{
  "Event": {
    "analysis": "1",
    "date": "2022-06-27",
    "extends_uuid": "",
    "info": "[Threat Intel] Attacks on industrial control systems using ShadowPad",
    "protected": false,
    "publish_timestamp": "1780039425",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1780039425",
    "uuid": "cc95784f-b4fb-49b4-8f6b-f5602e79675d",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#670cf4",
        "local": false,
        "name": "misp-galaxy:target-information=\"Pakistan\"",
        "relationship_type": ""
      },
      {
        "colour": "#86e845",
        "local": false,
        "name": "misp-galaxy:target-information=\"Afghanistan\"",
        "relationship_type": ""
      },
      {
        "colour": "#915448",
        "local": false,
        "name": "misp-galaxy:target-information=\"Malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#1ebce4",
        "local": false,
        "name": "misp-galaxy:producer=\"Kaspersky\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"ShadowPad\"",
        "relationship_type": ""
      },
      {
        "colour": "#c55f42",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Archive via Library - T1560.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#3909cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Automated Collection - T1119\"",
        "relationship_type": ""
      },
      {
        "colour": "#cfba47",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Automated Exfiltration - T1020\"",
        "relationship_type": ""
      },
      {
        "colour": "#0affe9",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"BITS Jobs - T1197\"",
        "relationship_type": ""
      },
      {
        "colour": "#e1e63b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#68f2ff",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#e95bc8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration to Cloud Storage - T1567.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#280b0e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"External Proxy - T1090.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#44b2c2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Hidden Files and Directories - T1564.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#c295b4",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Internal Proxy - T1090.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c8fe6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Local Email Collection - T1114.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#50bd28",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Network Service Discovery - T1046\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#d82db7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Query Registry - T1012\"",
        "relationship_type": ""
      },
      {
        "colour": "#705cef",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#bb2745",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Standard Encoding - T1132.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#d528b5",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows File and Directory Permissions Modification - T1222.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#f8140a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation - T1047\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Logistic\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Manufacturing\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Telecoms\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Transport\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"MimiKatz\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Cobalt Strike\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"PlugX\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#3500ca",
        "local": false,
        "name": "rectifyq:detection-rules=\"yara-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"HAFNIUM\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd2e44",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#190061",
        "local": false,
        "name": "rectifyq:topic=\"ics-ot\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Industrial\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736667228",
        "to_ids": false,
        "type": "link",
        "uuid": "3160d43e-577d-4d2f-942b-f326f4534011",
        "value": "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736667228",
        "to_ids": false,
        "type": "text",
        "uuid": "4cfafd9d-0dfe-4a4a-a9d6-615c4cf85c5f",
        "value": "In mid-October 2021 researchers uncovered an active ShadowPad backdoor infection on industrial control systems (ICS) in Pakistan. Infected machines included engineering computers in building automation systems that are part of the infrastructure of a telecommunications company."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736667228",
        "to_ids": false,
        "type": "text",
        "uuid": "99eea5af-47ba-47c7-883d-7e65ad232c16",
        "value": "Name: Attacks on industrial control systems using ShadowPad\nAuthor: AlienVault\nAdversary: \nTags: [\"ShadowPad\", \"China Chopper\", \"OleView\", \"Webshell\", \"HAFNUIM\"]\nTgtd countries: [\"Pakistan\", \"Afghanistan\", \"Malaysia\"]\nMlwr families: [\"ShadowPad - S0596\", \"China Chopper - S0020\", \"PlugX - S0013\", \"Cobalt Strike - S0154\"]\nAttack_ids: [\"T1059.001\", \"T1053.005\", \"T1047\", \"T1197\", \"T1574.002\", \"T1053.005\", \"T1197\", \"T1140\", \"T1222.001\", \"T1564.001\", \"T1574.002\", \"T1083\", \"T1046\", \"T1012\", \"T1560.002\", \"T1560.002\", \"T1119\", \"T1005\", \"T1114.001\", \"T1071.001\", \"T1132.001\", \"T1090.001\", \"T1090.002\", \"T1020\", \"T1041\", \"T1567.002\"]\nIndustries: [\"Telecommunications\", \"Technology\"]"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740264372",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "0d0c6a8a-ee63-46be-9223-c432a4d44c32",
        "value": "CVE-2021-26855"
      },
      {
        "category": "Payload delivery",
        "comment": "ShadowPad - no sample in VT\r\nLast check: 23/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740267914",
        "to_ids": true,
        "type": "md5",
        "uuid": "3a6eed38-e1d4-4272-9c8e-1c2a83f36f14",
        "value": "1a5856c343597dc219e3f5456018612b",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ShadowPad - no sample in VT\r\nLast check: 23/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740267915",
        "to_ids": true,
        "type": "md5",
        "uuid": "30e09ff3-501b-4370-9557-a61cf404d4d1",
        "value": "011beaf3e9cd2896479313772cd591de",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ShadowPad - no sample in VT\r\nLast check: 23/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740267917",
        "to_ids": true,
        "type": "md5",
        "uuid": "e6b14def-3525-41e5-9121-33694a7d4472",
        "value": "a7f3bf89f0b41704f185545c784b8457",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ShadowPad - no sample in VT\r\nLast check: 23/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740267918",
        "to_ids": true,
        "type": "md5",
        "uuid": "6f4403d8-b0b0-46bb-b2f0-9d5d63f2c257",
        "value": "35912c914bd84f23203c8fadac6d0548",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ShadowPad - no sample in VT\r\nLast check: 23/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740267919",
        "to_ids": true,
        "type": "md5",
        "uuid": "21437a68-8cf1-4826-ac2c-80e5d2fa9b18",
        "value": "299980c914250bac7522de849f6df24f",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ShadowPad - no sample in VT\r\nLast check: 23/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740267920",
        "to_ids": true,
        "type": "md5",
        "uuid": "684c3a9e-7d12-4003-b7c2-3eba8781801f",
        "value": "381616642d2567f8872b150b37e5196b",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ShadowPad - no sample in VT\r\nLast check: 23/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740267921",
        "to_ids": true,
        "type": "md5",
        "uuid": "4f3e3c57-e78a-42b5-a192-b25d47f3f23e",
        "value": "31fdae0b71c290440e0b465b17cf3c8d",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ShadowPad - no sample in VT\r\nLast check: 23/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740267922",
        "to_ids": true,
        "type": "md5",
        "uuid": "812e4bc6-3a96-4b1b-a7ef-4215dc8b5f8b",
        "value": "420fcf11240589e8d29daab08251831d",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ShadowPad - no sample in VT\r\nLast check: 23/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740267923",
        "to_ids": true,
        "type": "md5",
        "uuid": "d0d133b6-1c98-4bf3-9853-da38bc9efd0d",
        "value": "40cd646554ed42d385ca6b55b9d3397d",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ShadowPad - no sample in VT\r\nLast check: 23/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740267924",
        "to_ids": true,
        "type": "md5",
        "uuid": "bf6ff04c-9cb6-4628-ae33-e89ce43d7549",
        "value": "61ba23b3b3d132fe0825907c0ea58399",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ShadowPad - no sample in VT\r\nLast check: 23/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740267925",
        "to_ids": true,
        "type": "md5",
        "uuid": "e55d4d1a-d156-4e53-9142-5401a0ccdeb8",
        "value": "0cac537476fd71763c07edfd7d831f0f",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ShadowPad - no sample in VT\r\nLast check: 23/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740267927",
        "to_ids": true,
        "type": "md5",
        "uuid": "aea1b457-0df7-4c6f-b2ea-e4309cab8023",
        "value": "80ee7a1e9ad4ac6afcac83087dc5360f",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Bat file for credential theft - no sample in VT\r\nLast check: 23/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740267928",
        "to_ids": true,
        "type": "md5",
        "uuid": "a74d39fd-4b01-4db3-bd4c-66139618afa6",
        "value": "74e43eca18e8c92cb332bbb671ce13b8",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Nextnet - no sample in VT\r\nLast check: 23/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740267929",
        "to_ids": true,
        "type": "md5",
        "uuid": "c9b0c300-e93f-4f20-9980-216f4dc2dad3",
        "value": "8ee863c926d6847d1bf767783e700248",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "ShadowPad C&C",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1747520772",
        "to_ids": true,
        "type": "url",
        "uuid": "bb677c3f-0c9e-47ff-8804-74c3bc293353",
        "value": "https://order.cargobussiness.site/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "ShadowPad C&C",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1747520772",
        "to_ids": true,
        "type": "url",
        "uuid": "ec11127f-8fd2-40c4-ad3f-6fc1343db20c",
        "value": "https://documents.kankuedu.org/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "ShadowPad C&C",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1747520772",
        "to_ids": true,
        "type": "url",
        "uuid": "a707bd34-c945-4c3c-bbbb-3cea087ec6f5",
        "value": "https://live.musicweb.xyz/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "ShadowPad C&C",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1747520772",
        "to_ids": true,
        "type": "url",
        "uuid": "be37949e-6f31-44e5-9f7b-4f09c3e16170",
        "value": "https://obo.videocenter.org/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "ShadowPad C&C",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1747520772",
        "to_ids": true,
        "type": "url",
        "uuid": "1366fdc5-5a67-424c-9e68-b92305307667",
        "value": "https://tech.obj.services/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "ShadowPad C&C",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1747520772",
        "to_ids": true,
        "type": "url",
        "uuid": "a2c0349d-7600-4317-8fe1-b73966af91b6",
        "value": "https://houwags.defineyourid.site/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "ShadowPad C&C",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1747520772",
        "to_ids": true,
        "type": "url",
        "uuid": "3bd795db-14f3-44a1-b0d4-51a8c420c58d",
        "value": "https://noub.crabdance.com/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "ShadowPad C&C",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1747520772",
        "to_ids": true,
        "type": "url",
        "uuid": "f7946501-d8f7-4353-b6e3-e681bca86a2a",
        "value": "https://grandfoodtony.com/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "CobaltStrike hosting and C&C",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740270154",
        "to_ids": true,
        "type": "hostname",
        "uuid": "92d96ea0-d4b3-4593-9b8b-a5f757c2a663",
        "value": "storage.ondriev.tk",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "CobaltStrike hosting and C&C",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039424",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "5eef08f8-7d00-40d4-80da-18cb63984c81",
        "value": "116.206.92.26",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#7d9f3c",
            "local": false,
            "name": "asn:asn=\"51847\"",
            "relationship_type": ""
          },
          {
            "colour": "#b4d089",
            "local": false,
            "name": "asn:as-owner=\"NEAROUTE\"",
            "relationship_type": ""
          },
          {
            "colour": "#fbf8fb",
            "local": false,
            "name": "asn:as-country=\"HK\"",
            "relationship_type": ""
          },
          {
            "colour": "#daa28c",
            "local": false,
            "name": "misp-galaxy:country=\"hong kong\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "CobaltStrike hosting and C&C",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740270196",
        "to_ids": true,
        "type": "hostname",
        "uuid": "3bf34cad-bfa5-4f30-aef2-d7b892605e80",
        "value": "api.onedriev.tk",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "CobaltStrike hosting and C&C",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039425",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "7e1c1964-fdc9-4bb7-ae61-549038c58f3c",
        "value": "69.172.80.131",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#556d45",
            "local": false,
            "name": "asn:asn=\"132585\"",
            "relationship_type": ""
          },
          {
            "colour": "#4c24c1",
            "local": false,
            "name": "asn:as-owner=\"SIA-HK-AS SkyExchange Internet Access\"",
            "relationship_type": ""
          },
          {
            "colour": "#fbf8fb",
            "local": false,
            "name": "asn:as-country=\"HK\"",
            "relationship_type": ""
          },
          {
            "colour": "#daa28c",
            "local": false,
            "name": "misp-galaxy:country=\"hong kong\"",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "6",
        "timestamp": "1740264510",
        "uuid": "e497aca7-2ced-4a2f-b2e4-10851213b701",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1740264510",
            "to_ids": false,
            "type": "comment",
            "uuid": "dd028416-c714-420e-90d3-e8c33768d98c",
            "value": "Rule for detecting Shadowpad iviewers.dll variant"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1740264510",
            "to_ids": true,
            "type": "yara",
            "uuid": "00778aa0-aea5-4a55-9c50-ab8fff88cb5b",
            "value": "rule apt_shadowpad_iviewers_dll_variant\r\n{\r\nmeta:\r\n    description = \"Rule for detecting Shadowpad iviewers.dll variant\"\r\n    author = \"Kaspersky\"\r\n    copyright = \"Kaspersky\"\r\n    distribution = \"DISTRIBUTION IS FORBIDDEN. DO NOT UPLOAD TO ANY MULTISCANNER OR SHARE ON ANY THREAT INTEL PLATFORM\"\r\n    version = \"1.0\"\r\n    last_modified = \"2022-01-20\"\r\n    hash = \"011BEAF3E9CD2896479313772CD591DE\"\r\n    hash = \"A7F3BF89F0B41704F185545C784B8457\"\r\n    hash = \"35912C914BD84F23203C8FADAC6D0548\"\r\n    hash = \"299980C914250BAC7522DE849F6DF24F\"\r\nstrings:\r\n    $viewers = \"VIEWER.dll\" fullword\r\n    $Iviewers = \"IVIEWERS.dll\"\r\n    $oleview = \"OLEViewer\"\r\n    $comapi = \"viewer Copyright\" wide\r\ncondition:\r\n    uint16(0) == 0x5A4D and filesize < 2MB and pe.is_dll() and ($Iviewers or $comapi or $viewers) and\r\n(\r\n    not for any i in (0 .. pe.number_of_signatures) : (pe.signatures[0].subject contains \"O=Microsoft Corporation\")\r\n    and not $oleview\r\n    )\r\n}"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1740264510",
            "to_ids": false,
            "type": "text",
            "uuid": "1db9f475-ef7b-4c52-aad0-14d43a68e524",
            "value": "apt_shadowpad_iviewers_dll_variant"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740270238",
        "uuid": "f0ea3864-02b7-42f7-ae1b-9b0899124627",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "ShadowPad",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740270238",
            "to_ids": true,
            "type": "md5",
            "uuid": "7e982d32-7f60-4f35-8004-5b46483be639",
            "value": "91131ccf507f61279268fa857ab53463",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ShadowPad",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740267908",
            "to_ids": true,
            "type": "sha1",
            "uuid": "39caaae4-de01-4bce-8d5b-9d99570071e4",
            "value": "4cc495d48bfb5ac0ce0ee81cb60eeec5a74d2995",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ShadowPad",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740267908",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1f01ca17-2e59-45d7-a228-4d55bfee15a1",
            "value": "284c664b4baff90444c4ed96cfcb4ef6d26cc7aedc46c1e996c359ecea95f697",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740267244",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f8b69568-56bf-4586-938e-8e57a9624616",
            "value": "3072:ihT8UDXFVZktbrcdIg/XPpmk2s0K7kbPW/K0ZrGQ7Dy+e61cIyhy4:qT7DXFVetkd1//pmBsHkjeK0ZSOLeiy"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740267244",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "841f17e5-09e6-40e4-a307-0fd1588f8304",
            "value": "131584"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740267244",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d24ed10f-4b5a-4b66-a694-e57b983bdb3d",
            "value": "115096661616157d15155az41?zd"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740267244",
            "to_ids": true,
            "type": "filename",
            "uuid": "b34af336-7f17-4678-a854-dc7bb0a5e6a6",
            "value": "mscoree.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan: 17/02/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740267244",
            "to_ids": false,
            "type": "text",
            "uuid": "e91c6a35-05fa-4653-ac5d-63b878e3d2ed",
            "value": "ShadowPad\r\nType Description: Win32 DLL\n\nMicrosoft: Trojan:Win32/Tnega!MSR\nVT Total Detection:52/72"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740270259",
        "uuid": "df7b280f-a1f1-4cd8-a0ad-3f08de15c562",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "ShadowPad",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740270259",
            "to_ids": true,
            "type": "md5",
            "uuid": "ce705f8a-ce19-4b27-8437-7cc7cfa462a3",
            "value": "8d5807d8ee69e472764faee7269b460b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ShadowPad",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740267909",
            "to_ids": true,
            "type": "sha1",
            "uuid": "f35d2492-4597-4036-9164-8ac07c24e0d7",
            "value": "bde30ed020d5139c0f7d8e468b70e7ee63bd3b5e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ShadowPad",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740267909",
            "to_ids": true,
            "type": "sha256",
            "uuid": "93cea1c2-01b5-44e3-bc9d-14fd24c83297",
            "value": "88a60c235a2fbf9b681d9b67daf8f67e9a21edd53fc84b8babfa8f286c38e6b8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740267265",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "4390c02e-3621-4d61-ba81-86047f41345e",
            "value": "3072:ihT8UDXFVZktmgGzV7VoHejKFL+YLE1Hh3tPgtyRJK/UMCsV8LKqy4:qT7DXFVetmddVofZpLE1B3hgArK5D"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740267265",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "ca5cec61-b4e0-48aa-a2a7-698469b8294e",
            "value": "131584"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740267265",
            "to_ids": true,
            "type": "vhash",
            "uuid": "4f474b17-6209-4b65-b1de-fec70f9e145e",
            "value": "115096661616157d15155az41?zd"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740267265",
            "to_ids": true,
            "type": "filename",
            "uuid": "d5d6f969-1791-4579-8126-9374c9f2f810",
            "value": "a21edd53fc84b8babfa8f286c38e6b8.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan: 30/06/2022",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740267265",
            "to_ids": false,
            "type": "text",
            "uuid": "f121d05e-da1e-4606-95a1-05f34780f74c",
            "value": "ShadowPad\r\nType Description: Win32 DLL\n\nMicrosoft: Trojan:Win32/Casdet!rfn\nVT Total Detection:41/67"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740270280",
        "uuid": "ea484b9c-4477-44e1-a6d0-400527d63fbb",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "ShadowPad",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740270280",
            "to_ids": true,
            "type": "md5",
            "uuid": "b02e56ba-589a-40f4-bfa7-4bed3419bab0",
            "value": "27f636a36207581e75c700c0e36a8031",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ShadowPad",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740267911",
            "to_ids": true,
            "type": "sha1",
            "uuid": "bab33636-2f71-4efb-b19b-1380ec2ee593",
            "value": "e5091779e52536657eb321a1ccb7cfd0e67bd897",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ShadowPad",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740267911",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1849d04c-78f6-4104-bcd2-19917b010577",
            "value": "231d21ceefd5c70aa952e8a21523dfe6b5aae9ae6e2b71a0cdbe4e5430b4f5b3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740267307",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "0fe1a09f-b1ea-4744-b63a-01a70bb36680",
            "value": "3072:yXMlSwD+JHA2Y+4nmbYV5gHXl+ZWwkW4CwI6YwuF:yCNChA2YlnmbDVqWwLwduF"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740267307",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "9ee2653e-66a2-4e85-8882-810b91b32f4f",
            "value": "144728"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740267307",
            "to_ids": true,
            "type": "vhash",
            "uuid": "431ad338-87de-4562-96c8-6b97cb517a7c",
            "value": "115046657d155az38?z5"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740267307",
            "to_ids": true,
            "type": "filename",
            "uuid": "e2dc91b0-dfd6-4a8f-bda2-9dad28c872aa",
            "value": "231d21ceefd5c70aa952e8a21523dfe6b5aae9ae6e2b71a0cdbe4e5430b4f5b3.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan: 27/01/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740267307",
            "to_ids": false,
            "type": "text",
            "uuid": "af10c682-6b8d-43a1-a1eb-63e6bb476006",
            "value": "ShadowPad\r\nType Description: Win32 DLL\n\nMicrosoft: Backdoor:Win32/Shadowpad!MSR\nVT Total Detection:58/72"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740270301",
        "uuid": "a1406d51-7c5d-4802-82a0-3ce85a18be15",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Mimikatz",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740270301",
            "to_ids": true,
            "type": "md5",
            "uuid": "3b30aa56-0f19-42c8-9930-4f7ed5a609b5",
            "value": "c024e5163ab6dd844813bf0d9a6f082b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Mimikatz",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740267912",
            "to_ids": true,
            "type": "sha1",
            "uuid": "9b5a94a8-95e2-4896-a5dd-645633935d05",
            "value": "724081c323828f9c0547e3f21c0969632a59b42c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Mimikatz",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740267912",
            "to_ids": true,
            "type": "sha256",
            "uuid": "308f3cb8-df2c-4138-9954-c56123f45357",
            "value": "30a78770615c6b42c17900c4ad03a9b708dc2d9b743bbdc51218597518749382",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740267581",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "14412a27-253d-4cf4-ba96-68680ab0c6ce",
            "value": "98304:oEupHBqdbiPFUZ4DPsdhFjGKzNn/lSSYpoVzda2XmTiDa6Cpi43Jo3KSjt3fVO4L:Vuty2lczVgK57LsiAG35jt91hnG"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740267581",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "9067cff0-deaf-49fd-9cd5-b5e098a514a1",
            "value": "6308352"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740267581",
            "to_ids": true,
            "type": "vhash",
            "uuid": "9659ff55-005a-4ceb-9c2d-b17091c76bee",
            "value": "066096050d05050707751013z13z21z1011z1011z10101011z101dz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740267581",
            "to_ids": true,
            "type": "filename",
            "uuid": "b1e5fe40-1a1b-41ff-ab10-fc275666b10f",
            "value": "m1.log"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan: 05/07/2022",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740267581",
            "to_ids": false,
            "type": "text",
            "uuid": "8dbd3d03-2e19-4378-a310-77086a723070",
            "value": "Mimikatz\r\nType Description: Win32 EXE\n\nMicrosoft: HackTool:Win32/Mikatz!dha\nVT Total Detection:45/68"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740270322",
        "uuid": "7346a344-2d2a-4c71-a407-45a97c8df836",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Nextnet",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740270322",
            "to_ids": true,
            "type": "md5",
            "uuid": "956cd777-58f7-4f5b-affc-461796135101",
            "value": "86b25e416eee0f5fb17370f3929e45f4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Nextnet",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740267914",
            "to_ids": true,
            "type": "sha1",
            "uuid": "efa36978-fc32-416a-8882-51f55e8f054a",
            "value": "dc980f4bec0918829effa3770a4297c06d21f1cc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Nextnet",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740267914",
            "to_ids": true,
            "type": "sha256",
            "uuid": "df874bc2-d898-4408-ae6f-c616bdd5efec",
            "value": "5312027e6500cf0c35eb3c77f5a0329b0db6e0bade49a2787e90030fa0debe12",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740267602",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "8105af81-8cf2-41a0-8fc9-cfdfb7ccbdfb",
            "value": "24576:FpuA2EMaUO3GBo454uFPOE683tB5r8HuLTZg7Oph9hCI:FIA2TLgkQuFtKaZg7OvCI"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740267602",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a8b2f1cc-7932-4ec1-993e-e23bcecfc85d",
            "value": "1058816"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740267602",
            "to_ids": true,
            "type": "vhash",
            "uuid": "7caa9ab1-43aa-4943-ac23-bc9c3366a61b",
            "value": "01603e0f7d1bz4tz1017z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740267602",
            "to_ids": true,
            "type": "filename",
            "uuid": "b52be27e-fe4f-47ef-805d-6ec78bb3b7d1",
            "value": "nnbt.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan: 19/07/2022",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740267602",
            "to_ids": false,
            "type": "text",
            "uuid": "62eb61ac-cf99-493e-9729-9836465f50ed",
            "value": "Nextnet\r\nType Description: Win32 EXE\n\nMicrosoft: Trojan:Win32/Casdet!rfn\nVT Total Detection:40/70"
          }
        ]
      }
    ]
  }
}