{
  "Event": {
    "analysis": "1",
    "date": "2026-04-29",
    "extends_uuid": "",
    "info": "[Threat Intel] DDoS-for-Hire Operation Exposed: How an Operator's Debug Build Unraveled a Commercial Game-Server Botnet",
    "protected": false,
    "publish_timestamp": "1779545861",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1779545861",
    "uuid": "2df90aee-926c-4841-8ede-7ec1132546d2",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#cf6788",
        "local": false,
        "name": "misp-galaxy:producer=\"Hunt.io\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#7da4ad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#ff841f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"",
        "relationship_type": ""
      },
      {
        "colour": "#f5a258",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"",
        "relationship_type": ""
      },
      {
        "colour": "#9feaf0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
        "relationship_type": ""
      },
      {
        "colour": "#4e866e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Traffic Signaling - T1205\"",
        "relationship_type": ""
      },
      {
        "colour": "#423494",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify System Firewall - T1562.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#280b0e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"External Proxy - T1090.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#62f4c1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"",
        "relationship_type": ""
      },
      {
        "colour": "#7adb57",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploitation of Remote Services - T1210\"",
        "relationship_type": ""
      },
      {
        "colour": "#7628f7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Unix Shell - T1059.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#f07d7c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Non-Standard Port - T1571\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Hidden Window - T1564.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#30cc3b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#c615e8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scanning IP Blocks - T1595.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#3c0f50",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#40fad1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Fallback Channels - T1008\"",
        "relationship_type": ""
      },
      {
        "colour": "#056f2e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Linux and Mac File and Directory Permissions Modification - T1222.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Service Exhaustion Flood - T1499.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Application Exhaustion Flood - T1499.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#3909cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Automated Collection - T1119\"",
        "relationship_type": ""
      },
      {
        "colour": "#790faf",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Direct Network Flood - T1498.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Domain Generation Algorithms - T1568.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted/Encoded File - T1027.013\"",
        "relationship_type": ""
      },
      {
        "colour": "#b2a633",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Service Stop - T1489\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      },
      {
        "colour": "#220082",
        "local": false,
        "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777546806",
        "to_ids": false,
        "type": "link",
        "uuid": "b2beb495-d3a0-4d3f-8e18-9ccd275d6a97",
        "value": "https://hunt.io/blog/xlabs-v1-ddos-for-hire-operation-exposed"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777546806",
        "to_ids": false,
        "type": "text",
        "uuid": "3dbf161c-d6a4-4901-ba2d-e1226dc09f76",
        "value": "An exposed open directory on a Netherlands-hosted server revealed the complete operational toolkit of xlabs_v1, a Mirai-derived IoT botnet operated by an actor using the handle Tadashi. The operation provides DDoS-for-hire services specifically targeting game servers and Minecraft hosts through 21 distinct flood attack variants. The botnet exploits Android Debug Bridge (ADB) on TCP/5555 to compromise IoT devices, drawing on a population of over 4 million potentially vulnerable devices including Android TV boxes, smart TVs, and routers. The operation features bandwidth profiling to price-tier infected devices, ChaCha20 string encryption with cryptographic weaknesses, and competitor-eradication routines. Infrastructure analysis consolidated the entire operation within a single bulletproof /24 netblock in the Netherlands, with co-located cryptojacking infrastructure also identified."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777546806",
        "to_ids": false,
        "type": "text",
        "uuid": "9cc7a331-35d5-47df-96ab-c9a35a8df3ee",
        "value": "Name: DDoS-for-Hire Operation Exposed: How an Operator's Debug Build Unraveled a Commercial Game-Server Botnet\nAuthor: AlienVault\nAdversary: Tadashi\nTags: [\"minecraft\", \"game server targeting\", \"ddos-for-hire\", \"mirai-derived\", \"vltrig\", \"xlabs_v1\", \"mirai\", \"bandwidth profiling\", \"iot botnet\", \"adb exploitation\"]\nTgtd countries: []\nMlwr families: [\"xlabs_v1\", \"Mirai\", \"VLTRig\"]\nAttack_ids: [\"T1222.002\", \"T1036.005\", \"T1082\", \"T1071\", \"T1106\", \"T1190\", \"T1205\", \"T1562.004\", \"T1090.002\", \"T1057\", \"T1210\", \"T1059.004\", \"T1571\", \"T1564.003\", \"T1070.004\", \"T1595.001\", \"T1027.002\", \"T1105\", \"T1008\"]\nIndustries: [\"Hospitality\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777546806",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "7007c564-13e2-4be7-af50-de00457e785d",
        "value": "Tadashi"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777689490",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "bd3dbe6b-0b21-44aa-9472-77424dff42e5",
        "value": "176.65.139.134",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:02/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545851",
        "to_ids": true,
        "type": "md5",
        "uuid": "9eba1406-591e-4896-94f4-5202a4829248",
        "value": "5c3468e3c7a535b74fa91927fb1572d8",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:02/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545853",
        "to_ids": true,
        "type": "sha1",
        "uuid": "e59397bc-d309-4da1-9816-52fefaa02fb6",
        "value": "98182f78f2ee76f3dffa58c268dd9e653c711ce5",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:02/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545855",
        "to_ids": true,
        "type": "sha256",
        "uuid": "5239b1f2-72fa-47a1-a9ac-d0adef35f045",
        "value": "079ae4f813939dd96b961ae288fb7f930649dfebb4884c13af95309a71f986f5",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:02/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545857",
        "to_ids": true,
        "type": "sha256",
        "uuid": "8c944974-2528-4716-8cd5-b9efdfe6c022",
        "value": "31a60f9e0b5b4f0371f4130a184e27f79cefacb080a6273ccb1c9a908dc6ca9d",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:02/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545859",
        "to_ids": true,
        "type": "sha256",
        "uuid": "5423a674-373b-4a14-ac9b-24c38cdda0ce",
        "value": "8367daa8ce633724157b8edd21d625de5ac56b8c2d983bbb283836162037f3c1",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:02/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545860",
        "to_ids": true,
        "type": "sha256",
        "uuid": "ad0eaff1-9f87-43ef-996b-68edd6392c8e",
        "value": "fa965ed784f7ec99e21475205cc177bb71ac7550b4015b4a4b3e232f032dcb91",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777689512",
        "to_ids": true,
        "type": "domain",
        "uuid": "b4eb89a1-c808-417e-8906-1906a6ca13ca",
        "value": "xlabslover.lol",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777689534",
        "to_ids": true,
        "type": "hostname",
        "uuid": "6293c4ae-0c43-4d9e-847c-d070e00b8563",
        "value": "gate.decodo.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777689555",
        "to_ids": true,
        "type": "hostname",
        "uuid": "2b1e0214-3c65-41b1-bbc6-1bb040bd9e48",
        "value": "pool.hashvault.pro",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777689576",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "40ef7453-0434-457a-b52f-1f6e05a4d588",
        "value": "176.65.139.9",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777689597",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "30c8f718-fcd7-46c4-8acb-e2cde4a290ed",
        "value": "176.65.139.44",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777689618",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "5cf662bf-a5fb-4752-a2e1-81ad0380f20d",
        "value": "176.65.139.42",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777689639",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "67edcfe1-bdf7-44bc-8801-371fb7fe6f7c",
        "value": "176.65.139.0/24",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545847",
        "uuid": "17261b4f-0882-443f-a78f-94ce7b95895c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545846",
            "to_ids": true,
            "type": "md5",
            "uuid": "be93186f-40db-4163-891e-af9fcbbd4662",
            "value": "fac068afc5a0361f323f8b2fdbcbfd41",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545846",
            "to_ids": true,
            "type": "sha1",
            "uuid": "eeb1131c-2492-49e0-b782-5828e1b5cbc5",
            "value": "da365650e77eaf9d79801d475de7bf2b2a031251",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545847",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4b083014-5b75-4b14-8277-5ded31ff1abd",
            "value": "f962cb443975065b91d4512a42a529a091726e1815be28ced0ebb9dff997931d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777687920",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "407d115f-6139-49c6-b5b2-6773f277e1ea",
            "value": "3072:p7cPpTRWn6CZyN7c0/E/RISW06vNaIZMmn/FHU/p3qautQ:p6pMsN//EZfWRvNaIZMmn/FHc8aH"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777687920",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "bad53e91-5bf7-4a68-95a4-5c03df0bd575",
            "value": "163060"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777687920",
            "to_ids": true,
            "type": "vhash",
            "uuid": "a0ba0bef-1059-4470-8d62-4015db69bf78",
            "value": "634fa42059855cee962857fabedeb12b"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777687920",
            "to_ids": true,
            "type": "filename",
            "uuid": "1317c920-1ba6-4bac-b2c9-a71ee05ea1fc",
            "value": "78774672884f8cd7593fced3c7d1faa4_arm7.unpacked"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/05/2026\nLast-scan\t:  26/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777687920",
            "to_ids": false,
            "type": "text",
            "uuid": "e2081192-22c1-4fef-8c00-97b6ed585cd0",
            "value": "Type Description: ELF\nMicrosoft: Backdoor:Linux/Mirai.FT!MTB\nVT Total Detection:38/63\nFirst Submission:2026-04-05T02:49:00.000000+00:00\nLast Submission:2026-04-05T02:49:00.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545850",
        "uuid": "3f74dbf2-22d0-4692-b3fd-c053b2ef414a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545849",
            "to_ids": true,
            "type": "md5",
            "uuid": "aa172988-0a4f-4e7d-84e5-5c64a672c66c",
            "value": "78774672884f8cd7593fced3c7d1faa4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545849",
            "to_ids": true,
            "type": "sha1",
            "uuid": "55b0c35c-b727-4922-8e5a-446b1f9b94de",
            "value": "dbcf1c93634010c7e6131bcdfffa72e30da2376a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545850",
            "to_ids": true,
            "type": "sha256",
            "uuid": "7a4810d3-a109-49c2-bec1-0978523c670f",
            "value": "a03705fc225dbcec7e3c2f06a258afe81b5d88aaff1368d10dd6ba4f0932be7c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777687943",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f3d45a32-d752-43ec-b30b-2b78b787494c",
            "value": "1536:1s2BH1aqzhASgdmckDZrMoq/CatIGptr7vNvVcxUqwVy:PBV1zOBkckVMNaSdr7dS9V"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777687943",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "074dca19-6f30-4992-89bd-43b97f77bfea",
            "value": "68276"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777687943",
            "to_ids": true,
            "type": "vhash",
            "uuid": "7f6b908c-85ba-4673-996b-de5314543df1",
            "value": "585d83e7fd11a9925fccde5c422d670e"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777687943",
            "to_ids": true,
            "type": "filename",
            "uuid": "a273c0fc-9c10-442a-9647-38e5d2d48a37",
            "value": "arm7"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/05/2026\nLast-scan\t:  27/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777687943",
            "to_ids": false,
            "type": "text",
            "uuid": "9d39972a-ac60-41b8-bfb1-d0cca626cc6a",
            "value": "Type Description: ELF\nMicrosoft: Backdoor:Linux/Mirai.FT!MTB\nVT Total Detection:30/64\nFirst Submission:2026-04-05T02:48:59.000000+00:00\nLast Submission:2026-04-05T02:48:59.000000+00:00"
          }
        ]
      }
    ]
  }
}