{
  "Event": {
    "analysis": "1",
    "date": "2025-10-26",
    "extends_uuid": "",
    "info": "[Threat Intel] Uncovering Qilin attack methods exposed through multiple cases",
    "protected": false,
    "publish_timestamp": "1780383653",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1780041279",
    "uuid": "d08b6f26-7bc7-409b-89a8-a342ba542772",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#7c6ad9",
        "local": false,
        "name": "misp-galaxy:producer=\"Cisco Talos Intelligence Group\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#e7d48a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\"",
        "relationship_type": ""
      },
      {
        "colour": "#f28fb8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"OS Credential Dumping - T1003\"",
        "relationship_type": ""
      },
      {
        "colour": "#7773ac",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"",
        "relationship_type": ""
      },
      {
        "colour": "#b2a633",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Service Stop - T1489\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Domain Account - T1087.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#b672a4",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task/Job - T1053\"",
        "relationship_type": ""
      },
      {
        "colour": "#041edc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"SMB/Windows Admin Shares - T1021.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#bf01b7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"",
        "relationship_type": ""
      },
      {
        "colour": "#3a0bda",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Group Policy Modification - T1484.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#40bedd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Clear Windows Event Logs - T1070.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Permissions Modification - T1222\"",
        "relationship_type": ""
      },
      {
        "colour": "#90e419",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Domain Trust Discovery - T1482\"",
        "relationship_type": ""
      },
      {
        "colour": "#62f4c1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#00f752",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Alternative Protocol - T1048\"",
        "relationship_type": ""
      },
      {
        "colour": "#70b0b5",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Brute Force - T1110\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#59699c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
        "relationship_type": ""
      },
      {
        "colour": "#36d931",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Transfer Data to Cloud Account - T1537\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\"",
        "relationship_type": ""
      },
      {
        "colour": "#50bd28",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Network Service Discovery - T1046\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#370063",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#297c25",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Inhibit System Recovery - T1490\"",
        "relationship_type": ""
      },
      {
        "colour": "#b8ab01",
        "local": false,
        "name": "misp-galaxy:target-information=\"United States\"",
        "relationship_type": ""
      },
      {
        "colour": "#1faf16",
        "local": false,
        "name": "misp-galaxy:target-information=\"Canada\"",
        "relationship_type": ""
      },
      {
        "colour": "#15ccfd",
        "local": false,
        "name": "misp-galaxy:target-information=\"France\"",
        "relationship_type": ""
      },
      {
        "colour": "#5ed128",
        "local": false,
        "name": "misp-galaxy:target-information=\"Germany\"",
        "relationship_type": ""
      },
      {
        "colour": "#ce59f1",
        "local": false,
        "name": "misp-galaxy:target-information=\"United Kingdom\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:ransomware=\"Qilin\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"Ransomware\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#915448",
        "local": false,
        "name": "misp-galaxy:target-information=\"Malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd2e44",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Cobalt Strike\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"MimiKatz\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Qilin\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"SystemBC\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Password Spraying - T1110.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1086\"",
        "relationship_type": ""
      },
      {
        "colour": "#d528b5",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows File and Directory Permissions Modification - T1222.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1761678969",
        "to_ids": false,
        "type": "link",
        "uuid": "3a653a54-1921-43bc-97b1-d8fc01a57dfb",
        "value": "https://blog.talosintelligence.com/uncovering-qilin-attack-methods-exposed-through-multiple-cases/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1761678969",
        "to_ids": false,
        "type": "text",
        "uuid": "f5bb96cd-8002-48fa-a0eb-8812c2d7aa1f",
        "value": "The ransomware group Qilin has been highly active in 2025, publishing over 40 victim cases per month on its leak site. Manufacturing, professional services, and wholesale trade are the most affected sectors. Attackers likely originate from Eastern Europe or Russian-speaking regions. They use legitimate tools such as Cyberduck for data exfiltration and open files in the built-in notepad.exe and mspaint.exe to view sensitive information. The attack flow includes initial VPN access, reconnaissance, credential theft, lateral movement, and ransomware deployment. Two encryptors are often used: one spread via PsExec and another targeting network shares. The ransomware encrypts files, deletes backups, and leaves ransom notes. Persistence is achieved through scheduled tasks and registry modifications."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1761678969",
        "to_ids": false,
        "type": "text",
        "uuid": "f9fbc689-b02a-4a7f-8982-6160e184079b",
        "value": "Name: Uncovering Qilin attack methods exposed through multiple cases\nAuthor: AlienVault\nAdversary: Qilin\nTags: [\"manufacturing\", \"ransomware\", \"systembc\", \"cobalt strike\", \"qilin\"]\nTgtd countries: [\"United States of America\", \"Canada\", \"France\", \"Germany\", \"United Kingdom of Great Britain and Northern Ireland\"]\nMlwr families: [\"Qilin\", \"Cobalt Strike - S0154\", \"SystemBC\"]\nAttack_ids: [\"T1033\", \"T1003\", \"T1133\", \"T1489\", \"T1087.002\", \"T1082\", \"T1053\", \"T1021.002\", \"T1112\", \"T1484.001\", \"T1070.001\", \"T1222\", \"T1482\", \"T1057\", \"T1059.001\", \"T1547.001\", \"T1048\", \"T1110\", \"T1562.001\", \"T1078\", \"T1486\", \"T1537\", \"T1018\", \"T1046\", \"T1105\", \"T1021.001\", \"T1490\"]\nIndustries: [\"Manufacturing\", \"Professional and scientific services\", \"Wholesale trade\", \"Healthcare\", \"Construction\", \"Retail\", \"Education\", \"Finance\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1761678969",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "1f075b95-8ecc-4d19-a5b4-9b0e5dc1da67",
        "value": "Qilin"
      },
      {
        "category": "Network activity",
        "comment": "IOC-description:CC=RO ASN=AS35505 pronet solutii it srl",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780041279",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "0b7cb902-95b4-4353-9630-7a59f12ff432",
        "value": "86.106.85.36",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#64bed2",
            "local": false,
            "name": "asn:asn=\"9009\"",
            "relationship_type": ""
          },
          {
            "colour": "#41c276",
            "local": false,
            "name": "asn:as-owner=\"M247\"",
            "relationship_type": ""
          },
          {
            "colour": "#26f3a1",
            "local": false,
            "name": "asn:as-country=\"RO\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"romania\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:04/11/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1762247533",
        "to_ids": true,
        "type": "sha256",
        "uuid": "93673b0b-9531-4366-a297-d26bf3154d4b",
        "value": "dd29138bf369863c33402a3fc995458ab5fc015a13a9378022131ab31d940c9f",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "IOC-description:CC=MD ASN=AS200019 alexhost srl",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1762251384",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "d877b8eb-3e86-4490-a55f-ff3a0b1c4715",
        "value": "85.239.34.91",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1762251405",
        "to_ids": true,
        "type": "domain",
        "uuid": "4c2df3d9-a50f-4abc-81be-96512db01cb8",
        "value": "holapor67.top",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1762251426",
        "to_ids": true,
        "type": "domain",
        "uuid": "9ae69b85-64ac-408f-a6db-989a31c42c33",
        "value": "regsvchst.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1761678969",
        "to_ids": true,
        "type": "email-src",
        "uuid": "831f0fe8-f207-4022-8ce1-6d8076064560",
        "value": "mimikatz@anti.pm"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1761678969",
        "to_ids": true,
        "type": "email-src",
        "uuid": "d2d202f6-181f-49a4-bdb5-1b670763a953",
        "value": "mimikatzlogs@anti.pm"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1762251447",
        "uuid": "d85147c6-a2b9-4251-9773-1b8607ea2912",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-title:Nrv2x\nIOC-description:MD5 of e705f69afd97f343f3c1f2bc6027d30935a0bfd29ff025c563f6f8c1f9a7478e",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1762251447",
            "to_ids": true,
            "type": "md5",
            "uuid": "89e091d7-f074-4e29-b731-6da7b30c02e6",
            "value": "0f73b467ff03f9224c024f4eb3aecedb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:Nrv2x\nIOC-description:MD5 of e705f69afd97f343f3c1f2bc6027d30935a0bfd29ff025c563f6f8c1f9a7478e",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1762247524",
            "to_ids": true,
            "type": "sha1",
            "uuid": "5ca464a9-dad0-47fd-8a93-479da35586e9",
            "value": "75ebd5bab5e2707d4533579a34d983b65af5ec7f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:Nrv2x\nIOC-description:MD5 of e705f69afd97f343f3c1f2bc6027d30935a0bfd29ff025c563f6f8c1f9a7478e",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1762247524",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b0c698d4-fae0-42fb-9594-6f39954116cb",
            "value": "e705f69afd97f343f3c1f2bc6027d30935a0bfd29ff025c563f6f8c1f9a7478e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1762240747",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "aeaa984e-49fb-4474-872f-88dac442af34",
            "value": "49152:NjPlJMkPEno1ZBv9UERkKo7xGH4mDmpM296:NDlJPEo19zRRVnDmpMC6"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1762240747",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a13d9707-db1e-4507-9ccc-b966cfc94c86",
            "value": "1965470"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1762240747",
            "to_ids": true,
            "type": "vhash",
            "uuid": "63e83855-ae80-4186-bbce-47cb8a6afa0a",
            "value": "01603e0f7d601013z11z4015z1015z13z1fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1762240747",
            "to_ids": true,
            "type": "filename",
            "uuid": "f2168a04-a94b-4040-b59e-8581dca97919",
            "value": "HRSword.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/11/2025\nLast-scan\t:  01/11/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1762240747",
            "to_ids": false,
            "type": "text",
            "uuid": "292e0f1f-5a8b-4c7c-9e9a-91ae2b1d17ed",
            "value": "IOC-title:Nrv2x\nIOC-description:MD5 of e705f69afd97f343f3c1f2bc6027d30935a0bfd29ff025c563f6f8c1f9a7478e\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/AsyncRAT\nVT Total Detection:51/72\nFirst Submission:2020-07-20T13:27:05.000000+00:00\nLast Submission:2025-07-01T15:27:22.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1762251468",
        "uuid": "92630775-3833-409d-8e31-19a561007706",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-title:nUFS_html\nIOC-description:MD5 of 38ddde36929a2ddf13b1844973550072c41004187eaa2456f86e20aa93036b18",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1762251468",
            "to_ids": true,
            "type": "md5",
            "uuid": "d8e01f08-1a6e-439a-87de-89bd80146c7e",
            "value": "1bbca013922b156ad135a5f1d892441c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:nUFS_html\nIOC-description:MD5 of 38ddde36929a2ddf13b1844973550072c41004187eaa2456f86e20aa93036b18",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1762247525",
            "to_ids": true,
            "type": "sha1",
            "uuid": "1452ee10-cf2b-428a-a127-54b7bdbaac96",
            "value": "99dcb442f6a90861d274ab628f6ec9fd2d31ef3e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:nUFS_html\nIOC-description:MD5 of 38ddde36929a2ddf13b1844973550072c41004187eaa2456f86e20aa93036b18",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1762247525",
            "to_ids": true,
            "type": "sha256",
            "uuid": "5cbd1039-a6fa-4dac-9c3a-496951b2371e",
            "value": "38ddde36929a2ddf13b1844973550072c41004187eaa2456f86e20aa93036b18",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1762240768",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "630d2cfa-c6e6-43a6-bbc2-4e80c79c0903",
            "value": "12288:UAjuakTOfDlEU4HWDblFlOTPThNolf+ECKHIy0tGsFzzF8cy6a:9u/OfDlEUKWflmTP3ol9CKHF0U8zh8ck"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1762240768",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "eb02fbf6-2ada-48a2-b657-4ba263f58186",
            "value": "752032"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1762240768",
            "to_ids": true,
            "type": "vhash",
            "uuid": "abbb97ee-1ef9-498f-b79a-9738787124ff",
            "value": "075066655d15156562d5z600967z8041z11z32z17fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1762240768",
            "to_ids": true,
            "type": "filename",
            "uuid": "d90f597b-2280-40c1-bf74-b2c7a1c30fbb",
            "value": "Cyberduck-Installer-6.6.0.28133.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2025-11-04\nLast-scan: 2025-11-03",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1762240768",
            "to_ids": false,
            "type": "text",
            "uuid": "5e84336f-8e95-47fb-8894-dc3b0a9f3e50",
            "value": "IOC-title:nUFS_html\nIOC-description:MD5 of 38ddde36929a2ddf13b1844973550072c41004187eaa2456f86e20aa93036b18\r\nType Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:0/72\nFirst Submission:2018-05-31T19:35:55.000000+00:00\nLast Submission:2022-10-24T05:34:36.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1762251489",
        "uuid": "7d78c29f-c38f-41ac-ade0-d1f99f07cfd1",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-title:Win.Ransomware.Qilin-10044197-0\nIOC-description:MD5 of 8fe746dd277e644fa0337db3394f0eadfafe57df029e13df9feef25c536adf4d",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1762251489",
            "to_ids": true,
            "type": "md5",
            "uuid": "7e0f9b69-b9f1-47fa-bd18-d0899fec665b",
            "value": "227f14f4c3aa35b9fb279f52c73b2e1e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:Win.Ransomware.Qilin-10044197-0\nIOC-description:MD5 of 8fe746dd277e644fa0337db3394f0eadfafe57df029e13df9feef25c536adf4d",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1762247526",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7f8af0c2-ca9a-4c40-8101-4795c3ea56a3",
            "value": "888fa36b196c9b7722026e366fc574015fb7b552",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:Win.Ransomware.Qilin-10044197-0\nIOC-description:MD5 of 8fe746dd277e644fa0337db3394f0eadfafe57df029e13df9feef25c536adf4d",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1762247526",
            "to_ids": true,
            "type": "sha256",
            "uuid": "79453ce4-d1ed-44e9-a14c-78eb46dd618f",
            "value": "8fe746dd277e644fa0337db3394f0eadfafe57df029e13df9feef25c536adf4d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1762240790",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "89250808-1247-45a9-a5d1-915eda1ae4f0",
            "value": "98304:RdlTi6wtEa9jXPh3hQTGdyl04CIrRU7fK0BynEHRCDyWiFcDb+AbRuiGZ:RdM/Ea9rcTGrK0BynEH0DyWiWDbNbRuP"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1762240790",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "2cfb93ab-3e33-40ee-ba57-871d35185030",
            "value": "5254656"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1762240790",
            "to_ids": true,
            "type": "vhash",
            "uuid": "fffdbeb2-cc95-41ec-9e42-618650eff660",
            "value": "0560976d15755c0d5d1dbz48311z2@z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1762240790",
            "to_ids": true,
            "type": "filename",
            "uuid": "ffccf977-2201-41e0-bf84-a49bcfe03f65",
            "value": "aaa.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2025-11-04\nLast-scan: 2025-11-01",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1762240790",
            "to_ids": false,
            "type": "text",
            "uuid": "8beefb02-2c3e-4267-9dac-6496291e40cc",
            "value": "IOC-title:Win.Ransomware.Qilin-10044197-0\nIOC-description:MD5 of 8fe746dd277e644fa0337db3394f0eadfafe57df029e13df9feef25c536adf4d\r\nType Description: Win32 EXE\nMicrosoft: Ransom:Win32/Qilinloader.AL!MTB\nVT Total Detection:58/72\nFirst Submission:2025-06-14T05:35:32.000000+00:00\nLast Submission:2025-09-16T16:42:31.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1762251510",
        "uuid": "78e4ed65-aeb4-4172-8b4c-f0f79cf21d12",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-description:MD5 of a068f595472c4f94baf1c2a8fba6831a327514e24ec4b38e1eee2cf1646b1591",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1762251510",
            "to_ids": true,
            "type": "md5",
            "uuid": "e9fb0c4b-1f9c-4646-95b0-c22c7b5b48c7",
            "value": "2984c4a0ae4fdc553b1b512024d86794",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-description:MD5 of a068f595472c4f94baf1c2a8fba6831a327514e24ec4b38e1eee2cf1646b1591",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1762247526",
            "to_ids": true,
            "type": "sha1",
            "uuid": "767c180a-39c0-4ee3-a464-df75c5edd557",
            "value": "1ea94c458d228d001d42c1e9e0f8a4535d9d2bcc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-description:MD5 of a068f595472c4f94baf1c2a8fba6831a327514e24ec4b38e1eee2cf1646b1591",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1762247526",
            "to_ids": true,
            "type": "sha256",
            "uuid": "24ac02dc-7dfa-4291-9f5d-c591242eb739",
            "value": "a068f595472c4f94baf1c2a8fba6831a327514e24ec4b38e1eee2cf1646b1591",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1762240812",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "75b39113-ab19-42a4-972a-7da476609e3a",
            "value": "12288:AuIenRzQiTDfQWBdkmXsFOKdHoG9BS5sWtHBSGsJ44rK3KOsB8KOsBTQPiylf+IF:X2N/SrYGsJ44rWKOs6KOs9Qflp1K+Z"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1762240812",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "cbdb8c0b-8f36-45b3-bcd5-066239ebae0c",
            "value": "1441336"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1762240812",
            "to_ids": true,
            "type": "vhash",
            "uuid": "beddd7ff-8458-4990-863c-6ede193f03c8",
            "value": "21603665651f201078ffffffff25ff"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1762240812",
            "to_ids": true,
            "type": "filename",
            "uuid": "310a8376-adfa-49ad-a4fe-0ea0c5e824f1",
            "value": "Cyberduck.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2025-11-04\nLast-scan: 2025-11-03",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1762240812",
            "to_ids": false,
            "type": "text",
            "uuid": "336ece51-5691-476b-bd9e-b3b901845538",
            "value": "IOC-description:MD5 of a068f595472c4f94baf1c2a8fba6831a327514e24ec4b38e1eee2cf1646b1591\r\nType Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:0/72\nFirst Submission:2018-06-02T00:03:15.000000+00:00\nLast Submission:2022-11-30T02:01:57.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1762251532",
        "uuid": "ab81f60d-6cb5-405d-a9c5-4e767c264a00",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-title:compromised_site_redirector_fromcharcode\nIOC-description:MD5 of d1347f4dccebf2fcd672dcef9c66c91b9d3f12b9881e3e390626927718fda616",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1762251532",
            "to_ids": true,
            "type": "md5",
            "uuid": "b3ba9dd7-4d47-46b5-aa37-5e5634370450",
            "value": "719ba3d7051173982919d1e4e9e9a0ec",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:compromised_site_redirector_fromcharcode\nIOC-description:MD5 of d1347f4dccebf2fcd672dcef9c66c91b9d3f12b9881e3e390626927718fda616",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1762247527",
            "to_ids": true,
            "type": "sha1",
            "uuid": "1ab0f206-9d1b-410a-b3a5-27468bc1da9f",
            "value": "e38082ae727aeaef4f241a1920150fdf6f149106",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:compromised_site_redirector_fromcharcode\nIOC-description:MD5 of d1347f4dccebf2fcd672dcef9c66c91b9d3f12b9881e3e390626927718fda616",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1762247528",
            "to_ids": true,
            "type": "sha256",
            "uuid": "8610089e-d2d7-486b-85ef-a73040a758ad",
            "value": "d1347f4dccebf2fcd672dcef9c66c91b9d3f12b9881e3e390626927718fda616",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1762240834",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "03ec1e45-1328-4107-8940-b734b217522f",
            "value": "98304:wOTb9M445bqK4GA9n5heddJbGrbyyl+cDBwzXy+WiW8elznzFERHBIFns+EGYsjG:TtEbq33d3eDtiAl1VW8elzqHuBs+gJ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1762240834",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "cf8b2dcf-1fce-460b-b434-74ed395e37a3",
            "value": "15928352"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1762240834",
            "to_ids": true,
            "type": "vhash",
            "uuid": "0f069e1f-8f22-4b1a-a4c6-89fb07b6143a",
            "value": "0170865d55156c0d1d1d7281605006f00980f13z1c135ze0501cb061z2017z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1762240834",
            "to_ids": true,
            "type": "filename",
            "uuid": "2afa73b9-5944-4c27-8025-a25b5ab3d849",
            "value": "netscan.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2025-11-04\nLast-scan: 2025-11-04",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1762240834",
            "to_ids": false,
            "type": "text",
            "uuid": "9b28ec61-a784-4db8-ade5-0bd1dae8103a",
            "value": "IOC-title:compromised_site_redirector_fromcharcode\nIOC-description:MD5 of d1347f4dccebf2fcd672dcef9c66c91b9d3f12b9881e3e390626927718fda616\r\nType Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:13/72\nFirst Submission:2022-03-08T21:12:31.000000+00:00\nLast Submission:2025-08-13T10:48:19.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1762251556",
        "uuid": "5c7c0c73-f6a6-4362-b014-74753d142d2c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-title:HackTool:Win32/Mimikatz.D\nIOC-description:MD5 of 912018ab3c6b16b39ee84f17745ff0c80a33cee241013ec35d0281e40c0658d9",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1762251556",
            "to_ids": true,
            "type": "md5",
            "uuid": "86a2d8d3-68b6-41e9-a8f6-4bb7c9663471",
            "value": "bb8bdb3e8c92e97e2f63626bc3b254c4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#2c2142",
                "local": false,
                "name": "false-positive:risk=\"high\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:HackTool:Win32/Mimikatz.D\nIOC-description:MD5 of 912018ab3c6b16b39ee84f17745ff0c80a33cee241013ec35d0281e40c0658d9",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1762247529",
            "to_ids": true,
            "type": "sha1",
            "uuid": "43352b1f-559f-4697-a261-2487925a2502",
            "value": "70df765f554ed7392200422c18776b8992c09231",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#2c2142",
                "local": false,
                "name": "false-positive:risk=\"high\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:HackTool:Win32/Mimikatz.D\nIOC-description:MD5 of 912018ab3c6b16b39ee84f17745ff0c80a33cee241013ec35d0281e40c0658d9",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1762247529",
            "to_ids": true,
            "type": "sha256",
            "uuid": "99c77645-5d84-4091-9f9e-e079db8ff612",
            "value": "912018ab3c6b16b39ee84f17745ff0c80a33cee241013ec35d0281e40c0658d9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#2c2142",
                "local": false,
                "name": "false-positive:risk=\"high\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1762240855",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "4aae52db-2544-4b68-95ac-2bceb57a7da3",
            "value": "24576:APOLHP7+a2HVvM0UyYG7SbQbcaXjn4Gy5+aYoNEVJEjA3e:APO/4UgOLaz4FQdoNEVmMe"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1762240855",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "37e97b7a-38f4-4342-9b3c-38439e9e87a9",
            "value": "1355680"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1762240855",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d55e1b67-2bda-4741-a200-2cfddd1b416e",
            "value": "016066651d155565163z1a2z8d37093a1z50400290c0105001303dz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1762240855",
            "to_ids": true,
            "type": "filename",
            "uuid": "5eb7fa25-4299-432f-855d-d375ecd88f80",
            "value": "mimikatz.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2025-11-04\nLast-scan: 2025-10-31",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1762240855",
            "to_ids": false,
            "type": "text",
            "uuid": "d559fc6d-a71c-4ee8-8bcf-04ab2ab269f0",
            "value": "IOC-title:HackTool:Win32/Mimikatz.D\nIOC-description:MD5 of 912018ab3c6b16b39ee84f17745ff0c80a33cee241013ec35d0281e40c0658d9\r\nType Description: Win32 EXE\nFile distributed by: ['Offensive Security']\nData sources: ['National Software Reference Library (NSRL)']\nVerdict filename: ['mimikatz.exe']\nMicrosoft: HackTool:Win32/Mimikatz!pz\nVT Total Detection:60/71\nFirst Submission:2021-08-10T17:02:59.000000+00:00\nLast Submission:2025-10-22T21:33:54.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1762251577",
        "uuid": "956586f9-16bc-4f80-87f0-85298fa08766",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1762251577",
            "to_ids": true,
            "type": "md5",
            "uuid": "57ee5dbb-a806-49e9-9bb0-2d5e49442828",
            "value": "58bb9dab4e9b3aa2fd1e7a7b17d2eeb1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1762247530",
            "to_ids": true,
            "type": "sha1",
            "uuid": "b77ce01f-45c7-4411-ab5c-c0588a06a709",
            "value": "8729815f87f4186fd46d52418c1b7ae2a54aebcf",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1762247530",
            "to_ids": true,
            "type": "sha256",
            "uuid": "28b368be-9458-4d97-aacb-26bbc3adc54b",
            "value": "6ce228240458563d73c1c3cbbd04ef15cb7c5badacc78ce331848f5431b406cc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1762240877",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "4aa3fed3-85e3-4289-96b2-f6a83e6f096d",
            "value": "49152:4aohnC+kao3dSYoXDpGCD/x6jGrjCPoBsbfLRCX4B/+5dswnbh2wEtIy0ZRVQ+1z:InFkao3MYoTpGCD/x6jAjCPoBspCX4pG"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1762240877",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "9eac4605-2035-4da0-bb79-705da878b7ed",
            "value": "1988920"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1762240877",
            "to_ids": true,
            "type": "vhash",
            "uuid": "7281bbe3-ba3f-4531-99a4-e6b60c5ea6ac",
            "value": "016076655d1d1515556160e02002e00997z7015z70300a5fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1762240877",
            "to_ids": true,
            "type": "filename",
            "uuid": "bac31a1b-6fac-48af-a2a6-a2bb03e9b90a",
            "value": "HRSword.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/11/2025\nLast-scan\t:  04/11/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1762240877",
            "to_ids": false,
            "type": "text",
            "uuid": "954fa59d-068d-4d7a-8feb-9f4f68b656d5",
            "value": "Type Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:9/72\nFirst Submission:2023-10-26T04:09:30.000000+00:00\nLast Submission:2025-11-01T12:22:48.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1762251598",
        "uuid": "48ad7525-c493-4601-9457-6a8a3aefd884",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1762251598",
            "to_ids": true,
            "type": "md5",
            "uuid": "be40a964-ed22-4628-a452-509a5a3ea3a5",
            "value": "59c3334d184159008cd45355b436d9a8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1762247531",
            "to_ids": true,
            "type": "sha1",
            "uuid": "f675329c-f4b0-41ab-ab3a-b63e7202684a",
            "value": "31ac8f046d03636c9a395ab1d9da6ad5a3c01f1a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1762247531",
            "to_ids": true,
            "type": "sha256",
            "uuid": "8c08511f-92b5-4eaf-86b9-97b3870c49f0",
            "value": "792182b7c5a56e5ccefd32073dc374e66c6a4e7981075e3804f49a276878e0fb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1762240899",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "bd1e34ad-bda6-4235-8ec9-18cf793a96c1",
            "value": "98304:9zs6efPhFFNUhJFF3s+BoiGg1Gc977zbt:9fefPCFF3bBR1H9773"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1762240899",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "17a00e1b-12f9-41c9-a1fc-e47b5dbd3649",
            "value": "5658640"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1762240899",
            "to_ids": true,
            "type": "vhash",
            "uuid": "7d4768d0-b791-4aae-bf2c-53c1cc98654a",
            "value": "056056655d15756az459z6tz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1762240899",
            "to_ids": true,
            "type": "filename",
            "uuid": "2a37d061-2b71-430e-ac54-01412ab2f044",
            "value": "svchost.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/11/2025\nLast-scan\t:  31/10/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1762240899",
            "to_ids": false,
            "type": "text",
            "uuid": "90798a8d-54ec-405d-937c-196f13d3854a",
            "value": "Type Description: Win32 EXE\nMicrosoft: SupportScam:Win32/Screcwon.MA!MTB\nVT Total Detection:40/71\nFirst Submission:2025-06-17T19:45:38.000000+00:00\nLast Submission:2025-06-17T19:45:38.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1762251619",
        "uuid": "601eda9e-3e79-47b9-9086-b66fdde42438",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1762251619",
            "to_ids": true,
            "type": "md5",
            "uuid": "ab7cce05-a7a7-4e4d-b688-27f9d1b0305f",
            "value": "1c0cb55d3a8d544ab0bd7d81d2985089",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1762247531",
            "to_ids": true,
            "type": "sha1",
            "uuid": "669a5a0f-c33d-48a6-92b6-c1726fcb4544",
            "value": "fa25e7e91750cb789c175dad4bbcfd15cfb87327",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1762247531",
            "to_ids": true,
            "type": "sha256",
            "uuid": "57abf187-7fa3-4e24-b411-01721ca360d3",
            "value": "dbe9ed8e8e8cdff3670e7205cb9f11b5a0fa9d1983a6c6bab67527d8775c4ffd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1762240921",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d53482e8-96d1-4a13-af4e-9d242c743704",
            "value": "98304:0tqrmNRdHj9y7E5KypHoKQ1zuHrEfxao9LNlCXvJSJqu:0wrmzdDXcypHoKQ1zuHrED/MRSJR"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1762240921",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "af509ab4-eb7b-4a7f-ad02-81a3a04e290a",
            "value": "5254656"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1762240921",
            "to_ids": true,
            "type": "vhash",
            "uuid": "f3001706-aa0d-4bce-ba1f-02809b4a98e8",
            "value": "0560976d15755c0d5d1dbz48311z2@z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1762240921",
            "to_ids": true,
            "type": "filename",
            "uuid": "fa0b8836-c90a-4a6d-99a7-414be80127de",
            "value": "2025-07-08_1c0cb55d3a8d544ab0bd7d81d2985089_elex_qilin"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/11/2025\nLast-scan\t:  31/10/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1762240921",
            "to_ids": false,
            "type": "text",
            "uuid": "c2f3073d-0f40-4177-a94a-85dd32af3fa9",
            "value": "Type Description: Win32 EXE\nMicrosoft: Ransom:Win32/Qilinloader.AL!MTB\nVT Total Detection:57/71\nFirst Submission:2025-07-08T12:36:25.000000+00:00\nLast Submission:2025-07-08T12:36:25.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1762251640",
        "uuid": "2a42a222-b270-4e82-9f02-c1da96404cb6",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1762251640",
            "to_ids": true,
            "type": "md5",
            "uuid": "768d783c-3931-475c-a5c1-89a62ce227fb",
            "value": "e2c059083926ec2c219cebcfa4a49453",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1762247532",
            "to_ids": true,
            "type": "sha1",
            "uuid": "dc82569e-3912-4240-af36-c4c8d66ee911",
            "value": "a21e701f2f1113d2d60601b2570508ef62a2626a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1762247532",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4753d2ee-8145-4e84-a3d5-935e12239d70",
            "value": "e129dd5cc80f39b24db489df999c847335d169910bd966814d2f81b0b1bbc365",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1762240964",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c1711ed2-5729-49df-b400-ab973dc6a120",
            "value": "6144:BkNJEC3eY8H8CMEtgpdmuTwgadoqq0KYg:hY8H8sgogat"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1762240964",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "cda2025c-41f9-418a-9959-fdc6c0fecdad",
            "value": "297984"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1762240964",
            "to_ids": true,
            "type": "vhash",
            "uuid": "8050825a-8a6f-4148-9b54-275adfcfb083",
            "value": "025076655d1d6d05551034z17005d9z3az5gz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1762240964",
            "to_ids": true,
            "type": "filename",
            "uuid": "734e4b13-9e4c-433e-8a4a-4247690994a2",
            "value": "2025-06-15_e2c059083926ec2c219cebcfa4a49453_amadey_elex_smoke-loader_stealc_stop_tofsee"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/11/2025\nLast-scan\t:  03/11/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1762240964",
            "to_ids": false,
            "type": "text",
            "uuid": "3983eb58-3ade-4313-b079-338dcd5e2311",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Seheq!rfn\nVT Total Detection:50/72\nFirst Submission:2025-06-13T10:44:57.000000+00:00\nLast Submission:2025-06-15T10:10:34.000000+00:00"
          }
        ]
      }
    ]
  }
}