{ "Event": { "analysis": "2", "date": "2022-09-06", "extends_uuid": "", "info": "[Threat Intel] Worok: The big picture", "protected": false, "publish_timestamp": "1780040006", "published": true, "threat_level_id": "1", "timestamp": "1780040006", "uuid": "e60b03e4-6fdb-44a6-b237-da64fc86ec53", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#8675c7", "local": false, "name": "misp-galaxy:producer=\"ESET\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:region=\"018 - Southern Africa\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:region=\"030 - Eastern Asia\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:region=\"035 - South-eastern Asia\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Bank\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Energy\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Government, Administration\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Maritime\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Telecoms\"", "relationship_type": "" }, { "colour": "#c55f42", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Archive via Library - T1560.002\"", "relationship_type": "" }, { "colour": "#08b028", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Asymmetric Cryptography - T1573.002\"", "relationship_type": "" }, { "colour": "#68f2ff", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"", "relationship_type": "" }, { "colour": "#a92e1c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Digital Certificates - T1587.003\"", "relationship_type": "" }, { "colour": "#82eae0", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Domains - T1583.001\"", "relationship_type": "" }, { "colour": "#a9f8b1", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Exploits - T1588.005\"", "relationship_type": "" }, { "colour": "#0c0051", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Hardware - T1592.001\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"IP Addresses - T1590.005\"", "relationship_type": "" }, { "colour": "#c295b4", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Internal Proxy - T1090.001\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Malware - T1587.001\"", "relationship_type": "" }, { "colour": "#eadc12", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Name or Location - T1036.005\"", "relationship_type": "" }, { "colour": "#50bd28", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Network Service Discovery - T1046\"", "relationship_type": "" }, { "colour": "#e12cbc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Non-Application Layer Protocol - T1095\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Non-Standard Encoding - T1132.002\"", "relationship_type": "" }, { "colour": "#755c09", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Server - T1583.004\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Software - T1592.002\"", "relationship_type": "" }, { "colour": "#bb2745", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Standard Encoding - T1132.001\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Steganography - T1001.002\"", "relationship_type": "" }, { "colour": "#7d7034", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"", "relationship_type": "" }, { "colour": "#1a8d0c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Time Discovery - T1124\"", "relationship_type": "" }, { "colour": "#6fe7f4", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Tool - T1588.002\"", "relationship_type": "" }, { "colour": "#92e858", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"", "relationship_type": "" }, { "colour": "#fe1ef0", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Shell - T1505.003\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#10003d", "local": false, "name": "rectifyq:sub-category=\"TA-profile\"", "relationship_type": "" }, { "colour": "#d92121", "local": false, "name": "rectifyq:target=\"targeted\"", "relationship_type": "" }, { "colour": "#fdcb58", "local": false, "name": "rectifyq:MY-relevancy=\"somewhat-relevant\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-original-src\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:threat-actor=\"TA428\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:threat-actor=\"Worok\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1740758524", "to_ids": false, "type": "link", "uuid": "a2ff9d0a-5d4a-45b9-86e4-253a4b4230e1", "value": "https://www.welivesecurity.com/2022/09/06/worok-big-picture/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1740758823", "to_ids": false, "type": "vulnerability", "uuid": "4193d87b-f6e8-4659-b139-c6010b797d60", "value": "CVE-2021-34523" }, { "category": "Payload delivery", "comment": "PowHeartBeat 2.1.3.0003. No sample in VT\r\nLast check:09/05/2025", "deleted": false, "disable_correlation": false, "timestamp": "1746791824", "to_ids": true, "type": "sha1", "uuid": "d4655258-7a51-4de1-9b1e-c7d53b434211", "value": "757aba12d04fd1167528fdd107a441d11cd8c427", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "On port 443", "deleted": false, "disable_correlation": false, "timestamp": "1740758823", "to_ids": true, "type": "ip-dst|port", "uuid": "2137db1f-f1d3-41d3-ad16-9d2ab5bc172d", "value": "118.193.78.22|443" }, { "category": "Payload delivery", "comment": "PowHeartBeat 2.4.3.0003. No sample in VT\r\nLast check:09/05/2025", "deleted": false, "disable_correlation": false, "timestamp": "1746791826", "to_ids": true, "type": "sha1", "uuid": "15d5088e-fcd1-4b31-b368-479bd44769eb", "value": "3a47185d0735cdecf4c7c2299eb18401bfb328d5", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "PowHeartBeat 2.4.3.0003. No sample in VT\r\nLast check:09/05/2025", "deleted": false, "disable_correlation": false, "timestamp": "1746791827", "to_ids": true, "type": "sha1", "uuid": "7a01b37d-a2be-4263-89fa-6f8c7789a9d7", "value": "27abb54a858ad1c1ff2863913bda698d184e180d", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "PowHeartBeat 2.4.3.0003. No sample in VT\r\nLast check:09/05/2025", "deleted": false, "disable_correlation": false, "timestamp": "1746791828", "to_ids": true, "type": "sha1", "uuid": "65dd928d-a355-498f-8190-f3884ff07dee", "value": "678a131a9e932b9436241402d9727aa7d06a87e3", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "PowHeartBeat 1.1.3.0002. No sample in VT\r\nLast check:09/05/2025", "deleted": false, "disable_correlation": false, "timestamp": "1746791829", "to_ids": true, "type": "sha1", "uuid": "8cb4aeb8-7bc9-400a-bb22-0763b94a2963", "value": "54700a48d934676fc698675b4ca5f712c0373188", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "PowHeartBeat 1.1.3.0002. No sample in VT\r\nLast check:09/05/2025", "deleted": false, "disable_correlation": false, "timestamp": "1746791830", "to_ids": true, "type": "sha1", "uuid": "91b0ebd1-2bcb-4844-b408-1be4569e06a9", "value": "c2f53c138cb1b87d8fc9253a7088db30b25389af", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "PowHeartBeat 2.4.3.0004. No sample in VT\r\nLast check:09/05/2025", "deleted": false, "disable_correlation": false, "timestamp": "1746791831", "to_ids": true, "type": "sha1", "uuid": "91289ef9-b76f-4749-8bbc-5a21c9393c84", "value": "c2f1954de11f72a46a4e823de767210a3743b205", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "PowHeartBeat 2.1.3.0004. No sample in VT\r\nLast check:09/05/2025", "deleted": false, "disable_correlation": false, "timestamp": "1746791833", "to_ids": true, "type": "sha1", "uuid": "daadc0dc-f1c6-4ebd-a00c-870b2b9552bb", "value": "ce430a27df87a6952d732b4562a7c23bef4602d1", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "PowHeartBeat 2.4.3.0003. No sample in VT\r\nLast check:09/05/2025", "deleted": false, "disable_correlation": false, "timestamp": "1746791834", "to_ids": true, "type": "sha1", "uuid": "4b30aa8d-3ec7-4776-9980-dea0be512be8", "value": "ede5ab2b94ba85f28d5ee22656958e4ecd77b6ff", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "PNGLoader No sample in VT\r\nLast check:09/05/2025", "deleted": false, "disable_correlation": false, "timestamp": "1746791835", "to_ids": true, "type": "sha1", "uuid": "37f16a23-e67d-439f-99cb-f2296c0bf0b9", "value": "4721eeba13535d1ee98654efce6b43b778f13126", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "PNGLoader No sample in VT\r\nLast check:09/05/2025", "deleted": false, "disable_correlation": false, "timestamp": "1746791836", "to_ids": true, "type": "sha1", "uuid": "5225b2d2-533b-4ab7-b621-a7d5ddc28d88", "value": "728a6cb7a150141b4250659cf853f39bfdb7a46c", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "PNGLoader No sample in VT\r\nLast check:09/05/2025", "deleted": false, "disable_correlation": false, "timestamp": "1746791837", "to_ids": true, "type": "sha1", "uuid": "54ea9f69-913d-4d88-9f9e-dbd7e04b5452", "value": "864e55749d28036704b6ea66555a86527e02af4a", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "PNGLoader No sample in VT\r\nLast check:09/05/2025", "deleted": false, "disable_correlation": false, "timestamp": "1746791839", "to_ids": true, "type": "sha1", "uuid": "0bc47916-2868-41f6-ab1a-fae05ffd819d", "value": "8da6387f30c584b5fd3694a99ec066784209ca4c", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "PNGLoader No sample in VT\r\nLast check:09/05/2025", "deleted": false, "disable_correlation": false, "timestamp": "1746791840", "to_ids": true, "type": "sha1", "uuid": "848acef2-bc5b-45e4-b339-a81b91c25716", "value": "aa60fb4293530fbff00d200c0d44eeb1a17b1c76", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "PNGLoader No sample in VT\r\nLast check:09/05/2025", "deleted": false, "disable_correlation": false, "timestamp": "1746791841", "to_ids": true, "type": "sha1", "uuid": "f5a9aeb2-8ecb-42e7-a35b-f90a6c32a6df", "value": "cdb6b1cafee098615508f107814179deaed1ebcf", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "CLRLoad No sample in VT\r\nLast check:09/05/2025", "deleted": false, "disable_correlation": false, "timestamp": "1746791842", "to_ids": true, "type": "sha1", "uuid": "1f32e57d-3fcf-47cc-b2e7-26320aa8a9b0", "value": "4f9a43e6cf37ff20ae96e564c93898fda6787f7d", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "CLRLoad No sample in VT\r\nLast check:09/05/2025", "deleted": false, "disable_correlation": false, "timestamp": "1746791843", "to_ids": true, "type": "sha1", "uuid": "edd17604-7112-4838-8acf-ddb0de8f54c0", "value": "f181e87b0cd6aa4575fd51b9f868ca7b27240610", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "CLRLoad No sample in VT\r\nLast check:09/05/2025", "deleted": false, "disable_correlation": false, "timestamp": "1746791844", "to_ids": true, "type": "sha1", "uuid": "ed88a4ae-ba57-44eb-835a-460b2efc3587", "value": "4ccf0386bde80c339efe0cc734cb497e0b08049c", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "CLRLoad No sample in VT\r\nLast check:09/05/2025", "deleted": false, "disable_correlation": false, "timestamp": "1746791846", "to_ids": true, "type": "sha1", "uuid": "226d8566-016f-4713-b6a1-96ffa9c0f3e8", "value": "5cfc0d776af023dcfe8eded5cada03c6d7f9c244", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "CLRLoad No sample in VT\r\nLast check:09/05/2025", "deleted": false, "disable_correlation": false, "timestamp": "1746791846", "to_ids": true, "type": "sha1", "uuid": "44bdb640-2bfe-49e8-b0ea-18259e657759", "value": "05f19ebf6d46576144276090cc113c6ab8ccec08", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "CLRLoad No sample in VT\r\nLast check:09/05/2025", "deleted": false, "disable_correlation": false, "timestamp": "1746791847", "to_ids": true, "type": "sha1", "uuid": "8a2fb982-c91d-4f25-a7f0-1badaa4e915a", "value": "a5d548543d3c3037da67dc0da47214b2c2b15864", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "CLRLoad No sample in VT\r\nLast check:09/05/2025", "deleted": false, "disable_correlation": false, "timestamp": "1746791848", "to_ids": true, "type": "sha1", "uuid": "19bbebf7-488d-4737-b56d-a15ee0b4d26e", "value": "cbf42dcaf579af7e6055237e524c0f30507090f3", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1780040001", "to_ids": true, "type": "ip-dst", "uuid": "f51f27fd-e02d-43d3-865c-642f50d65891", "value": "118.193.78.22", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#c3a785", "local": false, "name": "asn:asn=\"135377\"", "relationship_type": "" }, { "colour": "#273bfe", "local": false, "name": "asn:as-owner=\"UCLOUD-HK-AS-AP UCLOUD INFORMATION TECHNOLOGY HK LIMITED\"", "relationship_type": "" }, { "colour": "#fbf8fb", "local": false, "name": "asn:as-country=\"HK\"", "relationship_type": "" }, { "colour": "#daa28c", "local": false, "name": "misp-galaxy:country=\"hong kong\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1780040003", "to_ids": true, "type": "ip-dst", "uuid": "f26dd4fb-e549-4ca2-bbf5-ef2c27a32b8c", "value": "118.193.78.57", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#c3a785", "local": false, "name": "asn:asn=\"135377\"", "relationship_type": "" }, { "colour": "#273bfe", "local": false, "name": "asn:as-owner=\"UCLOUD-HK-AS-AP UCLOUD INFORMATION TECHNOLOGY HK LIMITED\"", "relationship_type": "" }, { "colour": "#fbf8fb", "local": false, "name": "asn:as-country=\"HK\"", "relationship_type": "" }, { "colour": "#daa28c", "local": false, "name": "misp-galaxy:country=\"hong kong\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1747020226", "to_ids": true, "type": "hostname", "uuid": "9115335e-eec2-4a5f-85e0-f003dfdfe051", "value": "airplane.travel-commercials.agency", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1780040004", "to_ids": true, "type": "ip-dst", "uuid": "bf58076c-8c4b-4017-ba89-34c9a1556f20", "value": "5.183.101.9", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#15dbfe", "local": false, "name": "asn:asn=\"212238\"", "relationship_type": "" }, { "colour": "#1f1556", "local": false, "name": "asn:as-owner=\"CDNEXT\"", "relationship_type": "" }, { "colour": "#e1449b", "local": false, "name": "asn:as-country=\"GB\"", "relationship_type": "" }, { "colour": "#b7c1b9", "local": false, "name": "misp-galaxy:country=\"united kingdom\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1747020268", "to_ids": true, "type": "hostname", "uuid": "281eaa61-6731-43af-98fb-fe58a1797145", "value": "central.suhypercloud.org", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1780040006", "to_ids": true, "type": "ip-dst", "uuid": "7a8149f4-3968-4bd2-8809-7eff1f4746ff", "value": "45.77.36.243", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#133012", "local": false, "name": "asn:asn=\"20473\"", "relationship_type": "" }, { "colour": "#650025", "local": false, "name": "asn:as-owner=\"AS-VULTR\"", "relationship_type": "" }, { "colour": "#d16c37", "local": false, "name": "asn:as-country=\"US\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:country=\"united states of america\"", "relationship_type": "" } ] }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1747019426", "to_ids": false, "type": "mutex", "uuid": "1c228895-d287-4a5a-b083-7fb5cf37f6ec", "value": "Wo0r0KGWhYGO" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1747019454", "to_ids": false, "type": "mutex", "uuid": "875bcbeb-a6f1-4b41-bfd6-c0c3d990d47b", "value": "oERiQtKLgPgK" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1747019454", "to_ids": false, "type": "mutex", "uuid": "48c3cf13-0439-49b4-9c6b-2b0afb984624", "value": "zYCLBWekRX3t" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1747019454", "to_ids": false, "type": "mutex", "uuid": "c3e817f5-c0a2-4aa2-bc8f-df689731fd00", "value": "aB82UduGX0EX" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1747019454", "to_ids": false, "type": "mutex", "uuid": "282c61b5-16c9-48df-9eab-92895fd8ad23", "value": "U37uxsCsA4Xm" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1747019454", "to_ids": false, "type": "mutex", "uuid": "e60f5a87-6161-43dd-a3e6-910b310ef3be", "value": "xBUjQR2vxYTz" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1747019454", "to_ids": false, "type": "mutex", "uuid": "f15e35e9-d80c-4c86-8efe-ac7f362aa665", "value": "Mr2PJVxbIBD4" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1747019454", "to_ids": false, "type": "mutex", "uuid": "544f889d-9ee6-46c4-a309-6d12688399bb", "value": "ad8TbUIZl5Ga" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1747019454", "to_ids": false, "type": "mutex", "uuid": "7f566560-1cfd-4d7d-8f6a-5684eda16e06", "value": "9xvzMsaWqxMy" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1747019454", "to_ids": false, "type": "mutex", "uuid": "b2852ac4-1b04-4d85-9126-c265e470b4d6", "value": "3c3401ad-e77d-4142-8db5-8eb5483d7e41" } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1747981510", "uuid": "460d0259-6ba4-4fb0-9f9b-4b0a0fcc8a5b", "Attribute": [ { "category": "Payload delivery", "comment": "PNGLoader", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1747981510", "to_ids": true, "type": "md5", "uuid": "c90324b1-f021-4a35-830c-67717805cb28", "value": "047cb0a376094509219c9f56359f92b9", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "PNGLoader", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1746760748", "to_ids": true, "type": "sha1", "uuid": "6729a39e-c57d-4e61-b978-512dd0f20c12", "value": "b2eaec695dd8bb518c7e24c4f37a08344d6975be", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "PNGLoader", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1746760749", "to_ids": true, "type": "sha256", "uuid": "bd1c5977-db6a-4866-a513-b9263fb00586", "value": "abf4924189449f138e2c317801980bf678fcf41dc3439da1165b0e0bc0338b5e", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1746760748", "to_ids": true, "type": "ssdeep", "uuid": "36edb29d-e34f-4e56-affb-b06ee7f57fb0", "value": "1536:YzujvFNGb79sxFCRW0H8sGNZtPNNGWi30wr0Ck01OrlTSwAp3H0qO:YzmQJUu7H8dNHz60wHfOrWH0X" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1746760748", "to_ids": false, "type": "size-in-bytes", "uuid": "4c334f51-69ba-4d21-a35e-76724646986f", "value": "115200" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1746760748", "to_ids": true, "type": "vhash", "uuid": "1a22ea5a-f32f-43bf-ba64-5c58073f4065", "value": "3150465d55151f0b72361030" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1746760748", "to_ids": true, "type": "filename", "uuid": "d20a34ac-b779-4923-b588-744296f69b2e", "value": "msvbvm80.dll" }, { "category": "Other", "comment": "Checked: 09/05/2025\nLast-scan\t: 21/04/2025", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1746760748", "to_ids": false, "type": "text", "uuid": "e05f4276-1a98-49f2-8e42-7f2ed2a94cbf", "value": "PNGLoader\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Casdet!rfn\nVT Total Detection:45/72\nFirst Submission:2020-11-28T12:20:13.000000+00:00\nLast Submission:2024-03-23T20:23:22.000000+00:00" } ] } ] } }