xXRQVExqOPulo03II:NFL1Xm/9LrL8JgRrISFm03"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740436244",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "6fc01555-c372-4ceb-bb41-30ca186e5d91",
            "value": "4608"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740436244",
            "to_ids": true,
            "type": "vhash",
            "uuid": "e12a36ad-9030-4ecd-8aeb-003588ccf4fd",
            "value": "2430361515141z11z10"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740436244",
            "to_ids": true,
            "type": "filename",
            "uuid": "5a32c9d5-7e4d-41ed-a35d-e8d3492e467f",
            "value": "cs.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 25/02/2025\nLast-scan\t:  21/02/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740436244",
            "to_ids": false,
            "type": "text",
            "uuid": "54684eac-cc25-422e-a3b1-c3acc8cbce58",
            "value": "SOCKET-Based Backdoor (cs.exe)\r\nType Description: Win32 EXE\n\nMicrosoft: Trojan:MSIL/Tiny.EM!MTB\nVT Total Detection:58/72"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746815332",
        "uuid": "ccd1655a-0623-44af-9c55-f35edcc3fbf9",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Console Application Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746815332",
            "to_ids": true,
            "type": "md5",
            "uuid": "8d4e7d4d-04fb-4f3c-8e7d-5e93789aa83e",
            "value": "cfcbb6472cac07ea138379578d80845b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Console Application Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740436266",
            "to_ids": true,
            "type": "sha1",
            "uuid": "4653fb7e-dfd7-4c35-abbd-092ebcd72cbd",
            "value": "e221af5c48fc8ee31d9f2860dba85f13e9f228a6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Console Application Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740436266",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4d46e9e5-dc32-43dd-b6ea-e76727228cc7",
            "value": "9d2613b310e860432e0b705b7ab6f07c61697f677e6c331ee0a830ef7b6a739a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740436266",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "6ad12031-886f-4f44-987f-50648db859c6",
            "value": "96:inxAtAdK5mEl6c/jRF7+vaXpZWJciQEvAJq8ImnDzNt:yWtAdKMEH/3maZEd7w1F"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740436266",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "dd4b3f89-0685-4764-baa4-d2fb2882e8c7",
            "value": "6656"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740436266",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d3f6ecce-a8b6-4643-aed6-9da1ccdac759",
            "value": "2630366515150822z10"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740436266",
            "to_ids": true,
            "type": "filename",
            "uuid": "ced9be86-b971-4d84-afa2-5ff01ade89de",
            "value": "ConsoleApplication5.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 25/02/2025\nLast-scan\t:  28/01/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740436266",
            "to_ids": false,
            "type": "text",
            "uuid": "193b2d1c-7663-4548-b049-ed2e7caf5b1f",
            "value": "Console Application Backdoor\r\nType Description: Win32 EXE\n\nMicrosoft: VirTool:MSIL/Meterpreter.G!MTB\nVT Total Detection:58/72"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746815353",
        "uuid": "b41f9af8-a99c-46ab-9f89-9484b1db2e35",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Console Application Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746815353",
            "to_ids": true,
            "type": "md5",
            "uuid": "fa993789-78f6-4e62-ae4d-2fd7e53bb638",
            "value": "155837e476b50c93b6522b310a684a33",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Console Application Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740436288",
            "to_ids": true,
            "type": "sha1",
            "uuid": "9c7ecfbb-f359-4af5-a253-9fb7242ca4c5",
            "value": "cc879b2da746a3b540f417ed1c3b6758a86bb390",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Console Application Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740436288",
            "to_ids": true,
            "type": "sha256",
            "uuid": "dcd1932a-31e9-45c4-b5a6-a673b278658b",
            "value": "d3df47a88dc9291142986bddd16e861dbfd83c0184881820e1b7391aa431d9ad",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740436287",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "73f4471e-ec54-4c25-956d-5801e4c53b4c",
            "value": "96:DnxAtAdK5mEl6c/jRF7+PaXpHWJciQEvAJq8ImnDzNt:jWtAdKMEH/3yaZ2d7w1F"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740436287",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "af382903-13d9-4345-9fb6-490c3cad0270",
            "value": "6656"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740436287",
            "to_ids": true,
            "type": "vhash",
            "uuid": "5141ca70-0b41-47c2-aab8-5438e7120be0",
            "value": "2630366515150822z10"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740436287",
            "to_ids": true,
            "type": "filename",
            "uuid": "e854b42f-61c0-4cc8-8440-bd80d905a869",
            "value": "ConsoleApplication5.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 25/02/2025\nLast-scan\t:  28/01/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740436287",
            "to_ids": false,
            "type": "text",
            "uuid": "0ae5ae1b-3656-4590-9515-a80c28bcb57a",
            "value": "Console Application Backdoor\r\nType Description: Win32 EXE\n\nMicrosoft: VirTool:MSIL/Meterpreter.G!MTB\nVT Total Detection:58/72"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746815375",
        "uuid": "3ce4fc97-ee66-496c-bb1e-7ccd0d0c6ef9",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Console Application Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746815375",
            "to_ids": true,
            "type": "md5",
            "uuid": "bbffd72a-8b80-4f3e-a81f-94f381702494",
            "value": "cb84fc4682a74ba81ef477bc1359959b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Console Application Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740436309",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e57a3475-7220-4b71-be2b-8b4e5108b4e5",
            "value": "c1937cf81d671c00a863c96560abe114ed79a294",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Console Application Backdoor",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740436309",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f563987a-85e9-465f-adc1-c1cdfd27cd83",
            "value": "40ba95b54dc4cf0754efcfaeef3bbd71aac65882f3c92b8814a82ea02969da84",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740436309",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e476d9ee-52d7-466d-af6a-d987a8f778a3",
            "value": "96:rnxAtAdK5mElD/jRF7+KaXpH88HNfySnDzNt:bWtAdKMEF/3naZvwqF"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740436309",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "183d2f43-042a-448d-832f-5b37e0a0cfa2",
            "value": "6656"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740436309",
            "to_ids": true,
            "type": "vhash",
            "uuid": "1120e796-dfde-4781-b8cd-eb3fc9a73343",
            "value": "2630366515150822z10"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740436309",
            "to_ids": true,
            "type": "filename",
            "uuid": "b81eb54c-9336-4ad6-8abf-3e2386ff93c8",
            "value": "ConsoleApplication5.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 25/02/2025\nLast-scan\t:  28/01/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740436309",
            "to_ids": false,
            "type": "text",
            "uuid": "5c45ed2e-f75c-438b-a301-76d59092ac81",
            "value": "Console Application Backdoor\r\nType Description: Win32 EXE\n\nMicrosoft: VirTool:MSIL/Meterpreter.G!MTB\nVT Total Detection:59/72"
          }
        ]
      }
    ]
  }
}