{
  "Event": {
    "analysis": "2",
    "date": "2021-09-30",
    "extends_uuid": "",
    "info": "[Threat Intel] GhostEmperor: From ProxyLogon to kernel mode",
    "protected": false,
    "publish_timestamp": "1780039959",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1780039959",
    "uuid": "c5796e2a-1297-4f8f-b559-00169e2fb88f",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#1ebce4",
        "local": false,
        "name": "misp-galaxy:producer=\"Kaspersky\"",
        "relationship_type": ""
      },
      {
        "colour": "#915448",
        "local": false,
        "name": "misp-galaxy:target-information=\"Malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#86e845",
        "local": false,
        "name": "misp-galaxy:target-information=\"Afghanistan\"",
        "relationship_type": ""
      },
      {
        "colour": "#78cd12",
        "local": false,
        "name": "misp-galaxy:target-information=\"Egypt\"",
        "relationship_type": ""
      },
      {
        "colour": "#997689",
        "local": false,
        "name": "misp-galaxy:target-information=\"Ethiopia\"",
        "relationship_type": ""
      },
      {
        "colour": "#f9cdc4",
        "local": false,
        "name": "misp-galaxy:target-information=\"Indonesia\"",
        "relationship_type": ""
      },
      {
        "colour": "#33360c",
        "local": false,
        "name": "misp-galaxy:target-information=\"Thailand\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b8479",
        "local": false,
        "name": "misp-galaxy:target-information=\"Vietnam\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"GhostEmperor\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:online-service=\"3b16bb5a-eb4f-4603-a909-bebc5df4a46d\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Ladon\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"MimiKatz\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"PowerCat\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd2e44",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#220082",
        "local": false,
        "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"GhostEmperor\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740746721",
        "to_ids": false,
        "type": "link",
        "uuid": "eb898b41-ec07-4914-8b28-0943ca528f76",
        "value": "https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/"
      },
      {
        "category": "Payload delivery",
        "comment": "Stage 2 \u2013 Service DLL. No sample available in VirusTotal.\r\nLast check: 2025-05-09",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746790095",
        "to_ids": true,
        "type": "md5",
        "uuid": "aefbd77d-60ad-45fa-9c81-2e3d8d052f60",
        "value": "1bc301aa9b861f762ce5f376228e992a",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746980712",
        "to_ids": true,
        "type": "hostname",
        "uuid": "b9ac38f2-501a-438a-9f27-c06cb2e9e631",
        "value": "imap.newlylab.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746980733",
        "to_ids": true,
        "type": "hostname",
        "uuid": "855614a5-25c5-499e-bd3c-1d58a9e3b1e9",
        "value": "mail.reclubpress.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746980754",
        "to_ids": true,
        "type": "hostname",
        "uuid": "4d04fbca-8294-457f-9f17-50979ae49d3f",
        "value": "imap.webdignusdata.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746980775",
        "to_ids": true,
        "type": "domain",
        "uuid": "8c979126-bb7d-44ea-ada1-c473e2b20238",
        "value": "freedecrease.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746980796",
        "to_ids": true,
        "type": "domain",
        "uuid": "07bd022f-c7d8-4ca6-ae0c-a8c81b3d3b94",
        "value": "aftercould.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746980817",
        "to_ids": true,
        "type": "domain",
        "uuid": "e5c8cf37-b0ed-48d0-b2d7-786521504155",
        "value": "datacentreonline.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746980838",
        "to_ids": true,
        "type": "hostname",
        "uuid": "b844418f-9b86-4aa5-ab0f-bf64dbadb3dc",
        "value": "game.newfreepre.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039947",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "703af586-12e0-4e7e-acbc-6409e732b665",
        "value": "27.102.113.57",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#13ee90",
            "local": false,
            "name": "asn:asn=\"45996\"",
            "relationship_type": ""
          },
          {
            "colour": "#612cb5",
            "local": false,
            "name": "asn:as-owner=\"DAOU-AS-KR DAOU TECHNOLOGY\"",
            "relationship_type": ""
          },
          {
            "colour": "#0735ba",
            "local": false,
            "name": "asn:as-country=\"KR\"",
            "relationship_type": ""
          },
          {
            "colour": "#061c19",
            "local": false,
            "name": "misp-galaxy:country=\"south korea\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039949",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "61409729-e0bf-4b75-967d-61889f6890f8",
        "value": "27.102.113.240",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#13ee90",
            "local": false,
            "name": "asn:asn=\"45996\"",
            "relationship_type": ""
          },
          {
            "colour": "#612cb5",
            "local": false,
            "name": "asn:as-owner=\"DAOU-AS-KR DAOU TECHNOLOGY\"",
            "relationship_type": ""
          },
          {
            "colour": "#0735ba",
            "local": false,
            "name": "asn:as-country=\"KR\"",
            "relationship_type": ""
          },
          {
            "colour": "#061c19",
            "local": false,
            "name": "misp-galaxy:country=\"south korea\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039951",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "0a77d20a-e41c-46ed-983f-79a193b0d9b3",
        "value": "27.102.114.55",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#13ee90",
            "local": false,
            "name": "asn:asn=\"45996\"",
            "relationship_type": ""
          },
          {
            "colour": "#612cb5",
            "local": false,
            "name": "asn:as-owner=\"DAOU-AS-KR DAOU TECHNOLOGY\"",
            "relationship_type": ""
          },
          {
            "colour": "#0735ba",
            "local": false,
            "name": "asn:as-country=\"KR\"",
            "relationship_type": ""
          },
          {
            "colour": "#061c19",
            "local": false,
            "name": "misp-galaxy:country=\"south korea\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039952",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "3e8b14f0-fd5e-4774-9b99-f39e0a7a8ba8",
        "value": "27.102.115.51",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#13ee90",
            "local": false,
            "name": "asn:asn=\"45996\"",
            "relationship_type": ""
          },
          {
            "colour": "#612cb5",
            "local": false,
            "name": "asn:as-owner=\"DAOU-AS-KR DAOU TECHNOLOGY\"",
            "relationship_type": ""
          },
          {
            "colour": "#0735ba",
            "local": false,
            "name": "asn:as-country=\"KR\"",
            "relationship_type": ""
          },
          {
            "colour": "#061c19",
            "local": false,
            "name": "misp-galaxy:country=\"south korea\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039954",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "5f229ab5-44c5-4508-a0ec-0d0126d17c26",
        "value": "27.102.129.120",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#13ee90",
            "local": false,
            "name": "asn:asn=\"45996\"",
            "relationship_type": ""
          },
          {
            "colour": "#612cb5",
            "local": false,
            "name": "asn:as-owner=\"DAOU-AS-KR DAOU TECHNOLOGY\"",
            "relationship_type": ""
          },
          {
            "colour": "#0735ba",
            "local": false,
            "name": "asn:as-country=\"KR\"",
            "relationship_type": ""
          },
          {
            "colour": "#061c19",
            "local": false,
            "name": "misp-galaxy:country=\"south korea\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039957",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "e6346f66-916b-4f89-809a-a650af3a0816",
        "value": "107.148.165.158",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#cf05b0",
            "local": false,
            "name": "asn:asn=\"21859\"",
            "relationship_type": ""
          },
          {
            "colour": "#5e9494",
            "local": false,
            "name": "asn:as-owner=\"ZEN-ECN\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "ASN enrichment on this attribute tags the address as CLOUDFLARENET (AS13335), i.e. shared CDN/proxy address space. Expect false positives if this IP is used for blocking; verify the attribution before relying on to_ids for it.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039959",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "fb633df6-bd31-446e-b981-206b8e85f3f6",
        "value": "154.223.135.214",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#c4bd10",
            "local": false,
            "name": "asn:asn=\"13335\"",
            "relationship_type": ""
          },
          {
            "colour": "#60003e",
            "local": false,
            "name": "asn:as-owner=\"CLOUDFLARENET\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740747039",
        "to_ids": false,
        "type": "link",
        "uuid": "fff5d9f7-a348-436b-9985-8086b545b0c8",
        "value": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/30094337/GhostEmperor_technical-details_PDF_eng.pdf"
      },
      {
        "category": "Other",
        "comment": "A password-protected archive with these contents was generated",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746979100",
        "to_ids": false,
        "type": "text",
        "uuid": "40bd3594-87ad-462d-9fc8-f5df6e8878cb",
        "value": "Baigong"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1747981471",
        "uuid": "523d275f-23dc-490f-a7cb-d5acefb9c82e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Stage 1 \u2013 PowerShell Dropper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1747981471",
            "to_ids": true,
            "type": "md5",
            "uuid": "16dba531-3d13-493c-966f-c921ad9746af",
            "value": "012862165ec105a44fea14face53492f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Stage 1 \u2013 PowerShell Dropper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746747916",
            "to_ids": true,
            "type": "sha1",
            "uuid": "20635c49-d0d7-4815-b63b-d19d0daad6ed",
            "value": "58da9b816f2f46cb0cef4042c4fc5806da43f4f7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Stage 1 \u2013 PowerShell Dropper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746747916",
            "to_ids": true,
            "type": "sha256",
            "uuid": "eb0f45ad-b041-4bf6-8d80-d28026728bba",
            "value": "4daa026f6998458b3ba2beb62fa0cc798c2fb42201c9477d77a608b6bb47ab03",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746747916",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c16c62ae-bcf1-4aba-91db-91426b02670e",
            "value": "49152:XgSyx/Cc02jHj6QKoj60lzHKZ2P2YI5DWKTBx7NNScy1sxSOHZjpt0U3qE3Lxnka:n"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746747916",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7d4288df-da38-4c62-b62a-6875aa3f1300",
            "value": "3495016"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746747916",
            "to_ids": true,
            "type": "filename",
            "uuid": "31312048-35c6-4cbd-bcd2-936fa0597edb",
            "value": "4daa026f6998458b3ba2beb62fa0cc798c2fb42201c9477d77a608b6bb47ab03.ps1"
          },
          {
            "category": "Other",
            "comment": "Checked: 2025-05-09\nLast scan: 2025-05-06",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746747916",
            "to_ids": false,
            "type": "text",
            "uuid": "0f280fa6-ea10-41ea-9bfb-b47acc3ec48c",
            "value": "Stage 1 \u2013 PowerShell Dropper\nType Description: Powershell\nMicrosoft: TrojanDownloader:PowerShell/GhostEmperor!MSR\nVT Total Detection: 39/61\nFirst Submission: 2021-03-11T07:42:10.000000+00:00\nLast Submission: 2025-01-29T21:50:04.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746981028",
        "uuid": "9ed8fb85-79b7-4a69-ad69-eb4108588113",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Stage 2 \u2013 Service DLL",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746981028",
            "to_ids": true,
            "type": "md5",
            "uuid": "cd1a6a64-59fe-4a9d-b52d-2565b2d61313",
            "value": "6a44fdd66ab841c33949620666ca847a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Stage 2 \u2013 Service DLL",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746747937",
            "to_ids": true,
            "type": "sha1",
            "uuid": "c6c77ad1-9b18-4f9e-a3fc-6355cb100202",
            "value": "654d28401f7f181277823c02748da0b21b8228b4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Stage 2 \u2013 Service DLL",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746747938",
            "to_ids": true,
            "type": "sha256",
            "uuid": "370ac1f5-0170-4625-adc5-296fed1d4cc8",
            "value": "951aaefbaca22fb3afc10dfe239ccbce1331252589d0a5ff6f2093ede49c0b38",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746747937",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d55a9fa8-3fc1-4708-a9c0-6c9960f47824",
            "value": "768:3UMZymSq6abKbMkPpAUoTvaEGgEeEU8/VWbtpjH:Eq6ay7PaaDWbtR"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746747937",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "5289a65d-6331-4e83-b295-2e13ada65761",
            "value": "26112"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746747937",
            "to_ids": true,
            "type": "vhash",
            "uuid": "60b6f022-8d4c-4e11-8f03-af56fbfa200e",
            "value": "3240465d151511108581z46"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746747937",
            "to_ids": true,
            "type": "filename",
            "uuid": "7ebe6e97-1c81-4f68-b53e-73baf0ce8834",
            "value": "SvchostSharp.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 2025-05-09\nLast scan: 2025-04-25",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746747937",
            "to_ids": false,
            "type": "text",
            "uuid": "e2872422-0cef-4c33-b785-e4fbeb043960",
            "value": "Stage 2 \u2013 Service DLL\nType Description: Win32 DLL\nMicrosoft: Trojan:MSIL/GhostEmperor!MSR\nVT Total Detection: 54/72\nFirst Submission: 2021-03-31T05:29:58.000000+00:00\nLast Submission: 2025-01-30T14:35:40.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1747981471",
        "uuid": "38209217-8f9d-4b76-a42b-03e34807be76",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Stage 2 \u2013 Service DLL",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1747981471",
            "to_ids": true,
            "type": "md5",
            "uuid": "7fbec016-fdeb-4753-af94-4028348f0d88",
            "value": "2dd0885f84b890883a396030db841d28",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Stage 2 \u2013 Service DLL",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746747959",
            "to_ids": true,
            "type": "sha1",
            "uuid": "c1543f45-9c10-42f5-b8cf-683c3018eb5b",
            "value": "4fd75190db8ddb7f919c7a10270262eba90c3964",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Stage 2 \u2013 Service DLL",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746747959",
            "to_ids": true,
            "type": "sha256",
            "uuid": "3e703d09-134c-4c34-be64-297b7a2fac82",
            "value": "a4e835aa0635685e39e7dd112bc5f1b937bbad1b95c7a4fe9c53fcb31da54c79",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746747958",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "1f36e99b-1c51-4ac5-bdd8-38f21a1461c8",
            "value": "1536:6JyqoH9dCtxSPDJsGmD9nuEWjkRk9XmwVBwjunJ/zHSyA0dCGek/rwQ:6JyqoHHyxhGS9u/YRk9f1xzyyA6CU"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746747958",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "5aeaaa8e-2a19-485d-83ee-c97122ebf684",
            "value": "89600"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746747958",
            "to_ids": true,
            "type": "vhash",
            "uuid": "03009cde-1cde-494f-9324-9c99e500adb8",
            "value": "184066651d1515151059zc0c&z2"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746747958",
            "to_ids": true,
            "type": "filename",
            "uuid": "78b6811b-6294-4d1e-aa2a-7c650ca1f2d1",
            "value": "unknown"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast-scan\t:  25/04/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746747958",
            "to_ids": false,
            "type": "text",
            "uuid": "fc1ec2b2-6e17-41ab-b4d0-aa70bd13510b",
            "value": "Stage 2 \u2013 Service DLL\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win64/GhostEmperor!MSR\nVT Total Detection:58/72\nFirst Submission:2020-09-14T01:34:08.000000+00:00\nLast Submission:2025-01-29T21:42:51.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746981071",
        "uuid": "1fbcd449-7e13-45c4-9e82-4cdcda6e31c9",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Stage 4",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746981071",
            "to_ids": true,
            "type": "md5",
            "uuid": "3bdd284e-1379-468a-b001-14a5cd4b3c36",
            "value": "0bbfba106fbb9e310330dc87c32cb6d1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Stage 4",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746748001",
            "to_ids": true,
            "type": "sha1",
            "uuid": "0aeaa175-3931-446c-9ab4-1a24ce6557fc",
            "value": "d88df20e17f78e959d6d4bc624d67dcc3395af2f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Stage 4",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746748001",
            "to_ids": true,
            "type": "sha256",
            "uuid": "0d7b27af-db51-46bc-8f6b-487ef6f2fde8",
            "value": "ffeced302eccb680280c04cc53110a6e6849eabca709f5e674ac9176290095c8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746748000",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "cc9df692-b361-4394-9d3c-b01a9853556d",
            "value": "12288:ZU83H2NQVbRUZMe4uaoitH5yMXzwLI+Y5/pS:ZU8GNKbRUZMKaoitH5DsLI+wS"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746748001",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "efc5c0ce-4c5a-4bea-8cc1-52ba022ffc32",
            "value": "546816"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746748001",
            "to_ids": true,
            "type": "vhash",
            "uuid": "97333665-7d63-4955-b731-94e1dc3d606e",
            "value": "155066555d65551510d8z421d1z13zcjzd6z2"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746748001",
            "to_ids": true,
            "type": "filename",
            "uuid": "2f3a8f31-b8df-4d03-8d64-dda8f03618f8",
            "value": "0BBFBA106FBB9E310330DC87C32CB6D1.bin"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast-scan\t:  06/05/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746748001",
            "to_ids": false,
            "type": "text",
            "uuid": "1ca5e172-6656-4665-a2e6-5bfde59e315b",
            "value": "Stage 4\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win64/GhostEmperor!MSR\nVT Total Detection:54/72\nFirst Submission:2020-09-14T01:32:46.000000+00:00\nLast Submission:2025-01-30T15:10:52.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746981093",
        "uuid": "053dd07d-88a9-42c1-a38a-30cb3f3c53a0",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Stage 4",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746981093",
            "to_ids": true,
            "type": "md5",
            "uuid": "51dd455e-4f07-4d2d-88e0-261696227563",
            "value": "6685323c61d8edb4a6e35796af34d626",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Stage 4",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746748022",
            "to_ids": true,
            "type": "sha1",
            "uuid": "affc48f2-d86e-4bec-b5d4-56d2b7509db5",
            "value": "4e270f779be312a02375c94547ead4b94b1d6dc3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Stage 4",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746748022",
            "to_ids": true,
            "type": "sha256",
            "uuid": "ebb1564a-498c-460a-b9ff-5b8590931f15",
            "value": "76484e26b8fc811dc6cb6c8ff6525327bd07aafa4dcf8ddd565f9798e7c9a380",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746748022",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "ebda7055-000a-4a3e-a125-b2e193002e19",
            "value": "768:z9vC5MSb5BEkkfF8ZQ4vOu2kigIcygqTY9pVNtcQp8unKaaM5:z5C2+cf8VvXXwY6aL"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746748022",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b06a33b5-d5a1-46f6-91ed-8eed93413847",
            "value": "50176"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746748022",
            "to_ids": true,
            "type": "vhash",
            "uuid": "5e8b8ebc-a260-451d-87be-6439f2cd2b66",
            "value": "154056655d15151025zb001b1=z2"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast-scan\t:  25/04/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746748022",
            "to_ids": false,
            "type": "text",
            "uuid": "3382641a-cc9c-4c88-ae7c-670a422e622d",
            "value": "Stage 4\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win64/GhostEmperor!MSR\nVT Total Detection:52/72\nFirst Submission:2020-09-14T01:52:41.000000+00:00\nLast Submission:2025-01-30T15:40:29.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746981114",
        "uuid": "8e302d28-e8e5-4160-a1e6-ac8627ccf8be",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Post-exploitation",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746981114",
            "to_ids": true,
            "type": "md5",
            "uuid": "6b45e8bd-2966-4191-b9e3-67214943b4a2",
            "value": "be38d173e4e9118bdc2e83fd5f90be3b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Post-exploitation",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746748043",
            "to_ids": true,
            "type": "sha1",
            "uuid": "6608cf3b-d096-4d2c-af6b-06cbb6b4b032",
            "value": "80d9b67cdc754601fc66258892b51134b9f720ed",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Post-exploitation",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746748044",
            "to_ids": true,
            "type": "sha256",
            "uuid": "793c2916-ddb1-4dbf-8148-821a105dd040",
            "value": "b6998da5787d2869b9249f98a39cfe12ba8e906d16c549fff2661d3a86f9e3f2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746748043",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "0bcd8ab0-2fff-44c7-b3e2-46ddbb88af9c",
            "value": "12288:YHSzCXmmOqsXG5QxG230si3MdhbJz5EAvzUdMpugI6:YxWmOqsPT0pWbJz5XuC"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746748043",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "85147b5b-cf2f-410f-b29f-1724fac3b14e",
            "value": "497920"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746748043",
            "to_ids": true,
            "type": "vhash",
            "uuid": "56c1d21a-0eed-4200-b8fe-f70e66626aca",
            "value": "045056651d65556182z152z4555040a1z23z80e01028z147z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746748043",
            "to_ids": true,
            "type": "filename",
            "uuid": "19729686-f9e1-4f5d-a1bd-102f383b9e10",
            "value": "kekeo.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast-scan\t:  31/03/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746748043",
            "to_ids": false,
            "type": "text",
            "uuid": "2159ffc9-4cc1-4a47-989e-39eaaa3b32e2",
            "value": "Post-exploitation\r\nType Description: Win32 EXE\nMicrosoft: HackTool:Win32/Mimikatz.D\nVT Total Detection:60/73\nFirst Submission:2020-07-24T13:01:12.000000+00:00\nLast Submission:2025-01-29T21:53:31.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1747981471",
        "uuid": "89669a52-6c11-41ac-815e-b3fe9bb7f8ec",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Post-exploitation",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1747981471",
            "to_ids": true,
            "type": "md5",
            "uuid": "ae97f590-34b7-42d0-9b29-79369c5e7ffd",
            "value": "f078ac9b012c503d35254af9629d3b67",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Post-exploitation",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746748065",
            "to_ids": true,
            "type": "sha1",
            "uuid": "15fc6a0b-382d-45d0-9dfc-cfb9e091dc17",
            "value": "19b62fe0192eed6c4a25bb86b4aad4853624e940",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Post-exploitation",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746748065",
            "to_ids": true,
            "type": "sha256",
            "uuid": "abe62d70-7ceb-45f7-ab78-9ac1b2876994",
            "value": "021f5268f5d480b78a33bd8c19132320418aa2fd30034a8a7364e7b1d69cdd46",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746748064",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d4093471-2d0b-4f1d-85be-0fd21e8fd787",
            "value": "384:PFLlucj410snLNd/0qC2+2asJ8zSwZaL872FuaReAIiyugU2Ze1EabMeZ8j4fR6X:PFLlucU10snLNd/0qC2+eJaZaw7euaRK"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746748064",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "3d171837-29ef-4256-9320-e4586cab61cc",
            "value": "22189"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746748064",
            "to_ids": true,
            "type": "vhash",
            "uuid": "fad71ce3-52f9-4fdd-8e10-e1b558b8ebf6",
            "value": "d305751d49a50dd73e82605246a08464"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746748064",
            "to_ids": true,
            "type": "filename",
            "uuid": "a84c8121-8e13-4e41-a6ff-c3af24dd0949",
            "value": "021f5268f5d480b78a33bd8c19132320418aa2fd30034a8a7364e7b1d69cdd46.unknown"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast-scan\t:  01/04/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746748064",
            "to_ids": false,
            "type": "text",
            "uuid": "5e9efd6d-1eb2-4f4b-8420-b8c102f9f04b",
            "value": "Post-exploitation\r\nType Description: VBA\nMicrosoft: TrojanDownloader:VBS/Recon!MSR\nVT Total Detection:36/63\nFirst Submission:2020-10-20T19:03:12.000000+00:00\nLast Submission:2025-01-29T21:45:53.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746981156",
        "uuid": "b8de3520-0e90-42c1-8a29-c11ec26f4983",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Driver",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746981156",
            "to_ids": true,
            "type": "md5",
            "uuid": "712f7aba-edd4-4d1c-a5af-18a4063add7c",
            "value": "7394229455151a9cd036383027a1536b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Driver",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746748086",
            "to_ids": true,
            "type": "sha1",
            "uuid": "d70b7d4c-f4c2-4962-b952-8ece934496a5",
            "value": "9d7d42e4756cc20ea5a9c8c90813d5346ebdfc51",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Driver",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746748086",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b166925b-c451-4cc6-8b48-b4c577c49af2",
            "value": "87305aa7147f71557272ba75b65c11deeba94d35d9dc6d6f7a87075e3de78bec",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746748086",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "296cd71b-9cbb-4464-804d-7c26a3600cce",
            "value": "768:lyp1V6ycsAphzVk8D7nXgZLNFGH7yZp2Z2P6i:l65AfVzDELjc2P6"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746748086",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "45d55d7a-c66e-4279-88a9-8f6ccab2d6ed",
            "value": "31744"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746748086",
            "to_ids": true,
            "type": "vhash",
            "uuid": "c43ab630-0501-47cc-8c68-7b7ff088838c",
            "value": "034076651d151516551iz2dxz"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast-scan\t:  09/04/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746748086",
            "to_ids": false,
            "type": "text",
            "uuid": "45b44fcf-5766-446f-93cb-cdebf9e6faa1",
            "value": "Driver\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win64/GhostEmperor!MSR\nVT Total Detection:50/72\nFirst Submission:2020-09-14T02:03:42.000000+00:00\nLast Submission:2025-01-29T21:41:49.000000+00:00"
          }
        ]
      }
    ]
  }
}