{
  "Event": {
    "analysis": "1",
    "date": "2022-06-21",
    "extends_uuid": "",
    "info": "[Threat Intel] ToddyCat: Unveiling an unknown APT actor attacking high-profile entities in Europe and Asia",
    "protected": false,
    "publish_timestamp": "1780039583",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1780039583",
    "uuid": "e5b2340a-7903-4bd9-a019-bba2fc4c1e4a",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#1ebce4",
        "local": false,
        "name": "misp-galaxy:producer=\"Kaspersky\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#03bdda",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1073\"",
        "relationship_type": ""
      },
      {
        "colour": "#e2ba37",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Boot or Logon Initialization Scripts - T1037\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#adf1b0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#b672a4",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task/Job - T1053\"",
        "relationship_type": ""
      },
      {
        "colour": "#2613b0",
        "local": false,
        "name": "misp-galaxy:target-information=\"Taiwan\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b8479",
        "local": false,
        "name": "misp-galaxy:target-information=\"Vietnam\"",
        "relationship_type": ""
      },
      {
        "colour": "#86e845",
        "local": false,
        "name": "misp-galaxy:target-information=\"Afghanistan\"",
        "relationship_type": ""
      },
      {
        "colour": "#013748",
        "local": false,
        "name": "misp-galaxy:target-information=\"India\"",
        "relationship_type": ""
      },
      {
        "colour": "#20a667",
        "local": false,
        "name": "misp-galaxy:target-information=\"Iran\"",
        "relationship_type": ""
      },
      {
        "colour": "#915448",
        "local": false,
        "name": "misp-galaxy:target-information=\"Malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#670cf4",
        "local": false,
        "name": "misp-galaxy:target-information=\"Pakistan\"",
        "relationship_type": ""
      },
      {
        "colour": "#15cd0b",
        "local": false,
        "name": "misp-galaxy:target-information=\"Russia\"",
        "relationship_type": ""
      },
      {
        "colour": "#04e23c",
        "local": false,
        "name": "misp-galaxy:target-information=\"Slovakia\"",
        "relationship_type": ""
      },
      {
        "colour": "#33360c",
        "local": false,
        "name": "misp-galaxy:target-information=\"Thailand\"",
        "relationship_type": ""
      },
      {
        "colour": "#ce59f1",
        "local": false,
        "name": "misp-galaxy:target-information=\"United Kingdom\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"ToddyCat\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#10003d",
        "local": false,
        "name": "rectifyq:sub-category=\"TA-profile\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd2e44",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#41c393",
        "local": false,
        "name": "misp-galaxy:target-information=\"Kyrgyzstan\"",
        "relationship_type": ""
      },
      {
        "colour": "#aad0dc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Uzbekistan\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#220082",
        "local": false,
        "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736667406",
        "to_ids": false,
        "type": "link",
        "uuid": "a6a7f54f-8b34-467f-8ca2-38261c0653ce",
        "value": "https://securelist.com/toddycat/106799/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736667406",
        "to_ids": false,
        "type": "text",
        "uuid": "c4185743-e6e8-43fe-b646-30860ac6ddc1",
        "value": "A new type of cyber-attack has been detected in Asia since May 2021, and it is believed to be from the same group that first appeared in the US in 2011 and 2014, and is now spreading around the world."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736667406",
        "to_ids": false,
        "type": "text",
        "uuid": "079ec74c-371d-4fc3-a970-8fab25f237d7",
        "value": "Name: ToddyCat: Unveiling an unknown APT actor attacking high-profile entities in Europe and Asia\nAuthor: AlienVault\nAdversary: ToddyCat\nTags: [\"apt\", \"backdoor\", \"ToddyCat\", \"samurai\", \"ninja\", \"cobalt strike\", \"China Chopper\", \"FunnyDream\"]\nTgtd countries: [\"Taiwan\", \"Viet Nam\", \"Afghanistan\", \"India\", \"Iran, Islamic Republic of\", \"Malaysia\", \"Pakistan\", \"Russian Federation\", \"Slovakia\", \"Thailand\", \"United Kingdom of Great Britain and Northern Ireland\"]\nMlwr families: [\"Samurai\", \"HackTool:MSIL/Ninja\"]\nAttack_ids: [\"T1073\", \"T1037\", \"T1071.001\", \"T1090\", \"T1055\", \"T1053\"]\nIndustries: []"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736667406",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "7098718e-f1c3-42b9-93f3-799eea9bd52d",
        "value": "ToddyCat"
      },
      {
        "category": "Payload delivery",
        "comment": "Samurai Backdoor. No sample in VT.\r\nLast check: 23/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740274739",
        "to_ids": true,
        "type": "md5",
        "uuid": "928bbdfb-a76e-44a0-841c-4a3001d6dcd6",
        "value": "8a00d23192c4441c3ee3e56acebf64b0",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Ninja Trojan. No sample in VT.\r\nLast check: 23/02/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740274740",
        "to_ids": true,
        "type": "md5",
        "uuid": "48e72c45-fd1c-434f-b9a4-47046c24943f",
        "value": "5e721804f556e20bf9ddeec41ccf915d",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Ninja C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039583",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "2a4a9759-6256-4a54-9f58-814a8fb2d1e2",
        "value": "149.28.28.159",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#133012",
            "local": false,
            "name": "asn:asn=\"20473\"",
            "relationship_type": ""
          },
          {
            "colour": "#650025",
            "local": false,
            "name": "asn:as-owner=\"AS-VULTR\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Ninja C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740274824",
        "to_ids": true,
        "type": "hostname",
        "uuid": "3a9ee5aa-a44e-4ec9-9897-6bc899ce190b",
        "value": "eohsdnsaaojrhnqo.windowshost.us",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload installation",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740271934",
        "to_ids": false,
        "type": "malware-type",
        "uuid": "da4229b1-5272-4b93-9635-dbe068820cba",
        "value": "Ninja Trojan"
      },
      {
        "category": "Payload installation",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740271969",
        "to_ids": false,
        "type": "malware-type",
        "uuid": "2017bd4d-2834-409d-b63b-6cca4090fc45",
        "value": "Samurai Backdoor"
      },
      {
        "category": "Artifacts dropped",
        "comment": "Mutex name used to guarantee atomic execution. The first element is the mutex name, which could be any string, but usually looks like a GUID value.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746474919",
        "to_ids": false,
        "type": "mutex",
        "uuid": "c6a75f70-5971-40a0-97c3-ba7470675759",
        "value": "2B847033-C95F-92E3-D847-29C6AE934CDC"
      },
      {
        "category": "Other",
        "comment": "The library decodes the first string; the resulting data are decrypted with a simple single XOR using the key 0x3F and then decompressed using Gzip.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746475001",
        "to_ids": false,
        "type": "text",
        "uuid": "49539ed7-e298-4086-b710-86663257e19a",
        "value": "0x3F"
      },
      {
        "category": "Other",
        "comment": "Malware configuration data are encoded with base64 and encrypted with the DES algorithm using this hardcoded key",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746475059",
        "to_ids": false,
        "type": "text",
        "uuid": "f4d9e4bb-372f-4829-a719-48a0c8bd19d8",
        "value": "90 EE 0C E1 6C 0D C9 0C"
      },
      {
        "category": "Other",
        "comment": "All modules must contain a \u201crun\u201d method, which expects two arguments, a dictionary that contains the \u201csamurai\u201d keyword with the current working directory, and a string provided by the attacker.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746475121",
        "to_ids": false,
        "type": "text",
        "uuid": "5194cf78-5614-4b94-97d3-8dccee6ada89",
        "value": "samurai"
      },
      {
        "category": "Other",
        "comment": "The malware starts operations by retrieving configuration parameters from an encrypted payload embedded in the binary, which is XORed with the constant value \u201c0xAA\u201d and compressed with the LZSS algorithm.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746475188",
        "to_ids": false,
        "type": "text",
        "uuid": "c71c02a9-6959-4bdf-98e3-3b5335204930",
        "value": "0xAA"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1747981191",
        "uuid": "ad03317b-6015-4d70-b0bc-b0712b36a1ac",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Dropper google.log",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1747981191",
            "to_ids": true,
            "type": "md5",
            "uuid": "9d185ff8-b172-4b92-a2cb-2339a6953fc7",
            "value": "5cfdb7340316abc5586448842c52aabc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Dropper google.log",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1747981191",
            "to_ids": true,
            "type": "sha1",
            "uuid": "3a89b6b9-a156-4663-8f8d-ad586f84aa8a",
            "value": "9afa2afb838caf2748d09d013d8004809d48d3e4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Dropper google.log",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1747981191",
            "to_ids": true,
            "type": "sha256",
            "uuid": "347b59ad-bc53-440a-9e5e-2f56fed144bf",
            "value": "1609f8ca52b30517ba17160acb9db9bf43d308907cbca9cea62ada76215e86c5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740273705",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "da40cb40-035c-486a-ae54-7beff36c494f",
            "value": "1536:1Sq9g6vTuW6a4pr7AhA6jyFBlEdkbHu9VcyfJ8GsWddc9dl+s2Y3/93Bt406h:1SmvTX4ZAqM6BlE6bHu9VVJfUqY3/DtB"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740273705",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f5fbb4b0-227e-4899-b2f7-5f21f694fd7a",
            "value": "97280"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740273705",
            "to_ids": true,
            "type": "vhash",
            "uuid": "5324fcc6-e7a6-43ca-b97c-dad45acfe41e",
            "value": "094076655d155515555az49!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740273705",
            "to_ids": true,
            "type": "filename",
            "uuid": "a4bf1b55-7803-4b36-ad40-b9cfe21042b4",
            "value": "1609f8ca52b30517ba17160acb9db9bf43d308907cbca9cea62ada76215e86c5.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  08/07/2024",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740273705",
            "to_ids": false,
            "type": "text",
            "uuid": "942d8ff8-5721-4664-90c6-8dbc375feb7a",
            "value": "Dropper google.log\r\nType Description: Win32 EXE\n\nMicrosoft: Trojan:Win64/CryptAgent.A!dha\nVT Total Detection:56/74"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740274866",
        "uuid": "8966d7c1-46b3-4444-9c86-603e4be24ddf",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Dropper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740274866",
            "to_ids": true,
            "type": "md5",
            "uuid": "eef4e2c3-02df-4be7-8aba-856250b13008",
            "value": "93c186c33e4bbe2abdcc6dfea86fbbff",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Dropper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740274720",
            "to_ids": true,
            "type": "sha1",
            "uuid": "26c272b0-b3bb-4be6-b419-e531e1a8426f",
            "value": "285f84e8aeabcdc0a0ee1349aa9156794dde5e08",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Dropper",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740274720",
            "to_ids": true,
            "type": "sha256",
            "uuid": "c335ce1b-8edc-4454-b1b3-f4b88a27c6e8",
            "value": "8c4eaa88a45e6558c1993f173845fa850c54b7e764074014702d0caa059bf685",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740273726",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "03f62b0e-ab74-414c-ad53-4520b32bfdbe",
            "value": "1536:TSq9g6vTuW6a4pr7AhA6jyFBlEdkbHu9VcyfJ8GsWddc9dl+s2Y3/93Bt406h:TSmvTX4ZAqM6BlE6bHu9VVJfUqY3/DtB"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740273726",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "413bbead-39b5-48e3-b328-bf0a83c816df",
            "value": "97792"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740273726",
            "to_ids": true,
            "type": "vhash",
            "uuid": "35a80e47-7ff5-4a0c-8abb-b2dcc980b67b",
            "value": "094086655d15551555555az49!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740273726",
            "to_ids": true,
            "type": "filename",
            "uuid": "7e81684b-2752-4f7d-84f1-31f46cbb6732",
            "value": "93c186c33e4bbe2abdcc6dfea86fbbff.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  17/02/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740273726",
            "to_ids": false,
            "type": "text",
            "uuid": "2169ca37-0cea-47fe-90af-7400653acf25",
            "value": "Dropper\r\nType Description: Win32 EXE\n\nMicrosoft: Trojan:Win64/CryptAgent.A\nVT Total Detection:53/72"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740274888",
        "uuid": "4d834f5d-ade6-4833-91e1-2cacaad18448",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Dll Loader Stage 2 iiswmi.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740274888",
            "to_ids": true,
            "type": "md5",
            "uuid": "92237675-af82-4fea-a569-0eea615d5988",
            "value": "5a912beec77d465fc2a27f0ce9b4052b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Dll Loader Stage 2 iiswmi.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740274721",
            "to_ids": true,
            "type": "sha1",
            "uuid": "5c3718c9-2125-4e07-ab3d-65c2ed5b79c0",
            "value": "e2bdb39105f9a508ef815855027d4cdb5481e9c7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Dll Loader Stage 2 iiswmi.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740274722",
            "to_ids": true,
            "type": "sha256",
            "uuid": "5321f303-bdb6-499d-bd41-fe2cdb8e9678",
            "value": "8e2cd616286a13df82c9639d84e90a3927161000c8204905f338f3a79fe73d13",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740273748",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e24b11c7-13bc-4f9a-892f-d68ad8a12ad8",
            "value": "1536:rZG18e9dAplNBRTr+rAHaJrVUJhHrjt/uJDZBdsWTSYWeD5TUCaffI+2fusWkdcL:rXe9dAr5ir+a5VwVjt/uJWWlWeD5TUC5"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740273748",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a45cb499-19d2-4a7f-9879-289f0ff534d5",
            "value": "90624"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740273748",
            "to_ids": true,
            "type": "vhash",
            "uuid": "891deea1-49f0-4588-b28e-5d424fb74aa5",
            "value": "194076655d155515555028z44?z1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740273748",
            "to_ids": true,
            "type": "filename",
            "uuid": "9cb90795-db25-467f-b267-2edcb1acdecc",
            "value": "iiswmi.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  17/02/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740273748",
            "to_ids": false,
            "type": "text",
            "uuid": "5ce3db71-055f-49ad-9979-8f1fc8b20c25",
            "value": "Dll Loader Stage 2 iiswmi.dll\r\nType Description: Win32 DLL\n\nMicrosoft: Trojan:Win64/CryptAgent.B!dha\nVT Total Detection:54/72"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740274909",
        "uuid": "bd401407-3939-4805-b7fe-c6eb36e7dbb0",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Dll Loader Stage 3 websvc.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740274909",
            "to_ids": true,
            "type": "md5",
            "uuid": "2f877c2d-1f75-49d0-b765-320788011137",
            "value": "f595edf293af9b5b83c5ffc2e4c0f14b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Dll Loader Stage 3 websvc.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740274723",
            "to_ids": true,
            "type": "sha1",
            "uuid": "778a71c4-b61c-4239-9d0d-c46604d5eea8",
            "value": "3399681cfd6f7f2a270d9a543021ed9b93e85675",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Dll Loader Stage 3 websvc.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740274723",
            "to_ids": true,
            "type": "sha256",
            "uuid": "50287302-0280-4304-9a39-f43ab67de61b",
            "value": "5a1d4337431be103268ecc0ce2b1b44910da21fbbaec8ed6196f2042d887755a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740273770",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "1059b615-1d39-4ea8-aaee-a0677ee35daf",
            "value": "48:6quoGRrseKe4dHt88SX3ExUR1HjzdFF77v5K0jicrG1+jf5ibw1+sVtiOl0xqFf:BGhIm8yP/ZW8G1+V31y"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740273770",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "d83e4b76-3e3f-45db-ab2d-06c97a52d4cc",
            "value": "5632"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740273770",
            "to_ids": true,
            "type": "vhash",
            "uuid": "549a3ad5-d221-4b99-8caf-2330d02b5ad6",
            "value": "3530465d1515160812z20"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740273770",
            "to_ids": true,
            "type": "filename",
            "uuid": "0e47f590-5d71-4c02-b124-226d5e90854c",
            "value": "HelperDLL.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  17/02/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740273770",
            "to_ids": false,
            "type": "text",
            "uuid": "0780cde7-1792-4e49-acf7-0b427a95ca5d",
            "value": "Dll Loader Stage 3 websvc.dll\r\nType Description: Win32 DLL\n\nMicrosoft: Trojan:Win32/AgentTesla!ml\nVT Total Detection:52/72"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740274930",
        "uuid": "09fb86e6-5463-4042-89f3-529c53c02859",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Dll Loader Stage 2 fveapi.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740274930",
            "to_ids": true,
            "type": "md5",
            "uuid": "0e4bd154-266e-4d05-bb6c-86846b9127a7",
            "value": "5a531f237b8723396bcfd7c24885177f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Dll Loader Stage 2 fveapi.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740274724",
            "to_ids": true,
            "type": "sha1",
            "uuid": "6d4a4f24-2412-4246-abdf-e7f2f8f402d6",
            "value": "a71923ff816ecc4dbd87981b9b238f9b92838bdd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Dll Loader Stage 2 fveapi.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740274725",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1096b3f2-d7bc-4c64-ad70-17670c7dab4c",
            "value": "3bea76f0819752abc5ff0c3d9f19b0d3ef1405eb8affaba5250b5ce2dc402c3c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740273793",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "5a818e71-b902-491f-8924-b0ba54036bab",
            "value": "1536:N+E5o1N5g6MYVvU0rJrfjM3BbJU+ymEqoEkECQnTU+jZz0i6//oeWr0VVsWUdc97:N+E6yYVvHrpjkBFWmEqoEkrcI+jZz0iL"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740273793",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "3b155958-b499-48d7-a97e-4715ff59487a",
            "value": "93440"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740273793",
            "to_ids": true,
            "type": "vhash",
            "uuid": "493a9d69-84cc-4308-8ee9-f34ca61a6711",
            "value": "194076655d155515051az45!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740273793",
            "to_ids": true,
            "type": "filename",
            "uuid": "8aeba72f-5b9e-4638-8703-47485a9abcbe",
            "value": "fveapi.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  29/01/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740273793",
            "to_ids": false,
            "type": "text",
            "uuid": "de331ba7-aefd-4d93-8bd0-ea9688f2c1ad",
            "value": "Dll Loader Stage 2 fveapi.dll\r\nType Description: Win32 DLL\n\nMicrosoft: Trojan:Win32/Casdet!rfn\nVT Total Detection:53/72"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740274951",
        "uuid": "5f9ad4bf-86f5-40c5-bc1d-6220d905584f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Dll Loader Stage 2 fveapi.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740274951",
            "to_ids": true,
            "type": "md5",
            "uuid": "10685c16-8b77-4de9-998b-d0d14f279425",
            "value": "1ad6dccb520893b3831a9cfe94786b82",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Dll Loader Stage 2 fveapi.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740274726",
            "to_ids": true,
            "type": "sha1",
            "uuid": "250b8417-1fee-4dc2-9501-cb643afca5d5",
            "value": "4ef8ae0fdd3afa3afd88fde1a42e993dd79bef61",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Dll Loader Stage 2 fveapi.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740274726",
            "to_ids": true,
            "type": "sha256",
            "uuid": "41260875-5acb-467e-a11c-4e714107f60d",
            "value": "f1922427f27e20f76ae55cdadfbabfa7be802239515a01eacb76061e2dbae23a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740273814",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d704e530-675a-4aa9-8f63-f2002e7ca1ee",
            "value": "1536:WCE6h9ROdXIaBnwDClOgBuX+nWFnogpNHA2+jZz0i6//oxAsWhdc9dlgc4pXh:e6h9CJnOClOF+nWtoqHA2+jZz0i6//ou"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740273814",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "392ad94a-8810-49a6-9739-8ca1d192c4ca",
            "value": "90624"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740273814",
            "to_ids": true,
            "type": "vhash",
            "uuid": "dcc88df7-5d02-4a5f-90e9-d7ab852d178f",
            "value": "194076655d151515555az44!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740273814",
            "to_ids": true,
            "type": "filename",
            "uuid": "46ace22c-8c2c-49f8-9d41-feb793f0d756",
            "value": "fveapi.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  23/01/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740273814",
            "to_ids": false,
            "type": "text",
            "uuid": "0890384f-38c2-4d62-a848-9fbfbfb812d3",
            "value": "Dll Loader Stage 2 fveapi.dll\r\nType Description: Win32 DLL\n\nMicrosoft: Trojan:Win32/Mamson.A!ac\nVT Total Detection:52/72"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740274972",
        "uuid": "13bdc3c6-dd34-487c-a182-29ce85dc022f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Installer",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740274972",
            "to_ids": true,
            "type": "md5",
            "uuid": "338e2998-42bd-4f6c-b05b-143a671bb459",
            "value": "33694faf25f95b4c7e81d52d82e27e7b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Installer",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740274728",
            "to_ids": true,
            "type": "sha1",
            "uuid": "582ba539-8c4a-4a16-b7fb-1be31cc3adf9",
            "value": "92568d5606ec5cc531f8b13e9d3ce73947a06d0e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Installer",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740274728",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4803ee50-39cd-49ca-ab79-3eb6a0cb2a10",
            "value": "033a5845b9058e88594a15746fe191532e7dc5c6ebb1d4c2e633b2af664eb6e8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740273878",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "18cc85e3-5761-4de0-8274-b51539205e0a",
            "value": "1536:pjMMqsnC8O4kHKY7MztUhsgFsPAhP2bWU8TUyzsWLudc9dlQLhxrUpXeX87:pCsaM3ztUhsYGAhP2bD87CUutUxo"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740273878",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "9740f8b5-4c8d-40f8-b974-a4225314e9c1",
            "value": "97792"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740273878",
            "to_ids": true,
            "type": "vhash",
            "uuid": "0e70d0b4-e656-45eb-a3c7-bcf1a93ef388",
            "value": "194076655d155515051az49?z1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740273878",
            "to_ids": true,
            "type": "filename",
            "uuid": "6201d0eb-f363-45b7-9942-209e67b247cf",
            "value": "1.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  28/01/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740273878",
            "to_ids": false,
            "type": "text",
            "uuid": "0bd6fa49-0bbc-4e22-90a0-fe042977754e",
            "value": "Installer\r\nType Description: Win32 DLL\n\nMicrosoft: Trojan:Win32/Casdet!rfn\nVT Total Detection:55/72"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740274993",
        "uuid": "ade598e2-d83a-4d84-9346-d8503f0bda17",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740274993",
            "to_ids": true,
            "type": "md5",
            "uuid": "5aee1b00-0beb-4c63-83e6-9520a5319b84",
            "value": "832bb747262fed7bd45d88f28775bca6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740274729",
            "to_ids": true,
            "type": "sha1",
            "uuid": "1b706f1a-d911-42ec-9019-ceb9d9f0b812",
            "value": "e98c7ec89df0f773b51a94eb64365e7db1a6ea8d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740274729",
            "to_ids": true,
            "type": "sha256",
            "uuid": "3ee06b52-3df1-4edc-b9be-66cf9b6f5d0e",
            "value": "d5863435af5310d2f5fe5cb83e6a0769011696c3cc163673341cb3ea1a6f5ebe",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740273900",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "611bee37-7649-4d2b-9da8-625da99374cb",
            "value": "1536:wF+nm3fdovSYdrQSqTbZlrGTo60INllxhChywEMijTULsW4dc9dlg9SbfTHYy:wF+na+vSXSqTNlrUB/lxhChyBRjQAU6S"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740273900",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "fe26f93c-aaa4-4eed-8f47-32f519b31853",
            "value": "94208"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740273900",
            "to_ids": true,
            "type": "vhash",
            "uuid": "ee50bb8c-7254-4b36-9e3f-9491882856f1",
            "value": "094066655d1515151az49!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740273900",
            "to_ids": true,
            "type": "filename",
            "uuid": "0386fce8-3a0e-4e5c-a2bb-c83bcd28cc61",
            "value": "\u0422\u0435\u0445\u0438\u043d\u0441\u0442\u0440 egov - \u0413\u0426\u041f - \u0410\u043a\u0440\u0430\u043c\u043e\u0432.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  08/05/2024",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740273900",
            "to_ids": false,
            "type": "text",
            "uuid": "d48ff912-571c-4c13-a33f-afb9b1f419d0",
            "value": "Loader\r\nType Description: Win32 EXE\n\nMicrosoft: Trojan:Win32/Multiverze\nVT Total Detection:51/73"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740275014",
        "uuid": "26b6727c-d5a4-45b1-b67f-b61ff04ac7a2",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740275014",
            "to_ids": true,
            "type": "md5",
            "uuid": "f991ae5d-e193-48fe-a932-dc697e7bcf56",
            "value": "8fb70ba9b7e5038710b258976ea97c98",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740274731",
            "to_ids": true,
            "type": "sha1",
            "uuid": "b87b8802-0abd-4dba-9728-2712d0bf855d",
            "value": "f89b1cb4514806e099bb38b0477ec0f37f6a01bf",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740274731",
            "to_ids": true,
            "type": "sha256",
            "uuid": "cb5a4492-a1f8-40ab-8c7a-2b8fdb86db7a",
            "value": "2b0e66bb1a4877cfe650a027754e18085d0e34ab73025d9458e6136560120ec5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740273921",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "ff3a7bf6-8fc7-4b2f-9702-74e36894d0e7",
            "value": "1536:sF+nm3fdovSYdrQSqTbZlrGTo60INllxhChywEMijTULsW4dc9dlg8SbfTHYy:sF+na+vSXSqTNlrUB/lxhChyBRjQAUzS"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740273921",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "0f6ee094-50f6-4c15-9159-1f2bad47df5c",
            "value": "95232"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740273921",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d337a3b1-c817-4349-a89d-dd3c48f210f2",
            "value": "094066655d1515151az49!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740273921",
            "to_ids": true,
            "type": "filename",
            "uuid": "9ca5f205-e4eb-4e8f-900b-789e3c007a53",
            "value": "28.09.2021. \u0423\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435 \u0418\u0420 \u0438 \u0418\u0421.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  15/02/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740273921",
            "to_ids": false,
            "type": "text",
            "uuid": "62fc8008-864a-418b-8526-20989ef43bdb",
            "value": "Loader\r\nType Description: Win32 EXE\n\nMicrosoft: Trojan:Win32/Sabsik.FL.B!ml\nVT Total Detection:56/72"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740275036",
        "uuid": "dbe113a1-c232-479a-b3b2-dead85421d79",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740275036",
            "to_ids": true,
            "type": "md5",
            "uuid": "4386a7ff-1319-44e5-aa81-090dfde55b5b",
            "value": "ee881e0e8b496bb62ed0b699f63ce7a6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740274732",
            "to_ids": true,
            "type": "sha1",
            "uuid": "60dfc775-fd5e-4679-8fb1-a1e8c48049a1",
            "value": "66687169db9406e13d0c1d51785890fefc1ac37b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740274732",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f85ae7bc-ee98-4838-ac34-25ea6ad1686a",
            "value": "7e85f7afeac89957c10309bc3cf9155f1a126de3670a3162e333329bc3a4caa9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740273943",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "7b56f05f-d53e-447c-af48-e3134cde39be",
            "value": "1536:ZF+nm3fdovSYdrQSqTbZlrGTo60INllxhChywEMijTULsW4dc9dlgbSbfTHYy:ZF+na+vSXSqTNlrUB/lxhChyBRjQAUAS"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740273943",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "15ebd639-9c72-4fb7-9132-7140ad57583b",
            "value": "97536"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740273943",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d6a1d454-73c1-4523-86a5-c1a1efdaeb9a",
            "value": "094066655d1515151az49!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740273943",
            "to_ids": true,
            "type": "filename",
            "uuid": "074e5143-a24c-48d2-99bf-dd533d78c167",
            "value": "7e85f7afeac89957c10309bc3cf9155f1a126de3670a3162e333329bc3a4caa9.bin"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  27/01/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740273943",
            "to_ids": false,
            "type": "text",
            "uuid": "31e1b5b7-649e-4d9b-902c-1a332992216c",
            "value": "Loader\r\nType Description: Win32 EXE\n\nMicrosoft: Trojan:Win32/Casdet!rfn\nVT Total Detection:57/72"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740275057",
        "uuid": "436410f8-38f3-424b-95b8-366f71b69b76",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740275057",
            "to_ids": true,
            "type": "md5",
            "uuid": "c3a3574a-020b-4421-b234-5e1f14023886",
            "value": "ae5d2cef136ac1994b63c7f8d95c9c84",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740274734",
            "to_ids": true,
            "type": "sha1",
            "uuid": "37aadc20-285c-46c9-98c8-75a6cd0dee4f",
            "value": "caaf9e7afe82d2ee97135dd97b84300890a75819",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740274734",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1dd9e89b-f445-4e73-b230-4ca8f5ffab8a",
            "value": "0a43b690b6c63c853ecc1dfd34af36f83099a07b0daf3c98c94cec402f91ad3c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740273964",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e4770a37-1cf5-4e96-9af8-14d3092660ab",
            "value": "1536:ZkUh3v97fewOibO/mEi6vIbpt72/c3+D1mcOg5Q9sWSudc9dlQ9R/1I2s:ZkUlfe6ODigIbpAc3+ROdHUex1I2"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740273964",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f5ec46e5-0cad-4f20-acda-11e05b96da99",
            "value": "97792"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740273964",
            "to_ids": true,
            "type": "vhash",
            "uuid": "e3c849e4-af81-469c-a057-defcd860e927",
            "value": "194076655d155515551028z4c?z1"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  08/05/2024",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740273964",
            "to_ids": false,
            "type": "text",
            "uuid": "e33b56a1-3919-4b1d-bc15-3a1d22bb5d70",
            "value": "Loader\r\nType Description: Win32 DLL\n\nMicrosoft: Trojan:Win32/Casdet!rfn\nVT Total Detection:43/73"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740275078",
        "uuid": "0f56817e-9741-40d8-bc7a-e102a2ad6bc0",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740275078",
            "to_ids": true,
            "type": "md5",
            "uuid": "7e4c6cb7-b42e-4a0e-b72f-c020a319f6d8",
            "value": "5c3bf5d7c3a113ee495e967f236ab614",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740274735",
            "to_ids": true,
            "type": "sha1",
            "uuid": "a6939ece-b199-4fc8-9ec1-28010e833ff6",
            "value": "3c159cd8614f2226e114c83c6e9224320f37d86c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740274735",
            "to_ids": true,
            "type": "sha256",
            "uuid": "e56d0642-b377-44e0-b85a-a2b591b567b3",
            "value": "be34b508eaf7d58f853fc912d43b0b51e6b963726742e383c2a8b2b0828a736f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740273985",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c1c8d3e0-69c1-49eb-9235-176577421bf5",
            "value": "1536:EQcDq/WvSjWF8V5IwNnQ4Rtj9nBtb9DeMOg5Q9sWSudc9dlQMy1j17GI0+:EvDq/WvSTYsnQ4RTBtb9HOdHUXy15V"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740273985",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "675c40d2-ba91-443c-b939-4dd8179fc988",
            "value": "100352"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740273985",
            "to_ids": true,
            "type": "vhash",
            "uuid": "cd0cf7ad-114e-4e8f-9488-09e18750b5a4",
            "value": "115066655d1555151028z4c?z1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740273985",
            "to_ids": true,
            "type": "filename",
            "uuid": "2c9810a9-0388-4bb3-90c1-753fc091dad5",
            "value": "System.Core.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  08/05/2024",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740273985",
            "to_ids": false,
            "type": "text",
            "uuid": "5a1a8ad5-ff79-44f1-bcd6-95574dbe45bd",
            "value": "Loader\r\nType Description: Win32 DLL\n\nMicrosoft: Trojan:Win32/Casdet!rfn\nVT Total Detection:49/73"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740275099",
        "uuid": "94cb3189-e8c3-463c-885a-d06f05afcb8a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740275099",
            "to_ids": true,
            "type": "md5",
            "uuid": "a9b1946e-929f-46c9-88fb-7d1fdc7947ea",
            "value": "bde2073dea3a0f447eeb072c7e568ee7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740274736",
            "to_ids": true,
            "type": "sha1",
            "uuid": "450f8e11-d4c1-4d60-8ed0-daf212283b06",
            "value": "21a52a33e10303a2a0c517452bbec81cdb99568f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740274736",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1ff956dc-946b-4fd4-a088-9c82b91cbcd8",
            "value": "1fbe4fbdfe524eae20528ac37d68fa2de87d09b0a6147d86347e67cbae9eaa2b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740274007",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "565782d1-90fe-4643-8f0e-ea79df5dbb7a",
            "value": "3072:a6+ATicFIW2K3l4fCGnpVzPgTwV9F1VdpR8yFzUvs0BUTW:XTiBbil4fxnpVzPgTw9pFNEoW"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740274007",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b5c5346f-0a41-4273-95e1-3ef4cd8d0f93",
            "value": "107008"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740274007",
            "to_ids": true,
            "type": "vhash",
            "uuid": "396b6c90-9c9f-41d9-b4a0-92b608769fe1",
            "value": "115066655d1515151058z4a7z106sz1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740274007",
            "to_ids": true,
            "type": "filename",
            "uuid": "0cab943e-eb4b-4797-ac1b-75805056f355",
            "value": "wabext.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  09/02/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740274007",
            "to_ids": false,
            "type": "text",
            "uuid": "8e251a3d-790e-4021-8682-53f46a8f89dc",
            "value": "Loader\r\nType Description: Win32 DLL\n\nMicrosoft: Trojan:Win32/Casdet!rfn\nVT Total Detection:42/71"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1740275120",
        "uuid": "35c046f4-7b03-415b-93f2-38d0e6f73bf3",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1740275120",
            "to_ids": true,
            "type": "md5",
            "uuid": "e3d7b54c-991f-4490-8892-28b9d2116a35",
            "value": "350313b5e1683429c9ffcbc0f7aebf3b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1740274738",
            "to_ids": true,
            "type": "sha1",
            "uuid": "29e1cbce-4601-4285-bb2f-c3f739ee0ac1",
            "value": "632debeb48d4f119cf3e1d24aa00ab23afa04609",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1740274738",
            "to_ids": true,
            "type": "sha256",
            "uuid": "6ea24b5d-0a06-4531-935e-4bed79ad993d",
            "value": "e9bd74e4609cdcaf77e191628ccde2124be03a8daf38f1615df6fe7d096b0fba",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1740274028",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d6584945-10c2-453f-8ad5-e37d0913717d",
            "value": "3072:D3yIq+ZziHJtm8WoTW8JIg6OoZ8hzPgTyxOvdTntPge:D3q+Zmj6kNJ5oZ8hzPgTFtP"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1740274028",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "554c7a8c-19ba-4ccf-8e85-adb4b12c2f97",
            "value": "130560"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1740274028",
            "to_ids": true,
            "type": "vhash",
            "uuid": "46f2da13-1011-49a5-aa28-b15eb384472c",
            "value": "115066655d1555151068z487z106sz2"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1740274028",
            "to_ids": true,
            "type": "filename",
            "uuid": "e8cc9892-965f-45bb-97d4-50a671ec8a32",
            "value": "rcdll.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/02/2025\nLast-scan\t:  28/01/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1740274028",
            "to_ids": false,
            "type": "text",
            "uuid": "9bbb2488-7ba1-434b-afcc-c5f6a73d03a8",
            "value": "Loader\r\nType Description: Win32 DLL\n\nMicrosoft: Trojan:Win32/Casdet!rfn\nVT Total Detection:50/72"
          }
        ]
      }
    ]
  }
}