{ "Event": { "analysis": "1", "date": "2026-04-02", "extends_uuid": "", "info": "[Threat Intel] Cisco Talos: Qilin EDR killer infection chain", "protected": false, "publish_timestamp": "1775975030", "published": true, "threat_level_id": "2", "timestamp": "1775975030", "uuid": "25e5f461-2c64-43d8-9a1c-fdb8b283339e", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#7c6ad9", "local": false, "name": "misp-galaxy:producer=\"Cisco Talos Intelligence Group\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:ransomware=\"Qilin\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#110041", "local": false, "name": "rectifyq:sub-category=\"malware-analysis\"", "relationship_type": "" }, { "colour": "#f1dfed", "local": false, "name": "rectifyq:TA-category=\"Ransomware\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775185211", "to_ids": false, "type": "link", "uuid": "fdfcfc2f-5ac0-41cd-9b68-31dede31b4bb", "value": "https://blog.talosintelligence.com/qilin-edr-killer/" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1775185211", "to_ids": false, "type": "text", "uuid": "c1665531-5a79-4733-8525-aa664a071da7", "value": "Endpoint detection and response (EDR) tools are widely deployed and far more capable than traditional antivirus. As a result, attackers use EDR killers to disable or bypass them. The malicious \u201cmsimg32.dll\u201d used in Qilin ransomware attacks, which is a multi-stage infection chain targeting EDR systems. It can terminate over 300 different EDR drivers from almost every vendor in the market." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1775185211", "to_ids": false, "type": "text", "uuid": "17f7661c-be98-49d8-ae15-5ccf83896202", "value": "Name: Cisco Talos: Qilin EDR killer infection chain\nAuthor: AlienVault\nAdversary: \nTags: []\nTgtd countries: []\nMlwr families: []\nAttack_ids: []\nIndustries: []" }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:12/04/2026", "deleted": false, "disable_correlation": false, "timestamp": "1775973312", "to_ids": true, "type": "md5", "uuid": "f2ae440a-22da-4b38-b6b1-7ad95e9ee588", "value": "05aa031a007e2f51e3f48ae2ed1e1fcb", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:12/04/2026", "deleted": false, "disable_correlation": false, "timestamp": "1775973313", "to_ids": true, "type": "md5", "uuid": "a1b55c1d-f64b-4dcf-906a-3134a87c7d7c", "value": "1305e8b0f9c459d5ed85e7e474fbebb1", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:12/04/2026", "deleted": false, "disable_correlation": false, "timestamp": "1775973314", "to_ids": true, "type": "sha1", "uuid": "47d14d95-140e-4649-8c81-436fd907a01d", "value": "84e2d2084fe08262c2c378a377963a1482b35ac5", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:12/04/2026", "deleted": false, "disable_correlation": false, "timestamp": "1775973316", "to_ids": true, "type": "sha256", "uuid": "dc1d8e55-388c-46fc-a599-80e684213b34", "value": "12fcde06ddadf1b48a61b12596e6286316fd33e850687fe4153dfd9383f0a4a0", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1775973646", "uuid": "b5865329-2f4b-437d-a474-ca2f52dd28b3", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1775973646", "to_ids": true, "type": "md5", "uuid": "633275ed-94c4-4843-84f7-f7f6df38c760", "value": "6bc8e3505d9f51368ddf323acb6abc49", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1775973309", "to_ids": true, "type": "sha1", "uuid": "756a903f-2af5-4644-9602-895a4a78c396", "value": "82ed942a52cdcf120a8919730e00ba37619661a3", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1775973309", "to_ids": true, "type": "sha256", "uuid": "f5a8c29b-990e-46e1-a343-39ad18753de3", "value": "16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1775972624", "to_ids": true, "type": "ssdeep", "uuid": "4d4ffcac-296e-43df-8a05-c7f60c0956e5", "value": "768:NtYC8ntVFJD/i4iW4cTzmwi28O3zuv2fT8aKgrEfp33bcmKg:N38tVIdQ3bT8aGftL/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1775972624", "to_ids": false, "type": "size-in-bytes", "uuid": "de0940f5-20cd-40b4-b360-a19a3f577ef7", "value": "50216" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1775972624", "to_ids": true, "type": "vhash", "uuid": "9985b8e9-fd52-46f2-b4b4-757260139039", "value": "054086651d151666151519z26z33xz" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1775972624", "to_ids": true, "type": "filename", "uuid": "86677d2f-bfc1-41e9-8e3a-1e122ba33a4d", "value": "ThrottleStop.sys" }, { "category": "Other", "comment": "Checked: 12/04/2026\nLast-scan\t: 11/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1775972624", "to_ids": false, "type": "text", "uuid": "6a103978-46c1-4c3e-80bd-020ca805cae4", "value": "Type Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:7/72\nFirst Submission:2020-10-19T10:49:19.000000+00:00\nLast Submission:2026-04-10T14:20:18.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1775973667", "uuid": "9ec5c965-99e5-4747-a443-297d4be82307", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1775973667", "to_ids": true, "type": "md5", "uuid": "63b0cdb7-339a-431a-b145-2459366cd4a9", "value": "89ee7235906f7d12737679860264feaf", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1775973310", "to_ids": true, "type": "sha1", "uuid": "edbe8d60-53f1-4688-a2b4-8a3d63dd3663", "value": "01d00d3dd8bc8fd92dae9e04d0f076cb3158dc9c", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1775973310", "to_ids": true, "type": "sha256", "uuid": "7d150525-c965-43fc-bc57-84e222149817", "value": "7787da25451f5538766240f4a8a2846d0a589c59391e15f188aa077e8b888497", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1775972646", "to_ids": true, "type": "ssdeep", "uuid": "75fdf538-2888-455a-b662-2b03840adc13", "value": "24576:7w30257mOMMo6vaQKiif4GbPdus2NuLjQdBvQZ:U30C7mOL+H4s+dBo" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1775972646", "to_ids": false, "type": "size-in-bytes", "uuid": "e98332c0-cd53-4eb3-aea1-3289f7c12521", "value": "1518080" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1775972646", "to_ids": true, "type": "vhash", "uuid": "449c93b2-7f82-4eac-9304-71322dbb4cb6", "value": "116066555d55551516z14003b6z1dz1fz5" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1775972646", "to_ids": true, "type": "filename", "uuid": "8ae30e47-2687-46e3-b512-03e5600dc5f2", "value": "Benjaminite" }, { "category": "Other", "comment": "Checked: 12/04/2026\nLast-scan\t: 10/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1775972646", "to_ids": false, "type": "text", "uuid": "f904dee5-8633-42d5-adcb-9bb300230130", "value": "Type Description: Win32 DLL\nMicrosoft: Trojan:Win64/BumbleBee.CA!MTB\nVT Total Detection:51/72\nFirst Submission:2025-06-25T01:07:53.000000+00:00\nLast Submission:2025-06-25T01:07:53.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1775973689", "uuid": "17bca9ff-030f-4c16-be1a-0dbd6dab4523", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1775973689", "to_ids": true, "type": "md5", "uuid": "17643e01-35c5-454a-ab72-7ae6ee89e929", "value": "cf7cad39407d8cd93135be42b6bd258f", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1775973311", "to_ids": true, "type": "sha1", "uuid": "b5957452-795c-47b1-a3df-6f053d6d03c0", "value": "ce1b9909cef820e5281618a7a0099a27a70643dc", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1775973311", "to_ids": true, "type": "sha256", "uuid": "80fd81b0-7000-4778-9c64-52f9eea81b66", "value": "bd1f381e5a3db22e88776b7873d4d2835e9a1ec620571d2b1da0c58f81c84a56", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1775972668", "to_ids": true, "type": "ssdeep", "uuid": "94f181c5-5428-464e-b1c3-a31b8b6b9775", "value": "96:g1GijRwRYg+2XxCKaNgSHWj7H1CT430C0CGTFD:g1ljRwqg+8ggYc71CT430ClGT9" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1775972668", "to_ids": false, "type": "size-in-bytes", "uuid": "67fc1d84-04f5-4312-ad0c-e934a2fdc7b6", "value": "9216" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1775972668", "to_ids": true, "type": "vhash", "uuid": "d6709842-e785-48ef-9252-ebf2d9d07729", "value": "093066551d1516151iz14xz" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1775972668", "to_ids": true, "type": "filename", "uuid": "a29b2349-723d-436f-a5d7-2a355272ca04", "value": "hlpdrv.sys.sample" }, { "category": "Other", "comment": "Checked: 12/04/2026\nLast-scan\t: 09/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1775972668", "to_ids": false, "type": "text", "uuid": "fea7cc9a-122f-4428-9e5f-41eec8140e4a", "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/VulnDriver.VGZ!MTB\nVT Total Detection:55/72\nFirst Submission:2025-04-09T11:37:58.000000+00:00\nLast Submission:2026-04-10T02:35:33.000000+00:00" } ] } ] } }