{ "Event": { "analysis": "2", "date": "2020-06-05", "extends_uuid": "", "info": "[Threat Intel] CrowdStrike\u2019s work with the Democratic National Committee: Setting the record straight", "protected": false, "publish_timestamp": "1780039905", "published": true, "threat_level_id": "1", "timestamp": "1772901993", "uuid": "76d18fbe-0d66-412d-90f6-6e1d9f6d7dbe", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:producer=\"CrowdStrike\"", "relationship_type": "" }, { "colour": "#c94db5", "local": false, "name": "misp-galaxy:target-information=\"Brazil\"", "relationship_type": "" }, { "colour": "#1faf16", "local": false, "name": "misp-galaxy:target-information=\"Canada\"", "relationship_type": "" }, { "colour": "#52d590", "local": false, "name": "misp-galaxy:target-information=\"China\"", "relationship_type": "" }, { "colour": "#7d6b1a", "local": false, "name": "misp-galaxy:target-information=\"Georgia\"", "relationship_type": "" }, { "colour": "#20a667", "local": false, "name": "misp-galaxy:target-information=\"Iran\"", "relationship_type": "" }, { "colour": "#5887a6", "local": false, "name": "misp-galaxy:target-information=\"Japan\"", "relationship_type": "" }, { "colour": "#915448", "local": false, "name": "misp-galaxy:target-information=\"Malaysia\"", "relationship_type": "" }, { "colour": "#9c7ff4", "local": false, "name": "misp-galaxy:target-information=\"South Korea\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:threat-actor=\"APT28\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:threat-actor=\"APT29\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"SEADADDY\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"X-Tunnel (.NET)\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"XTunnel\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#120044", "local": false, "name": "rectifyq:sub-category=\"intrusion-analysis\"", "relationship_type": "" }, { "colour": "#d92121", "local": false, "name": "rectifyq:target=\"targeted\"", "relationship_type": "" }, { "colour": "#dd2e44", "local": false, "name": "rectifyq:MY-relevancy=\"relevant\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1740501631", "to_ids": false, "type": "link", "uuid": "7a747508-54b7-44f4-868c-bfa110c5eeed", "value": "https://www.crowdstrike.com/en-us/blog/bears-midst-intrusion-democratic-national-committee/" }, { "category": "Network activity", "comment": "SeaDaddy implant C2", "deleted": false, "disable_correlation": false, "timestamp": "1740501849", "to_ids": true, "type": "ip-dst|port", "uuid": "6798b050-0f93-4cb4-ae65-8e143cc76638", "value": "185.100.84.134|443" }, { "category": "Network activity", "comment": "SeaDaddy implant C2", "deleted": false, "disable_correlation": false, "timestamp": "1740501849", "to_ids": true, "type": "ip-dst|port", "uuid": "a2828b56-d7b9-4314-b7ee-364399df45cd", "value": "58.49.58.58|443" }, { "category": "Network activity", "comment": "Powershell implant C2", "deleted": false, "disable_correlation": false, "timestamp": "1740501849", "to_ids": true, "type": "ip-dst|port", "uuid": "49d9ca5b-6fe0-40d0-8c45-4030bdf564f8", "value": "218.1.98.203|80" }, { "category": "Network activity", "comment": "Powershell implant C2", "deleted": false, "disable_correlation": false, "timestamp": "1740501849", "to_ids": true, "type": "ip-dst|port", "uuid": "4fd068fb-b45f-43c8-bae4-1f22744db0b2", "value": "187.33.33.8|80" }, { "category": "Network activity", "comment": "X-Agent implant C2", "deleted": false, "disable_correlation": false, "timestamp": "1740501849", "to_ids": true, "type": "ip-dst|port", "uuid": "f0e619c7-571a-4fad-8c24-9e90fdd715f4", "value": "185.86.148.227|443" }, { "category": "Network activity", "comment": "X-Tunnel implant C2", "deleted": false, "disable_correlation": false, "timestamp": "1740501849", "to_ids": true, "type": "ip-dst|port", "uuid": "25fabc0d-44f0-433c-8f00-4dfa476f3d71", "value": "45.32.129.185|443" }, { "category": "Network activity", "comment": "X-Tunnel implant C2", "deleted": false, "disable_correlation": false, "timestamp": "1740501849", "to_ids": true, "type": "ip-dst|port", "uuid": "b6ff13af-103c-4319-b689-deb0ea0e6396", "value": "23.227.196.217|443" } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1746831748", "uuid": "6cb6c5b9-85cd-456a-811a-85b9b9613a99", "Attribute": [ { "category": "Payload delivery", "comment": "pagemgr.exe (SeaDaddy implant)", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1746831748", "to_ids": true, "type": "md5", "uuid": "f4ed160d-2483-4d1a-b91e-ff15d7bfe51e", "value": "004b55a66b3a86a1ce0a0b9b69b95976", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "pagemgr.exe (SeaDaddy implant)", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1746697014", "to_ids": true, "type": "sha1", "uuid": "2d9df230-206b-403c-8eb8-2fe0c58d214b", "value": "e2b98c594961aae731b0ccee5f9607080ec57197", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "pagemgr.exe (SeaDaddy implant)", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1746697014", "to_ids": true, "type": "sha256", "uuid": "7e2b4cc0-7844-4ee7-8480-f9a88e95992c", "value": "6c1bce76f4d2358656132b6b1d471571820688ccdbaca0d86d0ca082b9390536", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1746697013", "to_ids": true, "type": "ssdeep", "uuid": "497e22b5-f75a-4265-86be-839a7bfacdcd", "value": "49152:ACQAYCdp0wNvATRFt03zOavcye0mz0c3khqt6L2jOwiQAbM7qV3Q7VNb2+f2XEa5:YCzITRFtyOaEz0q6PS8MMQPTf2UaESjz" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1746697013", "to_ids": false, "type": "size-in-bytes", "uuid": "d7bf8398-73b3-46e4-98c0-119ded0fe335", "value": "3132974" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1746697013", "to_ids": true, "type": "vhash", "uuid": "09a28c6f-bd92-481e-8ac2-e50f48aa538e", "value": "03603e0f7d1bz6nz1bz11z" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1746697013", "to_ids": true, "type": "filename", "uuid": "d910a5d1-bd89-4cf5-b5aa-c824822f3c53", "value": "ImplantCozy.bin" }, { "category": "Other", "comment": "Checked: 08/05/2025\nLast-scan\t: 15/04/2025", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1746697013", "to_ids": false, "type": "text", "uuid": "d2355b8e-4704-4db7-a14b-5e13b9dd42bd", "value": "pagemgr.exe (SeaDaddy implant)\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Esulat\nVT Total Detection:56/72\nFirst Submission:2016-06-21T17:06:19.000000+00:00\nLast Submission:2025-04-09T19:37:14.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1746831769", "uuid": "71292bec-5c5d-4bc8-bc6e-10cdca596d2b", "Attribute": [ { "category": "Payload delivery", "comment": "pagemgr.exe (SeaDaddy implant)", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1746831769", "to_ids": true, "type": "md5", "uuid": "df5ec2e7-1930-4e0a-88ab-9ec00efe40d0", "value": "ce227ae503e166b77bf46b6c8f5ee4da", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "pagemgr.exe (SeaDaddy implant)", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1746697036", "to_ids": true, "type": "sha1", "uuid": "4aa61387-0da5-448b-888d-a156f59297ee", "value": "cb872edd1f532c10d0167c99530a65c4d4532a1e", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "pagemgr.exe (SeaDaddy implant)", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1746697036", "to_ids": true, "type": "sha256", "uuid": "c558c035-af85-4898-ac49-e1518b41e404", "value": "b101cd29e18a515753409ae86ce68a4cedbe0d640d385eb24b9bbb69cf8186ae", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1746697035", "to_ids": true, "type": "ssdeep", "uuid": "f5f2d5ac-feb4-4590-9f59-2e361b0efbf3", "value": "49152:CCQAYCdp0wNvATRFt03zOavcye0Tiw4qaF8VqGBoGEDyiUmbM7qV3Q7VNb2+f2XU:6CzITRFtyOaE4iqlBcU6MMQPTf2UaESG" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1746697035", "to_ids": false, "type": "size-in-bytes", "uuid": "dc9a8f1c-8adb-4731-b6bf-6a331766b16d", "value": "3124270" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1746697035", "to_ids": true, "type": "vhash", "uuid": "b8754745-61d2-4f9e-abaa-ce7d1c46e72f", "value": "03603e0f7d1bz6nz1bz11z" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1746697035", "to_ids": true, "type": "filename", "uuid": "0fc49058-9c3a-4c9b-bc94-b0efee7ddf7a", "value": "CozyBearImplant.bin" }, { "category": "Other", "comment": "Checked: 08/05/2025\nLast-scan\t: 10/04/2025", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1746697035", "to_ids": false, "type": "text", "uuid": "2164f42b-e2d3-43ed-8a24-e1e866ac7569", "value": "pagemgr.exe (SeaDaddy implant)\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Leonem\nVT Total Detection:50/72\nFirst Submission:2016-06-21T17:09:00.000000+00:00\nLast Submission:2025-03-12T20:20:17.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1746831790", "uuid": "8b45c341-a763-4733-aaea-1f3d0fb0c9d2", "Attribute": [ { "category": "Payload delivery", "comment": "twain_64.dll (64-bit X-Agent implant)", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1746831790", "to_ids": true, "type": "md5", "uuid": "e2559296-5374-49f3-97b0-220eddde54c5", "value": "cc9e6578a47182a941a478b276320e06", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "twain_64.dll (64-bit X-Agent implant)", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1746697057", "to_ids": true, "type": "sha1", "uuid": "cdfb2aff-4724-402f-9845-a5dac965acba", "value": "0b3852ae641df8ada629e245747062f889b26659", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "twain_64.dll (64-bit X-Agent implant)", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1746697057", "to_ids": true, "type": "sha256", "uuid": "da6814fa-63e6-4cc3-b861-ef5b4c462390", "value": "fd39d2837b30e7233bc54598ff51bdc2f8c418fa5b94dea2cadb24cf40f395e5", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1746697057", "to_ids": true, "type": "ssdeep", "uuid": "15a7c20c-b57c-4552-a87f-6b8a86e53787", "value": "3072:0TrTaRcOsbAZo/DWEx9SYCTfyTcCuUtBwXO1HYF9GQkgYKON4hz46Gyi:+rT4cL/l9lofyTmUtBwX64FgKdhxGy" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1746697057", "to_ids": false, "type": "size-in-bytes", "uuid": "5d1ed6b1-b67d-4516-8b0e-b591d572220f", "value": "283136" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1746697057", "to_ids": true, "type": "vhash", "uuid": "e8bdc028-3b5f-40f2-906f-0c52f4b383ab", "value": "125066655d6555151075z600657z21z13z10301111zc1z36z1" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1746697057", "to_ids": true, "type": "filename", "uuid": "40d94fae-0534-4ea9-897a-ecf07ef56868", "value": "esert.dll" }, { "category": "Other", "comment": "Checked: 08/05/2025\nLast-scan\t: 22/03/2025", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1746697057", "to_ids": false, "type": "text", "uuid": "b8255312-7745-4e1b-8c9f-83d9ba8c8886", "value": "twain_64.dll (64-bit X-Agent implant)\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Esulat\nVT Total Detection:57/73\nFirst Submission:2016-06-21T17:10:37.000000+00:00\nLast Submission:2025-03-16T15:35:42.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1746831811", "uuid": "d9dffab1-feb4-4f6b-8df1-fe96f1da7f06", "Attribute": [ { "category": "Payload delivery", "comment": "VmUpgradeHelper.exe (X-Tunnel implant)", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1746831811", "to_ids": true, "type": "md5", "uuid": "6d00eb47-e0a6-40fa-b9f8-7b8dbacb52ec", "value": "9e7053a4b6c9081220a694ec93211b4e", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "VmUpgradeHelper.exe (X-Tunnel implant)", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1746697079", "to_ids": true, "type": "sha1", "uuid": "d210b396-f65e-46c0-84b1-f895f8078b90", "value": "f09780ba9eb7f7426f93126bc198292f5106424b", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "VmUpgradeHelper.exe (X-Tunnel implant)", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1746697080", "to_ids": true, "type": "sha256", "uuid": "8f5c2754-fa45-4335-860d-28bd166da0b8", "value": "4845761c9bed0563d0aa83613311191e075a9b58861e80392914d61a21bad976", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1746697079", "to_ids": true, "type": "ssdeep", "uuid": "f38fd91f-7d1d-4aa0-b042-80eab4925e9f", "value": "24576:JKw4ZZ6rTIBJwqEaxChz52shpktYlecs5ZCo+jlxf1NTfkYJ+nbgEvrZmDxcP+4F:Iw4ZMrTeJKisRki+F8q24eZxtP" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1746697079", "to_ids": false, "type": "size-in-bytes", "uuid": "6e7c8de1-2675-4290-9773-18a834b62123", "value": "1925120" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1746697079", "to_ids": true, "type": "vhash", "uuid": "e1a42c58-4ecc-4fc0-9e85-dc45930738c3", "value": "016056555d55551038z62nz41z800166z1" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1746697079", "to_ids": true, "type": "filename", "uuid": "5b97bd4b-27da-4a67-ab12-e71d150bba77", "value": "Backdoor.XTunnel.exe" }, { "category": "Other", "comment": "Checked: 08/05/2025\nLast-scan\t: 06/05/2025", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1746697079", "to_ids": false, "type": "text", "uuid": "e1192b83-32a2-485e-9147-ed40c74d009e", "value": "VmUpgradeHelper.exe (X-Tunnel implant)\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Esulat\nVT Total Detection:57/72\nFirst Submission:2016-06-21T17:08:23.000000+00:00\nLast Submission:2025-04-08T02:28:35.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1746831832", "uuid": "6fe60592-60ec-43d7-9b2b-d0c72f092438", "Attribute": [ { "category": "Payload delivery", "comment": "VmUpgradeHelper.exe (X-Tunnel implant)", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1746831832", "to_ids": true, "type": "md5", "uuid": "d74a5d99-8b47-48c0-834e-6b7622f9ef17", "value": "19172b9210295518ca52e93a29cfe8f4", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "VmUpgradeHelper.exe (X-Tunnel implant)", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1746697101", "to_ids": true, "type": "sha1", "uuid": "3026c1ab-d281-444a-a681-34b2019d8ed6", "value": "74c190cd0c42304720c686d50f8184ac3faddbe9", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "VmUpgradeHelper.exe (X-Tunnel implant)", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1746697101", "to_ids": true, "type": "sha256", "uuid": "fa47acd5-1d0f-47b6-9063-e35ecebf8a64", "value": "40ae43b7d6c413becc92b07076fa128b875c8dbb4da7c036639eccf5a9fc784f", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1746697100", "to_ids": true, "type": "ssdeep", "uuid": "399d17da-6923-4a86-88fa-61b3c877856e", "value": "24576:h1bZhRWzp5ulEuoV/UCrz7lIggnecs5JCo+jHhigqe2+FYaFVV7eFOWKneRPkjFN:DbZhRWzDuMND+GasMssjFIUtP8" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1746697100", "to_ids": false, "type": "size-in-bytes", "uuid": "0492d0e5-8780-4ced-ac6e-5eb38d00cb65", "value": "1925120" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1746697100", "to_ids": true, "type": "vhash", "uuid": "734918f7-5255-4c9a-85cb-3971450efbac", "value": "016056555d55551038z62nz41z800166z1" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1746697100", "to_ids": true, "type": "filename", "uuid": "29fc35f9-ab8e-4609-a5b5-6b7dc3670294", "value": "74C190CD0C42304720C686D50F8184AC3FADDBE9.exe_" }, { "category": "Other", "comment": "Checked: 08/05/2025\nLast-scan\t: 04/05/2025", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1746697100", "to_ids": false, "type": "text", "uuid": "1492b900-84aa-414f-8266-08ccb8f33575", "value": "VmUpgradeHelper.exe (X-Tunnel implant)\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Phonzy.A!ml\nVT Total Detection:55/72\nFirst Submission:2016-06-21T17:07:08.000000+00:00\nLast Submission:2025-04-09T19:48:24.000000+00:00" } ] } ] } }