{
  "Event": {
    "analysis": "1",
    "date": "2026-04-30",
    "extends_uuid": "",
    "info": "[Threat Intel] Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia",
    "protected": false,
    "publish_timestamp": "1779546039",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1779546039",
    "uuid": "327326e7-354a-45ba-b25e-363984f01010",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd2e44",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#717bc3",
        "local": false,
        "name": "misp-galaxy:producer=\"Trend Micro\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:country=\"china\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"ShadowPad\"",
        "relationship_type": ""
      },
      {
        "colour": "#013748",
        "local": false,
        "name": "misp-galaxy:target-information=\"India\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Myanmar\"",
        "relationship_type": ""
      },
      {
        "colour": "#670cf4",
        "local": false,
        "name": "misp-galaxy:target-information=\"Pakistan\"",
        "relationship_type": ""
      },
      {
        "colour": "#09ea0d",
        "local": false,
        "name": "misp-galaxy:target-information=\"Sri Lanka\"",
        "relationship_type": ""
      },
      {
        "colour": "#2613b0",
        "local": false,
        "name": "misp-galaxy:target-information=\"Taiwan\"",
        "relationship_type": ""
      },
      {
        "colour": "#33360c",
        "local": false,
        "name": "misp-galaxy:target-information=\"Thailand\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"iox\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Vshell\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Nood RAT\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      },
      {
        "colour": "#220082",
        "local": false,
        "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777759674",
        "to_ids": false,
        "type": "link",
        "uuid": "c8be751a-3ce7-4ed0-89e6-b90b394f35fd",
        "value": "https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html"
      },
      {
        "category": "Attribution",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777759683",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "d8388ac1-2571-4454-8cbd-c7198a07774c",
        "value": "Shadow-Earth-053"
      },
      {
        "category": "Attribution",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777759812",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "d44ffbc0-8def-420d-a02d-3990f830b1fc",
        "value": "SHADOW-EARTH-054"
      },
      {
        "category": "Payload delivery",
        "comment": "ShadowPad loader \u2014 graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545982",
        "to_ids": true,
        "type": "sha256",
        "uuid": "110b4f4d-c392-491c-8b17-14bd17ad9fb4",
        "value": "f43748a809680a23272ec684a8cce9af071ad165c3b01acdcd7fe501a0949745",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ShadowPad loader \u2014 graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545984",
        "to_ids": true,
        "type": "sha1",
        "uuid": "fecd24a6-2480-4320-9bfb-b4f792c4ece9",
        "value": "2dc1ad07b7529af3ba5c11a58519681909971a81",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ShadowPad loader \u2014 graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545986",
        "to_ids": true,
        "type": "sha256",
        "uuid": "66eb4ad4-f1f6-45dc-988c-9e1639126d1d",
        "value": "0eda83335334d3c877578326a5843d3e2a3b745834de27eac00b694262e2b1ed",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ShadowPad loader \u2014 graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545988",
        "to_ids": true,
        "type": "sha1",
        "uuid": "1ef831a8-953f-4825-84e3-f8537c11f770",
        "value": "3229ba46dd54802093c81e6e2123fd1520faf960",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ShadowPad loader \u2014 graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545989",
        "to_ids": true,
        "type": "sha256",
        "uuid": "09333663-579f-4d3b-bc93-209fbdd882ee",
        "value": "0fff684fa209cb79ab1104da3cfbbf4c950078e14e54c2564d130abbd4e464a9",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ShadowPad loader \u2014 graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545991",
        "to_ids": true,
        "type": "sha1",
        "uuid": "a626c2cc-79a5-462e-a883-b5064b6466dc",
        "value": "128f3ad395f86be6569ef2a957d42902a910de6c",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ShadowPad loader \u2014 graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545993",
        "to_ids": true,
        "type": "sha256",
        "uuid": "5f37b369-972f-4ba5-a143-c7968b459b4f",
        "value": "4f77b4fcfde7abb7e6d0e36104e433abfed3a9d9938bf7fbe0e9d1a0b2ccf265",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ShadowPad loader \u2014 graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545994",
        "to_ids": true,
        "type": "sha256",
        "uuid": "391bc8cc-9b0a-4fd0-acbc-155acc6e6e15",
        "value": "a5477ff2b3d6d475558abf03878dff0cca98c20c17aae35a8ad8e99e03293f89",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ShadowPad loader \u2014 graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545996",
        "to_ids": true,
        "type": "sha256",
        "uuid": "01b33fc4-2b44-4e8b-8875-2e3a4b4917df",
        "value": "83e9f99a377566cf30df0ad71ca8522613b14d45e3e2eaead4a336509d26bef3",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ShadowPad loader \u2014 graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545998",
        "to_ids": true,
        "type": "sha1",
        "uuid": "8d04de71-64a8-4181-a787-ba52411978b3",
        "value": "9a83466f6c34e588ba3e99d6cbfac0102e173cdd",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ShadowPad loader \u2014 graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546000",
        "to_ids": true,
        "type": "sha256",
        "uuid": "f89db733-0ecc-4061-9736-7559bf67c4bd",
        "value": "996fb4f7d1b3150490380c4ce9c7c3d60fac33bd6a7c1e3a46487021964cf3bb",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ShadowPad loader \u2014 graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546002",
        "to_ids": true,
        "type": "sha1",
        "uuid": "23d84d6f-a704-4f13-9038-774fa8d02d74",
        "value": "9244cd99a27a8741a78e0b449cea063fdcfb0090",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ShadowPad loader \u2014 graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546004",
        "to_ids": true,
        "type": "sha256",
        "uuid": "a64cc461-c361-4650-bb7b-a5f3cf7e137c",
        "value": "3dffbfcb825a70e477474e88b18679557ef467de37fc26e45ddbe572f520c52a",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ShadowPad loader \u2014 graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546006",
        "to_ids": true,
        "type": "sha1",
        "uuid": "3042e346-820c-4430-9211-0872e25decba",
        "value": "8a5ac2682d70eacff7eb554e242227c82e2baa94",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ShadowPad loader \u2014 imjp14k.dll No sample in VT\r\nLast check:03/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546008",
        "to_ids": true,
        "type": "sha256",
        "uuid": "bd9c7c60-ce70-46d4-a62d-9304e8c3a4cc",
        "value": "2dd93edc8cc64747a7ca94b6827dc4e5b1e385d493ed4450272dd1dfc52a6255",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ShadowPad loader \u2014 imjp14k.dll No sample in VT\r\nLast check:03/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546009",
        "to_ids": true,
        "type": "sha1",
        "uuid": "e3e7e86f-1d71-4c29-89f4-939dbf3bca74",
        "value": "579bc9a640ac939b1f75eda852815f063cebd332",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ShadowPad loader \u2014 imjp14k.dll No sample in VT\r\nLast check:03/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546011",
        "to_ids": true,
        "type": "sha256",
        "uuid": "e01f9d3b-f815-41da-ba50-1dc454d58033",
        "value": "5eb2122c4c645543966b07b94faccb5b4697561163382f21fb3b793b0d5cc9fe",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ShadowPad loader \u2014 imjp14k.dll No sample in VT\r\nLast check:03/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546013",
        "to_ids": true,
        "type": "sha1",
        "uuid": "e709964a-98be-4ac7-8c1f-cf6cd5233e34",
        "value": "ec38a56f9368eac67106a4ad61538e12053f03d1",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ShadowPad loader \u2014 imjp14k.dll No sample in VT\r\nLast check:03/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546015",
        "to_ids": true,
        "type": "sha256",
        "uuid": "2bcfdbda-c29e-4cab-b582-9996f5552a65",
        "value": "eff699456ed4c5938d53afdb8df0836d7cb953ed933ed1a2899ec43f6f9e540b",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ShadowPad loader \u2014 uxtheme.dll No sample in VT\r\nLast check:03/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546017",
        "to_ids": true,
        "type": "sha256",
        "uuid": "1dd11310-f2d5-408c-85ba-d3c6b71f07d9",
        "value": "75d0d5080afd091114818d082babc418ccb43d545d9fda1fb715af6c129b6e51",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ShadowPad loader \u2014 uxtheme.dll No sample in VT\r\nLast check:03/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546019",
        "to_ids": true,
        "type": "sha1",
        "uuid": "b3f9605a-3b27-46f9-9a4f-d06224c5ecd3",
        "value": "35cc0b684b0906aed9d672a1a8635510fe91aa67",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "SHADOW-EARTH-053 \u2014 Mdync.exe No sample in VT\r\nLast check:03/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546020",
        "to_ids": true,
        "type": "sha256",
        "uuid": "3cb08bba-5493-47f7-80a5-9c4ed6fb6176",
        "value": "3f6382418d0137f6ecbef23bfd981938bb86a935b27203f5b053e3710e835f97",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Possible RDP Launcher No sample in VT\r\nLast check:03/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546022",
        "to_ids": true,
        "type": "sha256",
        "uuid": "ed59f932-de28-455c-96d5-1a07fd2ac751",
        "value": "26f4c7f37448911310adf20e6e74aac60e92b97591f4ac9e5e21cc503be8da16",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Privileged process launcher. No sample available in VT; last checked 2026-05-03.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546024",
        "to_ids": true,
        "type": "sha256",
        "uuid": "f7ff117e-156f-45ea-9915-73b3b33370e2",
        "value": "8df8282da75ebe6cf1a535739991e3f298f903974a05966503d7fd2919ecea4e",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "data.aspx webshell. No sample available in VT; last checked 2026-05-03.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546026",
        "to_ids": true,
        "type": "sha256",
        "uuid": "0dae37ed-fc66-4c0a-a6e9-ace55b6afdbf",
        "value": "03a89ea5a8604e8bc09a4249211e20404a2c7047adda65a57deeb46abb1fb116",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ExchangeExport.exe. No sample available in VT; last checked 2026-05-03.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546028",
        "to_ids": true,
        "type": "sha256",
        "uuid": "8ac9d813-f8c3-484f-9f95-b45058a82d63",
        "value": "d083b6d82765faffe738ebd0678c8eb01c1f1fac8d3c51ffdfe40e34da3ce902",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Newdcsync.exe (name suggests DCSync-style credential replication tooling \u2014 unconfirmed, no sample analysed). No sample available in VT; last checked 2026-05-03.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546030",
        "to_ids": true,
        "type": "sha256",
        "uuid": "d60d1003-aa69-45c4-85f3-2d17d7767e94",
        "value": "0c8c562ed7343d28c76d93a88bd0534440d0e71292ebcee66314d6d5c2f34403",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "SHADOW-EARTH-054 malware (sha256). No sample available in VT; last checked 2026-05-03.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546031",
        "to_ids": true,
        "type": "sha256",
        "uuid": "6358325f-b865-454b-a915-fde5fbc58fc4",
        "value": "55e929971a7975c7f9dfa4d677d5ec357af23a4ca208ef8f920804743e9011cd",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "SHADOW-EARTH-054 malware (sha1; not confirmed to be the same file as the sha256 entry, as no sample was available to cross-check). No sample available in VT; last checked 2026-05-03.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546033",
        "to_ids": true,
        "type": "sha1",
        "uuid": "03ceb25b-1dd2-4429-ab12-6efe06dfd19d",
        "value": "b8d586d376b342b08b3dd8a77c788480e025ad12",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "DomainMachines.exe \u2014 custom discovery tool. No sample available in VT; last checked 2026-05-03.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546035",
        "to_ids": true,
        "type": "sha256",
        "uuid": "e9fa021f-b73d-4438-ad3f-e6d13b227dd1",
        "value": "165cc3a9a40e04c469e5c818943920f38dc48db2c2365f1a71bb52c9582f0ea9",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "IOX (code.exe). No sample available in VT; last checked 2026-05-03.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546037",
        "to_ids": true,
        "type": "sha256",
        "uuid": "bf692237-80b1-4071-b935-2a93bfb7669b",
        "value": "1a5da90175ff7b55ddafcdb816adf574b92a112604019b219d82adab820fb3a2",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Unknown proxy (code.exe / tunnel-core.exe). Note that code.exe is also the filename of the IOX sample in this event, so match on hash rather than filename. No sample available in VT; last checked 2026-05-03.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546039",
        "to_ids": true,
        "type": "sha256",
        "uuid": "dde51dee-b27d-4219-9f72-e7888906d115",
        "value": "4173c218efe31a6b36df714cf4e1073696f3acbe7edd1b7fcba01e4a2d923a27",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "ShadowPad C&C \u2014 TrendAI telemetry",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777768765",
        "to_ids": true,
        "type": "hostname",
        "uuid": "c63f20c0-4d19-49aa-ba81-c8ea20c12d5f",
        "value": "time.microsofttrends.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "ShadowPad C&C \u2014 TrendAI telemetry",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777768787",
        "to_ids": true,
        "type": "hostname",
        "uuid": "a1fdf3f0-86ac-4586-840e-b6637275c7df",
        "value": "erp.kaspersky.icu",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777768808",
        "to_ids": true,
        "type": "hostname",
        "uuid": "92bf1e0c-3e1a-4835-b324-bbd18d4e44eb",
        "value": "dns.dnsmap.icu",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Infrastructure \u2014 vendor-lookalike domain under kaspersky.icu (not affiliated with Kaspersky); match on the full .icu domain, not the brand string, to avoid blocking the legitimate vendor domain.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777768829",
        "to_ids": true,
        "type": "hostname",
        "uuid": "f6a85072-29ee-47df-835b-89f59b10de95",
        "value": "cert.kaspersky.icu",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Infrastructure \u2014 vendor-lookalike domain under kaspersky.icu (not affiliated with Kaspersky); match on the full .icu domain, not the brand string, to avoid blocking the legitimate vendor domain.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777768850",
        "to_ids": true,
        "type": "hostname",
        "uuid": "0213ac19-9854-4613-80da-6ef30e38fb57",
        "value": "news.kaspersky.icu",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Infrastructure \u2014 vendor-lookalike domain under kaspersky.icu (not affiliated with Kaspersky); match on the full .icu domain, not the brand string, to avoid blocking the legitimate vendor domain.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777768871",
        "to_ids": true,
        "type": "hostname",
        "uuid": "46443982-382c-40ad-8865-96b1b3027421",
        "value": "ns1.kaspersky.icu",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Infrastructure \u2014 vendor-lookalike domain under kaspersky.icu (not affiliated with Kaspersky); match on the full .icu domain, not the brand string, to avoid blocking the legitimate vendor domain.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777768892",
        "to_ids": true,
        "type": "hostname",
        "uuid": "a795949c-9484-4757-a543-d91d5a5011b0",
        "value": "ns2.kaspersky.icu",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Infrastructure \u2014 vendor-lookalike domain under kaspersky.icu (not affiliated with Kaspersky); match on the full .icu domain, not the brand string, to avoid blocking the legitimate vendor domain.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777768913",
        "to_ids": true,
        "type": "hostname",
        "uuid": "e4a0884e-4f42-4fb0-841d-3b4b4f92b318",
        "value": "www.kaspersky.icu",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777768935",
        "to_ids": true,
        "type": "hostname",
        "uuid": "69f251d1-efc7-4e9e-bf9c-03f209014b2b",
        "value": "dns.dnserver.life",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777768956",
        "to_ids": true,
        "type": "hostname",
        "uuid": "65451a8d-e050-4cb6-a0f3-6e3530a3ac7e",
        "value": "nslookup.dnserver.life",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777768977",
        "to_ids": true,
        "type": "hostname",
        "uuid": "3bffd01b-5d86-4bfe-8655-9a9c033b26d5",
        "value": "router.dnserver.life",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777768998",
        "to_ids": true,
        "type": "hostname",
        "uuid": "0d2438df-3b38-4452-a640-87722bbf22f6",
        "value": "ww12.dnserver.life",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Infrastructure \u2014 vendor-lookalike domain under group-ib.icu (not affiliated with Group-IB); match on the full .icu domain, not the brand string, to avoid blocking the legitimate vendor domain.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777769019",
        "to_ids": true,
        "type": "hostname",
        "uuid": "454b89a6-c0d7-4686-b2eb-10460e86cf43",
        "value": "ns1.group-ib.icu",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Infrastructure \u2014 vendor-lookalike domain under group-ib.icu (not affiliated with Group-IB); match on the full .icu domain, not the brand string, to avoid blocking the legitimate vendor domain.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777769040",
        "to_ids": true,
        "type": "hostname",
        "uuid": "48829927-8fe8-4451-a75c-d4750e39ef8a",
        "value": "ns2.group-ib.icu",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Infrastructure \u2014 vendor-lookalike domain under group-ib.icu (not affiliated with Group-IB); match on the full .icu domain, not the brand string, to avoid blocking the legitimate vendor domain.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777769062",
        "to_ids": true,
        "type": "hostname",
        "uuid": "10910dbc-c7a7-47c4-abf5-8606edf65c2d",
        "value": "www.group-ib.icu",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777769083",
        "to_ids": true,
        "type": "hostname",
        "uuid": "f74383e3-d7a4-4dfe-961f-d12a58af6ebb",
        "value": "check.dnsmaps.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Infrastructure hunting \u2014 malware hosting; vendor-lookalike domain under kaspersky.icu (not affiliated with Kaspersky).",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777769104",
        "to_ids": true,
        "type": "hostname",
        "uuid": "ac3be535-7a59-4e89-a2a5-11cb6f8326c7",
        "value": "update.kaspersky.icu",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "NOODLERAT C&C",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777769125",
        "to_ids": true,
        "type": "hostname",
        "uuid": "6588c6bb-cdbd-455f-aae4-bc7669af413b",
        "value": "check.office365-update.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "SHADOW-EARTH-054 C&C",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777769146",
        "to_ids": true,
        "type": "domain",
        "uuid": "1d7209b7-e73f-4279-bd85-131b788cb617",
        "value": "zimbra-beta.info",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "SHADOW-EARTH-054 C&C",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777769167",
        "to_ids": true,
        "type": "domain",
        "uuid": "a36b1125-d271-4071-98b2-67287921e29d",
        "value": "zimbra.life",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "SHADOW-EARTH-054 C&C",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777769188",
        "to_ids": true,
        "type": "domain",
        "uuid": "948d765a-8dfd-4438-96cc-1de403674f55",
        "value": "microsi0ft.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "SHADOW-EARTH-053 C&C",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777769209",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "c612f3f4-13b4-4f9d-87ab-d5fc0553fcd5",
        "value": "141.164.46.77",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "SHADOW-EARTH-053 C&C",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777769230",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "bbd8247b-6e50-465f-82fa-d38b7fddd96b",
        "value": "96.9.125.227",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "SHADOW-EARTH-053 Malware Hosting \u2014 TrendAI telemetry",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777769252",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "ba06841f-b547-4b8f-989f-7634845416b6",
        "value": "194.38.11.3",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "SHADOW-EARTH-054 VShell C&C",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777769273",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "682bee3f-3863-4a83-98d3-d20d130fed91",
        "value": "209.141.40.254",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "SHADOW-EARTH-054 IOX Proxy",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777769295",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "dc9b8e42-93f1-4b39-bdb9-d71f81f0f36b",
        "value": "45.61.62.172",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "SHADOW-EARTH-054 VShell C&C",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777769316",
        "to_ids": true,
        "type": "url",
        "uuid": "ba01092f-feba-468b-8671-c22587e81e2a",
        "value": "http://209.141.40.254:8443/update",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "Microsoft Exchange Server server-side request forgery (ProxyLogon) \u2014 the pre-authentication entry point of the chain.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777760311",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "1addf2da-212a-48d0-95c2-589d1e0a4404",
        "value": "CVE-2021-26855"
      },
      {
        "category": "External analysis",
        "comment": "Microsoft Exchange Server Unified Messaging insecure deserialization (ProxyLogon chain).",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777760311",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "dea4656f-3526-43fb-a59f-63cae6dbfb0d",
        "value": "CVE-2021-26857"
      },
      {
        "category": "External analysis",
        "comment": "Microsoft Exchange Server post-authentication arbitrary file write (ProxyLogon chain).",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777760311",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "89a7992f-0009-4891-b99e-c756c0237352",
        "value": "CVE-2021-26858"
      },
      {
        "category": "External analysis",
        "comment": "Microsoft Exchange Server post-authentication arbitrary file write (ProxyLogon chain).",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777760311",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "a1d48a30-af98-4f94-a7d4-f0683a2d934e",
        "value": "CVE-2021-27065"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545946",
        "uuid": "08c4b1ad-190d-4f28-b382-8467e0282efc",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "ShadowPad loader \u2014 graphics-hook-filter32.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545945",
            "to_ids": true,
            "type": "md5",
            "uuid": "2252e97a-266c-4121-8047-615b2bbf856e",
            "value": "efcb90de13a82c10a34e900ab91942c1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ShadowPad loader \u2014 graphics-hook-filter32.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545946",
            "to_ids": true,
            "type": "sha1",
            "uuid": "734a542f-3a45-4ba3-b9cc-41b57b959782",
            "value": "31b3dd9ee46805b0ed6e6dd6a5ee17facadfd2ff",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ShadowPad loader \u2014 graphics-hook-filter32.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545946",
            "to_ids": true,
            "type": "sha256",
            "uuid": "dae45800-f6c5-49f6-9c28-29ff0d03da06",
            "value": "a65483b86847995a67de0fcb2a5487cdbc96361cb2e9dea8ab74005c8fef65ce",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777766091",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "9e6c5849-8efe-4670-9803-7d1af6f7f48d",
            "value": "768:6WPxf5fpajk2riSoQSJcsfPVWzAXiqKAK2IFXtDWokyXoAhQYcfEDDnrJAc6XBZ9:6axf5ByrZv0fPVzdKM8rv5Tj6XB"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777766091",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4cd19584-c957-42df-a72e-30405e0ad71d",
            "value": "65536"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777766091",
            "to_ids": true,
            "type": "vhash",
            "uuid": "3c678e01-2102-49fd-baff-de9a313e59bc",
            "value": "164056655d15555az38!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777766091",
            "to_ids": true,
            "type": "filename",
            "uuid": "657cdf0d-684d-4a24-9c24-bcf08d56b69a",
            "value": "aclht.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 03/05/2026\nLast-scan: 30/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777766091",
            "to_ids": false,
            "type": "text",
            "uuid": "d5daec81-f977-4c03-ae3c-921561f098a0",
            "value": "ShadowPad loader \u2014 graphics-hook-filter32.dll\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Etset!rfn\nVT Total Detection: 45/71\nFirst Submission: 2026-02-26T01:18:16.000000+00:00\nLast Submission: 2026-02-26T01:18:16.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545949",
        "uuid": "b5314c97-27d1-4525-bbd9-a56b87e77c63",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "ShadowPad loader \u2014 imjp14k.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545948",
            "to_ids": true,
            "type": "md5",
            "uuid": "6a34a7d2-c1b1-464f-a65c-7feb2265fc18",
            "value": "48370247d5c3c01474f19e172112710a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ShadowPad loader \u2014 imjp14k.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545948",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e18c527f-7799-438f-9809-35fc71784cc4",
            "value": "3f858c007d4d49dd7fa260bcc786c34d4f78dbf5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ShadowPad loader \u2014 imjp14k.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545949",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b4ea03e7-e5e0-4607-8d7f-154e485567e8",
            "value": "5bf35daaf26508fc136157818ead48cc5c7fa3a3e6273cde2c757673586a78a6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777766113",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "949a5d13-6a6e-465f-ab49-8e388569693c",
            "value": "1536:jvHxkpNtvYmb9i9WvbkRVwAqrufeXIkkt:7RVmhi9mbkV7qruGXIkW"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777766113",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "5e903fb2-8808-45a7-8193-7cef2b59fed3",
            "value": "67072"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777766113",
            "to_ids": true,
            "type": "vhash",
            "uuid": "aabba52a-2d6b-4ecc-9be5-e2a170e96182",
            "value": "164056655d15155az39!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777766113",
            "to_ids": true,
            "type": "filename",
            "uuid": "00dbe1b6-9145-482d-be96-f2f22c928df8",
            "value": "Dll.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 03/05/2026\nLast-scan: 30/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777766113",
            "to_ids": false,
            "type": "text",
            "uuid": "fca70c89-3956-4e24-85a1-d070015df37c",
            "value": "ShadowPad loader \u2014 imjp14k.dll\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/ShadowPad.B!MTB\nVT Total Detection: 51/71\nFirst Submission: 2024-06-11T03:25:09.000000+00:00\nLast Submission: 2024-06-11T03:25:09.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545951",
        "uuid": "6e10beff-ca83-4a10-8a38-12d6af18a940",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "ShadowPad loader \u2014 imjp14k.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545950",
            "to_ids": true,
            "type": "md5",
            "uuid": "f0419727-ae9e-42f6-9054-aef582ba2e1f",
            "value": "e5b0fd04b03d92d4dfb8e50b9b9b3068",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ShadowPad loader \u2014 imjp14k.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545951",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e399263a-467e-425a-8303-d8750b05606f",
            "value": "ccbd7c92cac1ec732e980f128d2f266e9190ff8f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ShadowPad loader \u2014 imjp14k.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545951",
            "to_ids": true,
            "type": "sha256",
            "uuid": "6cd8798d-5b3e-40cd-8020-0b69fab7ae8b",
            "value": "41f74c3fc32752b5c7b88e7a5723441cb827958bc21b647fffae469407f1ce99",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777766135",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "23fb9841-ed7d-4ec8-9ac2-4dcaac3b085e",
            "value": "1536:enXgTy/1MZgvfqXLWNEfTFQMT0j4vpEBXwB2ia559BaInPwG7vrVY3MW:ewTy9vfqXrGaOAe559BOKm3M"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777766135",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "fd7760da-e863-47a0-b4d2-c3f7de884c30",
            "value": "149504"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777766135",
            "to_ids": true,
            "type": "vhash",
            "uuid": "96ec964d-9980-4f54-8715-12c2f02383e9",
            "value": "115056655d55555az47!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777766135",
            "to_ids": true,
            "type": "filename",
            "uuid": "d1c49812-62d9-4777-ac9c-7f0a14f69854",
            "value": "imjp14k.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 03/05/2026\nLast-scan: 30/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777766135",
            "to_ids": false,
            "type": "text",
            "uuid": "5132fede-c33f-4db1-92a8-15bd8c100af5",
            "value": "ShadowPad loader \u2014 imjp14k.dll\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Ravartar!rfn\nVT Total Detection: 46/71\nFirst Submission: 2025-07-31T03:41:14.000000+00:00\nLast Submission: 2026-03-27T08:04:06.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545954",
        "uuid": "3cfed067-79fe-4011-a228-331c75696dad",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "ShadowPad loader \u2014 imjp14k.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545953",
            "to_ids": true,
            "type": "md5",
            "uuid": "86a981ed-662b-47bc-8433-bd9e81192d80",
            "value": "9daba43a4c2495f596555653c6fe88d2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ShadowPad loader \u2014 imjp14k.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545953",
            "to_ids": true,
            "type": "sha1",
            "uuid": "2f32234d-7302-4760-b95d-2e8206cdcd36",
            "value": "824f13f758ce278f72a4aeaf1e15a703d5107dd7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ShadowPad loader \u2014 imjp14k.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545954",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1322b316-5407-4396-b7fa-20bb53b0474d",
            "value": "f19a67b9c8805b335676f0fc17495839327f8135f791aa11d5d9adba2c83cc1c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777766199",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "5ecbf3b6-ac86-48b4-bcb6-59c2460b7f0f",
            "value": "3072:jQnqE3/3tYxZ6UuQZfAGjooVFGB1npUsSU:jQnqa/3eP64ZlXV8B1us"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777766199",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "858e7a60-be13-424b-ad21-5319f7ccc519",
            "value": "149504"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777766199",
            "to_ids": true,
            "type": "vhash",
            "uuid": "8d36d81e-967c-43df-be38-1f6a2ecbe126",
            "value": "115056655d55555az47!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777766199",
            "to_ids": true,
            "type": "filename",
            "uuid": "eb501a2d-6446-4ecd-a300-68da9d317ef1",
            "value": "72c8sp8az.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 03/05/2026\nLast-scan: 30/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777766199",
            "to_ids": false,
            "type": "text",
            "uuid": "36cfbb71-94da-43e5-b731-0b9852e363ca",
            "value": "ShadowPad loader \u2014 imjp14k.dll\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Wacatac.B!ml\nVT Total Detection: 44/71\nFirst Submission: 2025-11-09T01:37:36.000000+00:00\nLast Submission: 2025-11-09T01:37:36.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545957",
        "uuid": "880f024e-d8a4-4ad4-af96-581e8808cf8a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "ShadowPad loader \u2014 uxtheme.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545956",
            "to_ids": true,
            "type": "md5",
            "uuid": "9fa2cdd1-8210-45d8-a1a2-d47ef40fc76d",
            "value": "4b7a47b639a2aca7818d111ee7f23b3e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ShadowPad loader \u2014 uxtheme.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545956",
            "to_ids": true,
            "type": "sha1",
            "uuid": "55319819-42a9-48bf-a26b-069ed08eba18",
            "value": "2dd614427b80cdd38e8bbe0ace24a484671c0da2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ShadowPad loader \u2014 uxtheme.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545957",
            "to_ids": true,
            "type": "sha256",
            "uuid": "9dec6368-de24-4027-9f1f-bad5f9be7cc2",
            "value": "0c63857269205f6505c259a56ea53b23b2bf7432aabb8647d59b321232ca7e36",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777766325",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c6f2d688-e83d-4209-b018-2a0156d4dedf",
            "value": "768:7+JqwbggNFLor7KvLMLVP3PrW2yTZC0cf7FAhDmdkBdhHqxYrfEDDnBJAc/7eFpZ:iqwb1NFEr7KvLO3PsFojsNQtU"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777766325",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "6269ae4b-a1eb-4490-9baa-1c49bc142940",
            "value": "65536"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777766325",
            "to_ids": true,
            "type": "vhash",
            "uuid": "383a9aed-1f85-4613-bc3b-3c9f9e1d59f9",
            "value": "164056655d15555az38!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777766325",
            "to_ids": true,
            "type": "filename",
            "uuid": "8990ea03-0164-43ec-a0f4-c1e326482f02",
            "value": "0c63857269205f6505c259a56ea53b23b2bf7432aabb8647d59b321232ca7e36.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 03/05/2026\nLast-scan: 30/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777766326",
            "to_ids": false,
            "type": "text",
            "uuid": "cb661e89-557f-4ef8-bf39-1209a54c2c9f",
            "value": "ShadowPad loader \u2014 uxtheme.dll\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Etset!rfn\nVT Total Detection: 49/71\nFirst Submission: 2024-11-20T05:34:09.000000+00:00\nLast Submission: 2026-03-13T15:14:36.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545959",
        "uuid": "3ab11136-310a-4b8a-a2bb-439230df3ac5",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "ShadowPad loader \u2014 MPS.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545959",
            "to_ids": true,
            "type": "md5",
            "uuid": "ed067d54-e04c-4a4f-a499-c4349b92aab0",
            "value": "c4144edb268001595700b5f27d7d7422",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ShadowPad loader \u2014 MPS.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545959",
            "to_ids": true,
            "type": "sha1",
            "uuid": "eac9e959-e3c0-4a86-9a98-6047b4084716",
            "value": "4541e55b70ca12ae4a79e38c0b4c31f067eb5cdc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ShadowPad loader \u2014 MPS.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545959",
            "to_ids": true,
            "type": "sha256",
            "uuid": "2bc2bfb1-b646-454d-8d8d-16a721d7b409",
            "value": "97ea803792929f802388e9d0e75a3c79c28260d589bc2d87902c73c729ed6f9e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777766347",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f54c0b32-0b03-446d-a3be-28a69f8ddd9f",
            "value": "3072:cV+hzD2e3dfVN6aiW2C4xuxn1q+Cd/eQh:cV+5F6BzC40xn0"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777766347",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "c0ae4b40-37c5-4f47-b804-54f311f64724",
            "value": "149504"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777766347",
            "to_ids": true,
            "type": "vhash",
            "uuid": "836ead3c-f7a5-4b31-8eba-65fc810d6e3f",
            "value": "115056655d55555az47!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777766347",
            "to_ids": true,
            "type": "filename",
            "uuid": "403fb52d-3725-45d6-83e4-c676798bc946",
            "value": "MPS.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 03/05/2026\nLast-scan\t:  02/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777766347",
            "to_ids": false,
            "type": "text",
            "uuid": "fa7374ec-c020-470a-bf0c-90dab5986dcb",
            "value": "ShadowPad loader \u2014 MPS.dll\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Wacatac.B!ml\nVT Total Detection:38/70\nFirst Submission:2026-02-26T01:36:16.000000+00:00\nLast Submission:2026-02-26T01:36:16.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545962",
        "uuid": "e2728a5d-d7a9-4776-a22b-c4ffd5a47167",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOX Proxy",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545961",
            "to_ids": true,
            "type": "md5",
            "uuid": "c530f0df-e328-4697-8887-0a29716ebe6d",
            "value": "be328739e97303b2e72fe36feae358d5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOX Proxy",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545962",
            "to_ids": true,
            "type": "sha1",
            "uuid": "9081960a-0d30-46b3-a5ec-cfb6cc4cf017",
            "value": "36061be6ccd17e87e3d1ef15f8e7058f279439d1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOX Proxy",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545962",
            "to_ids": true,
            "type": "sha256",
            "uuid": "95af623e-3cb0-45bb-93bf-b85cbbfa19a2",
            "value": "b8a2a9ca58fb2b383a52f8be75cae44f08f2c3f8907bd8661ee8a4a78fd7dda3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777766369",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "148c8665-0825-4836-8bd4-f318ef6d6653",
            "value": "49152:FeWhJoVmdnlk5c6h915OB2b9bhm8sJHHXvwvwvZ:FtD/CxOBKth5s1f22Z"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777766369",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "dc2f4b81-cff7-46e8-ac48-bed591b17851",
            "value": "3446896"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777766369",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d5a4efb3-b276-4fd5-9e4c-452a50f3c7bd",
            "value": "036106655d15551555757az2d!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777766369",
            "to_ids": true,
            "type": "filename",
            "uuid": "155f7486-17b6-4f49-b98f-268bd7b9beba",
            "value": "EXPLORER.EXE"
          },
          {
            "category": "Other",
            "comment": "Checked: 03/05/2026\nLast-scan\t:  01/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777766369",
            "to_ids": false,
            "type": "text",
            "uuid": "4a2e313d-c16c-4209-b3af-d86b2adae823",
            "value": "IOX Proxy\r\nType Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:44/71\nFirst Submission:2024-12-25T12:41:32.000000+00:00\nLast Submission:2024-12-25T12:41:32.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545964",
        "uuid": "56188d43-db71-40ed-8f9f-3a986d2e5d04",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "EVILCREATEDUMP",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545964",
            "to_ids": true,
            "type": "md5",
            "uuid": "28a19c40-4d67-4bb7-8f42-246641043c45",
            "value": "531da3715b1e4fc9baeaa034888ac419",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "EVILCREATEDUMP",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545964",
            "to_ids": true,
            "type": "sha1",
            "uuid": "23c0fc0d-12d8-4a88-932f-ed5e298ec1f3",
            "value": "861a686461ad830b268977808ba56730616c7684",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "EVILCREATEDUMP",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545964",
            "to_ids": true,
            "type": "sha256",
            "uuid": "47cc7fb0-2591-4508-a286-547d99851b77",
            "value": "0eb72c1f1605d999488d903021d82a9ff4b937e6c1a1da50c55440f018e83ad9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777766391",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "3e9795a1-60e4-4b26-a090-fa9abcfe2f45",
            "value": "3072:TDct6/2G4OubVeEVNypktlWPeGR/GknWc:F2G4XbNuktlWWiCc"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777766391",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "5411b229-7c1d-4160-b11c-c74b5b54b664",
            "value": "141312"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777766391",
            "to_ids": true,
            "type": "vhash",
            "uuid": "4ef073a1-68b9-48ec-acc2-35907841adcc",
            "value": "015076655d155515555058z4c!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777766391",
            "to_ids": true,
            "type": "filename",
            "uuid": "f114873a-f880-4926-bcbe-8ca1e631e582",
            "value": "531da3715b1e4fc9baeaa034888ac419.virus"
          },
          {
            "category": "Other",
            "comment": "Checked: 03/05/2026\nLast-scan\t:  01/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777766391",
            "to_ids": false,
            "type": "text",
            "uuid": "f43c6448-155d-45e1-ab04-8bd0fe137e56",
            "value": "EVILCREATEDUMP\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Ravartar!rfn\nVT Total Detection:29/71\nFirst Submission:2023-09-22T12:31:39.000000+00:00\nLast Submission:2023-09-22T12:31:39.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545967",
        "uuid": "d3b982f8-f2d9-4c08-9b49-2f9f98cae28e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "SHADOW-EARTH-053 loader \u2014 found by infrastructure pivoting",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545966",
            "to_ids": true,
            "type": "md5",
            "uuid": "560f0df3-5180-41b4-aac4-a2316ee66574",
            "value": "a85459a1ec90a52b5c1f2f5a12bb2d10",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "SHADOW-EARTH-053 loader \u2014 found by infrastructure pivoting",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545967",
            "to_ids": true,
            "type": "sha1",
            "uuid": "32fd2fe9-32da-415f-b103-78b3dc0f938b",
            "value": "95015643ecb3ba321b8cff8eca2907e5356e8659",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "SHADOW-EARTH-053 loader \u2014 found by infrastructure pivoting",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545967",
            "to_ids": true,
            "type": "sha256",
            "uuid": "52a37769-1676-4d9c-b715-610eafbcf86f",
            "value": "884601e54fc2e6833167d33436b68e952020cdb99507b2807feec1bc086027c2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777766433",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c4824f19-b231-4636-a8db-470def8a50d0",
            "value": "384:gtQfVE8+JGlqvGX1FoBohjmQQxLlTtzHEX+Pkwpc:bVE8+fm7ouLQxZTNkXf"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777766433",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "1cd5ab8c-31ec-49ec-9ff1-20f59b5b673c",
            "value": "18432"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777766433",
            "to_ids": true,
            "type": "vhash",
            "uuid": "3775bbff-2f1d-4d6e-8a74-28d87bf66e40",
            "value": "114056651d15155az1618$z25"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777766433",
            "to_ids": true,
            "type": "filename",
            "uuid": "eaa7062b-8aa2-4da9-8f75-94b73c810461",
            "value": "110.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 03/05/2026\nLast-scan\t:  30/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777766433",
            "to_ids": false,
            "type": "text",
            "uuid": "af4901b0-df93-49e8-9ba0-e937c4672806",
            "value": "SHADOW-EARTH-053 loader \u2014 found by infrastructure pivoting\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Wacatac.B!ml\nVT Total Detection:45/71\nFirst Submission:2024-08-11T14:38:19.000000+00:00\nLast Submission:2025-11-26T14:56:42.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545970",
        "uuid": "acfc0831-15bd-4df8-86ea-7834b7f1adf1",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "TosBtKbd.dll Custom Registry Loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545969",
            "to_ids": true,
            "type": "md5",
            "uuid": "1de2b53b-1858-4109-b42b-e5c5529df224",
            "value": "29015d3fa89c75ee576b14849133d6d9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "TosBtKbd.dll Custom Registry Loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545969",
            "to_ids": true,
            "type": "sha1",
            "uuid": "814a2067-deda-4662-bee5-02fd9c97512c",
            "value": "ac7ffce58c70fb9f837e11a44d655d6c28e276f5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "TosBtKbd.dll Custom Registry Loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545970",
            "to_ids": true,
            "type": "sha256",
            "uuid": "026052fb-b872-47f7-9e90-145a9326605d",
            "value": "e12c2682a7949661fa99bf46723a1405c658d109411de3bf6cb04c57337cc020",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777766497",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d5749e5e-6036-4e93-84be-f69109649e50",
            "value": "384:qj0kJdSTfpiyCxAEdpSbNBhSl73Gg7fcf93txyodFVaquR+cAy8oP+BnK:qXiTBivaEQHSlCg7GDJFVaqBy8oPW"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777766497",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "256e74a0-52f0-4c4e-8783-d2bc5dc01dd5",
            "value": "45056"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777766497",
            "to_ids": true,
            "type": "vhash",
            "uuid": "e53285b4-2a85-411b-9c71-230018e2df47",
            "value": "144046551d151028z33nz1ez6"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777766497",
            "to_ids": true,
            "type": "filename",
            "uuid": "73d5cb07-ac11-49cb-a76c-273d9a7c23b7",
            "value": "TosBtKbd.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 03/05/2026\nLast-scan\t:  30/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777766497",
            "to_ids": false,
            "type": "text",
            "uuid": "ffcea4a7-e821-42f2-80e7-0d98a62af47b",
            "value": "TosBtKbd.dll Custom Registry Loader\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Wacatac.B!ml\nVT Total Detection:28/71\nFirst Submission:2023-02-10T05:19:46.000000+00:00\nLast Submission:2024-11-06T09:00:35.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545973",
        "uuid": "480c289d-6c90-44d3-9297-af6f8da95680",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "RingQ.exe",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545972",
            "to_ids": true,
            "type": "md5",
            "uuid": "62c93acc-182d-496c-88d3-6cf0544779e8",
            "value": "2616e7ec2d6c4b86a7fa1f4a762ae918",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "RingQ.exe",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545972",
            "to_ids": true,
            "type": "sha1",
            "uuid": "507ebf2c-8521-471b-ad7b-efabb0645bb4",
            "value": "e1bcf36ed2f7a60dd0dde52abf11c942e2657e31",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "RingQ.exe",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545973",
            "to_ids": true,
            "type": "sha256",
            "uuid": "7cc30685-83c6-481c-b6ce-61f7ce68e2b2",
            "value": "23c2ebc8f9bac96b2fbbb9b00b457c48d65a9f66ec24fbfba339eeefd0539ad7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777766582",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "baeb8df4-5935-46c0-81c8-ef6d1847e3b9",
            "value": "6144:wKv8MuGM08RgAEe/XfMbAt0RAwK7el7nBFRDtPqw+dN6vGRGdijZ6:vZucAdPt0RAwKoRDtyw+dN6S4"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777766582",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "bd6e2358-ceee-4c7e-a52b-080128075921",
            "value": "716800"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777766582",
            "to_ids": true,
            "type": "vhash",
            "uuid": "560fc9ca-216c-4fa7-a6d5-cb304f48cc49",
            "value": "075066655d15555517z1003252kz181z4bz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777766582",
            "to_ids": true,
            "type": "filename",
            "uuid": "907a9066-6996-4b62-812b-3b848a8167c2",
            "value": "rq.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 03/05/2026\nLast-scan: 30/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777766582",
            "to_ids": false,
            "type": "text",
            "uuid": "002b7e50-3d24-4a04-beee-c500f8d15333",
            "value": "RingQ.exe\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Kepavll!rfn\nVT Total Detection: 51/71\nFirst Submission: 2024-09-01T11:56:19.000000+00:00\nLast Submission: 2026-02-13T02:02:32.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545975",
        "uuid": "6a8cadf0-b85e-4da7-b254-7dc00c38ef23",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "SHADOW-EARTH-054 loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545975",
            "to_ids": true,
            "type": "md5",
            "uuid": "15b5e891-c7f5-4f3d-aefa-ed2cfabd6e1f",
            "value": "7b2590be24290eb4b51bed2af1744b04",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "SHADOW-EARTH-054 loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545975",
            "to_ids": true,
            "type": "sha1",
            "uuid": "1c45067f-6649-478a-9c6d-179d199a6a11",
            "value": "4ed658583208dcc524e58231382d2ae23961b522",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "SHADOW-EARTH-054 loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545975",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f098f148-141f-492b-aea9-f107f1ef22a1",
            "value": "c935ded2729f0513672e261170d73d4e0e13a9b837f104d840c44a39b84c0d71",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777766646",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "b86ef552-bce0-46a5-b971-d949b060a47a",
            "value": "3072:j/psVo7Y2Km21Q8MQ7Z1YlIiiaz1UXsMbJ/QdGZkjqYQYD:jBsVoUl+8MQ7Z1YEazOXcPj"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777766646",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "67cb1bf5-a0d9-4fdb-bcd7-86ae15437e1d",
            "value": "201216"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777766646",
            "to_ids": true,
            "type": "vhash",
            "uuid": "60555458-7db0-4d74-8f65-7450e7e5ff5a",
            "value": "025086655d15555515155az7dmz433z29z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777766646",
            "to_ids": true,
            "type": "filename",
            "uuid": "0d1dd46c-b65c-4751-9962-4d323b54311d",
            "value": "Eupelroed.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 03/05/2026\nLast-scan: 02/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777766646",
            "to_ids": false,
            "type": "text",
            "uuid": "31809ca0-655a-4f8b-90f1-849ff48e968f",
            "value": "SHADOW-EARTH-054 loader\nType Description: Win32 EXE\nMicrosoft: Trojan:Win64/MildTailor.A!dha\nVT Total Detection: 38/71\nFirst Submission: 2026-02-24T02:38:24.000000+00:00\nLast Submission: 2026-02-25T05:00:47.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545978",
        "uuid": "4ca28c82-eb55-4b94-9ca2-ffeb574bc18c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "GOST tunnel (gost.exe)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545977",
            "to_ids": true,
            "type": "md5",
            "uuid": "bf4560c8-1e6e-4dfa-9de1-f8500e0c500c",
            "value": "0933fbd16c7a8b70199f5612e147a22c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "GOST tunnel (gost.exe)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545978",
            "to_ids": true,
            "type": "sha1",
            "uuid": "468947b8-044a-4a10-9199-63e067e4d40c",
            "value": "211e1fc502152ea272edb5a81a5b4405a28c48f9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "GOST tunnel (gost.exe)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545978",
            "to_ids": true,
            "type": "sha256",
            "uuid": "2f4ec839-bdc1-49dd-a09d-e5c9018e57bb",
            "value": "188c72b101cd8ad96ef971e8943bddb3acd9dc45fe1d8719217d171e600a29aa",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777766731",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a2db0915-03db-49a7-9a55-b1ba9d2f2e8a",
            "value": "98304:eCiHEeYcm/rTxY8DfuX+QQl5WFSDvG/kEo4E+eDiHOAc7H:eocCTxY8Dw+Qe5WGx+BOP"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777766731",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7cf21102-5160-4771-a182-b270cea6934c",
            "value": "13270016"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777766731",
            "to_ids": true,
            "type": "vhash",
            "uuid": "8e16939f-714a-4ebd-8e19-3cd1eb94c943",
            "value": "017086655d55551d15541az31!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777766731",
            "to_ids": true,
            "type": "filename",
            "uuid": "c3623049-939c-4ce9-bec1-142c3336d1fb",
            "value": "gost.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 03/05/2026\nLast-scan: 30/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777766731",
            "to_ids": false,
            "type": "text",
            "uuid": "5fd45eff-1239-42f1-8b95-f118f6fa104e",
            "value": "GOST tunnel (gost.exe)\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Wacatac.B!ml\nVT Total Detection: 48/71\nFirst Submission: 2024-11-18T03:08:53.000000+00:00\nLast Submission: 2026-04-28T15:20:09.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545981",
        "uuid": "6ebec65a-a275-4841-8ba2-7c0665889b72",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Wstunnel (wt.exe)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545980",
            "to_ids": true,
            "type": "md5",
            "uuid": "007abb2d-ebb6-4efb-abcf-f4eb7dc128b6",
            "value": "fc751b0416d4dc320eb175cea5a9e4dd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Wstunnel (wt.exe)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545980",
            "to_ids": true,
            "type": "sha1",
            "uuid": "4116ef7a-29ae-4b3e-ad47-d4356c35963e",
            "value": "ebfd92291714e6d7e57cf4830aa8f87950b796bb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Wstunnel (wt.exe)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545981",
            "to_ids": true,
            "type": "sha256",
            "uuid": "3f648e73-18da-4022-8d73-723f5d257554",
            "value": "9dda789b85fce6294f91a79b7271a93de36dfcef21fc680dc2bf4235141e47df",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777766752",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "52ea6291-6a39-470a-a131-9bafd0c6611a",
            "value": "98304:gkh+55KV/mgQrLVSF3UoX5YJxg7q9L6v1gL1yUVc++:irh66xsq96g1a/"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777766752",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7d6af887-7c57-4612-9dc7-abf30dbe1b6a",
            "value": "9249792"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777766752",
            "to_ids": true,
            "type": "vhash",
            "uuid": "9380a653-cd79-446b-9495-878613b30df2",
            "value": "096056656d15655013zd2z473z6oz186z9"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777766752",
            "to_ids": true,
            "type": "filename",
            "uuid": "d26a53bf-8e9a-4399-bc62-4a705f1fa52c",
            "value": "wstunnel.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 03/05/2026\nLast-scan: 02/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777766752",
            "to_ids": false,
            "type": "text",
            "uuid": "6c9e9cd4-4c76-47fd-8b40-4fee0ce2f837",
            "value": "Wstunnel (wt.exe)\nType Description: Win32 EXE\nMicrosoft: None\nVT Total Detection: 3/71\nFirst Submission: 2026-02-05T12:25:54.000000+00:00\nLast Submission: 2026-04-21T01:30:14.000000+00:00"
          }
        ]
      }
    ]
  }
}