{
  "Event": {
    "analysis": "1",
    "date": "2025-10-29",
    "extends_uuid": "",
    "info": "[Threat Intel] Smoking Gun Uncovered: RPX Relay at PolarEdge's Core Exposed",
    "protected": false,
    "publish_timestamp": "1780041281",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1772902064",
    "uuid": "e2b56848-b740-4d4f-b2bd-1a6687393bfa",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#7773ac",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#ff841f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"",
        "relationship_type": ""
      },
      {
        "colour": "#9f6bd9",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"",
        "relationship_type": ""
      },
      {
        "colour": "#adf1b0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"",
        "relationship_type": ""
      },
      {
        "colour": "#20f80d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"",
        "relationship_type": ""
      },
      {
        "colour": "#1cbe6b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Virtualization/Sandbox Evasion - T1497\"",
        "relationship_type": ""
      },
      {
        "colour": "#9e0269",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Service - T1102\"",
        "relationship_type": ""
      },
      {
        "colour": "#08221e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal Application Access Token - T1528\"",
        "relationship_type": ""
      },
      {
        "colour": "#7adb57",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploitation of Remote Services - T1210\"",
        "relationship_type": ""
      },
      {
        "colour": "#f07d7c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Non-Standard Port - T1571\"",
        "relationship_type": ""
      },
      {
        "colour": "#e12cbc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Non-Application Layer Protocol - T1095\"",
        "relationship_type": ""
      },
      {
        "colour": "#50bd28",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Network Service Discovery - T1046\"",
        "relationship_type": ""
      },
      {
        "colour": "#b8ab01",
        "local": false,
        "name": "misp-galaxy:target-information=\"United States\"",
        "relationship_type": ""
      },
      {
        "colour": "#098efb",
        "local": false,
        "name": "misp-galaxy:target-information=\"British Indian Ocean Territory\"",
        "relationship_type": ""
      },
      {
        "colour": "#52d590",
        "local": false,
        "name": "misp-galaxy:target-information=\"China\"",
        "relationship_type": ""
      },
      {
        "colour": "#013748",
        "local": false,
        "name": "misp-galaxy:target-information=\"India\"",
        "relationship_type": ""
      },
      {
        "colour": "#f9cdc4",
        "local": false,
        "name": "misp-galaxy:target-information=\"Indonesia\"",
        "relationship_type": ""
      },
      {
        "colour": "#26fab6",
        "local": false,
        "name": "misp-galaxy:target-information=\"Israel\"",
        "relationship_type": ""
      },
      {
        "colour": "#915448",
        "local": false,
        "name": "misp-galaxy:target-information=\"Malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#15cd0b",
        "local": false,
        "name": "misp-galaxy:target-information=\"Russia\"",
        "relationship_type": ""
      },
      {
        "colour": "#33360c",
        "local": false,
        "name": "misp-galaxy:target-information=\"Thailand\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1762216756",
        "to_ids": false,
        "type": "link",
        "uuid": "3b2c4ad3-15cb-4571-b5a4-f862f1f77dfd",
        "value": "https://blog.xlab.qianxin.com/smoking-gun-uncovered-rpx-relay-at-polaredges-core-exposed"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1762216756",
        "to_ids": false,
        "type": "text",
        "uuid": "0959bd10-c254-43dc-948e-6254fe071ec4",
        "value": "A new component of PolarEdge's infrastructure, RPX_Client, has been discovered, revealing insights into the threat actor's relay operations. The investigation uncovered 140 VPS nodes acting as RPX Servers and over 25,000 infected devices serving as RPX Clients. The system uses a multi-hop design to conceal attack sources, with compromised IoT devices and VPS servers forming robust barriers. RPX_Client functions as a jumpserver in the Operational Relay Box (ORB) network, providing proxy services and enabling remote command execution. The analysis also revealed connections between previously known PolarEdge infrastructure and the newly discovered components, confirming the attribution to this threat actor."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1762216756",
        "to_ids": false,
        "type": "text",
        "uuid": "7e35ebb9-3dd3-42e1-9896-380daf78ccbe",
        "value": "Name: Smoking Gun Uncovered: RPX Relay at PolarEdge's Core Exposed\nAuthor: AlienVault\nAdversary: PolarEdge\nTags: [\"proxy\", \"infrastructure\", \"orb\", \"vps\", \"polaredge\", \"command execution\", \"iot\", \"cve-2023-20118\", \"evasion\", \"rpx_server\", \"rpx_client\", \"botnet\"]\nTgtd countries: [\"United States of America\", \"British Indian Ocean Territory\", \"China\", \"India\", \"Indonesia\", \"Israel\", \"Malaysia\", \"Russian Federation\", \"Thailand\"]\nMlwr families: []\nAttack_ids: [\"T1133\", \"T1082\", \"T1071\", \"T1016\", \"T1090\", \"T1059\", \"T1497\", \"T1102\", \"T1528\", \"T1210\", \"T1571\", \"T1095\", \"T1046\"]\nIndustries: []"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1762216756",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "9e669a13-5bde-4d64-978a-f5f8e316a16c",
        "value": "PolarEdge"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:05/11/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1762342446",
        "to_ids": true,
        "type": "md5",
        "uuid": "e9e24144-bb3a-4584-9039-c24d85ae3393",
        "value": "7fa5fb15098efdf76e4c016e2e17bb38",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:05/11/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1762342447",
        "to_ids": true,
        "type": "sha256",
        "uuid": "72fe8879-df18-4f5d-9e18-9031da7670ee",
        "value": "3f00058448b8f7e9a296d0cdf6567ceb23895345eae39d472350a27b24efe999",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:05/11/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1762342448",
        "to_ids": true,
        "type": "sha256",
        "uuid": "9ae5be3b-9ade-4fb4-8909-6c218bd1901e",
        "value": "e234e102cd8de90e258906d253157aeb7699a3c6df0c4e79e05d01801999dcb5",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1762348426",
        "to_ids": true,
        "type": "domain",
        "uuid": "8336fd8c-acec-44a3-9d45-47ce07503f38",
        "value": "beastdositadvtofm.site",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1762348447",
        "to_ids": true,
        "type": "domain",
        "uuid": "7e7e9eb8-c30c-478b-a464-cebd20e58ecb",
        "value": "centrequ.cc",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1762348468",
        "to_ids": true,
        "type": "domain",
        "uuid": "69656ab6-c66d-4313-8083-d9f1e5075d67",
        "value": "icecreand.cc",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
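        "comment": "NOTE(review): blog.sekoia.io is the public blog of security vendor Sekoia, so this hostname was probably picked up from a reference in the source report rather than observed as PolarEdge infrastructure; confirm before using it for detection or blocking.",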
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1762348490",
        "to_ids": true,
        "type": "hostname",
        "uuid": "d978dcb7-c468-41ff-821e-7d2a3b6fb42b",
        "value": "blog.sekoia.io",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1762348511",
        "uuid": "5d38365a-3974-4cfd-ab69-2f585ce1ff46",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1762348511",
            "to_ids": true,
            "type": "md5",
            "uuid": "2affb6bf-4b2b-4095-8ea9-ae2cc416ddb6",
            "value": "1fb2dfb09a31f0e8c63cc83283532f06",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1762342442",
            "to_ids": true,
            "type": "sha1",
            "uuid": "3a9292a5-af5a-41d0-a075-1a942d936317",
            "value": "2c0184a1eb37fe0c26a76b96466d6ba44028632f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1762342442",
            "to_ids": true,
            "type": "sha256",
            "uuid": "10ef51bf-7589-49ac-b7bd-04a60629c8d7",
            "value": "827797a9bff728ae6f46abd505e67a15e40b0ba69a8dc92a36fd90d9974c9593",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1762335813",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "621f8b54-d7fb-4249-a39a-e49aaeea6a8d",
            "value": "49152:EUSgS/o1UujkdavrJqU2aQnkHvLk/fTa:Enb8yGrJqU2aQnkHvLufT"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1762335813",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "8fffa95b-4df3-47c1-8181-78da69619800",
            "value": "2013872"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1762335813",
            "to_ids": true,
            "type": "vhash",
            "uuid": "2a76a239-3f1d-484b-9a7a-9f08a20e9503",
            "value": "4ac18f6e1309ba577d41d2b95f00e2d1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1762335813",
            "to_ids": true,
            "type": "filename",
            "uuid": "3b39343a-92df-4303-9367-534a397edee7",
            "value": "2025-09-02_1fb2dfb09a31f0e8c63cc83283532f06_helldown"
          },
          {
            "category": "Other",
            "comment": "Checked: 05/11/2025\nLast-scan\t:  05/11/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1762335813",
            "to_ids": false,
            "type": "text",
            "uuid": "ce79f2ba-eb5d-4876-a2a7-205beb9ec527",
            "value": "Type Description: ELF\nMicrosoft: Trojan:Script/Wacatac.B!ml\nVT Total Detection:9/65\nFirst Submission:2025-08-25T15:26:55.000000+00:00\nLast Submission:2025-09-02T15:00:26.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1762348533",
        "uuid": "03106e3b-6bbd-485f-92a6-a14e3c1d4123",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1762348533",
            "to_ids": true,
            "type": "md5",
            "uuid": "eaaf3874-36fe-49a2-9354-6e14f2f77290",
            "value": "3e5e99b77012206d4d4469e84c767e6b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1762342443",
            "to_ids": true,
            "type": "sha1",
            "uuid": "3b726762-93c7-4e6a-a647-06ad944fbc74",
            "value": "7fd4a8a95bcfe30efa51b3e83cb426baa23a66ae",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1762342443",
            "to_ids": true,
            "type": "sha256",
            "uuid": "54d20f37-0310-402f-bce7-4e5a3352a19b",
            "value": "f564cc807bb663f814eec5a47ba0279dbcfea8002f2bf45c7aa400b82aa3788d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1762335835",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e786899b-3274-4123-8e6b-57c6ba3b9a27",
            "value": "12288:aMTo6ngjKjTo5AXgnO1xGZpLepbEay3cM8RpXc:aifonY+ehEVHEXc"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1762335835",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "2444f337-d77a-47cf-8b1a-c48609306686",
            "value": "654280"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1762335835",
            "to_ids": true,
            "type": "vhash",
            "uuid": "9ffa8b54-9481-445e-a708-19e44b798c5f",
            "value": "bc5e06a14083112f36b123dadd73e9ac"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1762335835",
            "to_ids": true,
            "type": "filename",
            "uuid": "73ded0e0-413a-4bac-aa91-61a04df301f6",
            "value": "WebClientd"
          },
          {
            "category": "Other",
            "comment": "Checked: 05/11/2025\nLast-scan\t:  01/11/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1762335835",
            "to_ids": false,
            "type": "text",
            "uuid": "96fced58-6183-4e81-8375-3ad33d7f74ab",
            "value": "Type Description: ELF\nMicrosoft: None\nVT Total Detection:27/64\nFirst Submission:2024-06-13T21:08:23.000000+00:00\nLast Submission:2024-06-13T21:08:23.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1762348555",
        "uuid": "ad3e7c03-3020-476a-a8f4-5b7efce00b09",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1762348555",
            "to_ids": true,
            "type": "md5",
            "uuid": "d4fedafd-2731-4afb-af16-ecc4f4ad6f62",
            "value": "571088182ed7e33d986b3aa2c51efd27",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1762342444",
            "to_ids": true,
            "type": "sha1",
            "uuid": "d2d3ae3e-4c44-4c47-b5b5-33f40a358282",
            "value": "5612c6546685bd86eb8effba89aa1e8942d5c120",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1762342445",
            "to_ids": true,
            "type": "sha256",
            "uuid": "ed3b9140-e049-47e9-abea-87e903305ef3",
            "value": "51a9d90a021c8a2a77658a3eca8f1a2297db52c13c17be3b5a08867a7d73d1ad",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1762335856",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "70ea7b85-e04a-4b46-ae6e-3ea975b568c2",
            "value": "12288:GlAexybH7LikR21BHrv3KGibxDUa0t5pKYr25WbsV:5/D+r81IHr25NV"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1762335856",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "5a03f0ab-21c3-4022-a49a-63f5be5a47c0",
            "value": "937744"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1762335856",
            "to_ids": true,
            "type": "vhash",
            "uuid": "0a23e925-5b4e-4cef-975c-5401fc0cd38c",
            "value": "0f8dba264b0433ef88759a2723e69685"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1762335856",
            "to_ids": true,
            "type": "filename",
            "uuid": "cb1748df-18b5-4a2e-a853-27eed97e224a",
            "value": "check_ui_lock"
          },
          {
            "category": "Other",
            "comment": "Checked: 05/11/2025 (DD/MM/YYYY)\nLast-scan\t:  05/11/2025 (DD/MM/YYYY)",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1762335856",
            "to_ids": false,
            "type": "text",
            "uuid": "656ddc50-706e-42d3-aeac-12004d0ff440",
            "value": "Type Description: ELF\nMicrosoft: None\nVT Total Detection:6/64\nFirst Submission:2025-08-06T02:07:44.000000+00:00\nLast Submission:2025-08-06T02:08:12.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1762348576",
        "uuid": "4c37fd89-f1a7-4fbb-894c-308b8661f011",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1762348576",
            "to_ids": true,
            "type": "md5",
            "uuid": "73a5e0a4-423a-443f-a1da-5a6cb0157525",
            "value": "96b3be4cf3ad232ca456f343f468da0e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1762342446",
            "to_ids": true,
            "type": "sha1",
            "uuid": "70cf6fbe-121d-41d2-944d-58186ac7f260",
            "value": "74fb3b1ca6cc1802f47051c3fd270ea150ec0620",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1762342446",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4b21f8b2-4878-44fd-9cdf-36908e4b944a",
            "value": "c1177f91fa4e6d4f88682ab56d8b92b91b184174d7e0f6decd5c3245417566d0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1762335898",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "fd4d92d6-549c-48e9-91c5-2fbad06ebf46",
            "value": "48:rFtOLoswg7WWpASH6HZnClYBj646GcNcdE3OdtAk2CSvr:r8osDta9CBLGcNcKOvkr"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1762335898",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "e2b6c5c8-81fc-4886-a566-d85ebb80f4a8",
            "value": "4170"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1762335898",
            "to_ids": true,
            "type": "filename",
            "uuid": "75ba3db9-24c8-4fd5-9d87-cd9fede4e0ad",
            "value": "q_upload_by_xlab"
          },
          {
            "category": "Other",
            "comment": "Checked: 05/11/2025 (DD/MM/YYYY)\nLast-scan\t:  05/11/2025 (DD/MM/YYYY)",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1762335898",
            "to_ids": false,
            "type": "text",
            "uuid": "cc69dd65-07b2-4180-ad36-b7d285d55a64",
            "value": "Type Description: Shell script\nMicrosoft: None\nVT Total Detection:0/62\nFirst Submission:2025-11-01T10:26:08.000000+00:00\nLast Submission:2025-11-01T10:26:08.000000+00:00"
          }
        ]
      }
    ]
  }
}