{
  "Event": {
    "analysis": "1",
    "date": "2026-04-21",
    "extends_uuid": "",
    "info": "[Threat Intel] Attack Activity Analysis Using SSH+TOR Tunnels for Covert Persistence",
    "protected": false,
    "publish_timestamp": "1779545801",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1779545801",
    "uuid": "4d751f1c-08b8-4de4-89a6-b46700f460e5",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#79655f",
        "local": false,
        "name": "misp-galaxy:producer=\"Tencent\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#705cef",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#7da4ad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#2c1d2e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Checks - T1497.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#aad818",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"SSH - T1021.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#5539fe",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#3909cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Automated Collection - T1119\"",
        "relationship_type": ""
      },
      {
        "colour": "#657ac3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Protocol Tunneling - T1572\"",
        "relationship_type": ""
      },
      {
        "colour": "#327a31",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Binary Padding - T1027.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Multi-hop Proxy - T1090.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#e43954",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#08b028",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Asymmetric Cryptography - T1573.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#30cc3b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#370063",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#44b2c2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Hidden Files and Directories - T1564.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"Sandworm\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"State-Sponsored\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Diplomacy\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Energy\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Government, Administration\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Research - Innovation\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      },
      {
        "colour": "#220082",
        "local": false,
        "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777460422",
        "to_ids": false,
        "type": "link",
        "uuid": "cbe1e70a-b195-4d38-9e9b-1ceb4b6907c3",
        "value": "https://mp.weixin.qq.com/s/nJpqvXCYV3ZdvNgYGrG4ow"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777460422",
        "to_ids": false,
        "type": "text",
        "uuid": "aea63cd0-b539-4d17-b8af-8fa179e16d38",
        "value": "APT-C-13 (Sandworm), also known as FROZENBARENTS, is a state-sponsored advanced persistent threat group conducting global cyber espionage targeting government agencies, diplomatic departments, energy enterprises, and research organizations. Recently detected samples reveal the group's use of nested SSH and TOR tunnel architecture to establish covert communication channels. The attack begins with spear-phishing emails delivering malicious LNK files disguised as PDF documents. Upon execution, the payload deploys TOR hidden services mapping internal ports (SMB/445, RDP/3389) to onion domains, while SSH services with public key authentication provide encrypted remote access. The malware employs obfs4 protocol to obfuscate TOR traffic, evading deep packet inspection. Persistence is achieved through scheduled tasks masquerading as legitimate applications like Opera GX and Dropbox, establishing an anonymous shadow management infrastructure for sustained intelligence collection."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777460422",
        "to_ids": false,
        "type": "text",
        "uuid": "40c4229f-644f-4193-9702-0a2dd88b2932",
        "value": "Name: Attack Activity Analysis Using SSH+TOR Tunnels for Covert Persistence\nAuthor: AlienVault\nAdversary: APT-C-13\nTags: [\"tor hidden service\", \"covert persistence\", \"spear-phishing\", \"scheduled tasks\", \"sandworm\", \"frozenbarents\", \"obfs4 obfuscation\", \"ssh tunneling\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: [\"T1053.005\", \"T1036.005\", \"T1204.002\", \"T1497.001\", \"T1021.004\", \"T1566.001\", \"T1119\", \"T1572\", \"T1027.001\", \"T1083\", \"T1547.001\", \"T1090.003\", \"T1562.001\", \"T1573.002\", \"T1070.004\", \"T1071.001\", \"T1105\", \"T1021.001\", \"T1564.001\"]\nIndustries: [\"Government\", \"Energy\", \"Defense\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777685935",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "3225d28d-8c43-46cb-a7f4-615617c9de97",
        "value": "APT-C-13",
        "Tag": [
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:threat-actor=\"Sandworm\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777688654",
        "to_ids": true,
        "type": "domain",
        "uuid": "6949d529-43e8-4107-9640-ec2115b586c9",
        "value": "2zrek3mkl72d5b6evpkx2rz2glzrltiorgblpfb2ttg6lacwlsdk4iqd.onion",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777688675",
        "to_ids": true,
        "type": "domain",
        "uuid": "e4a4c780-5bd5-4817-bde8-c268ebf0458b",
        "value": "3xl6xhboulyuez6fuydyhj7pdvkshzn4ogsmgwbb3ukrkvgi6bcwvfyd.onion",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777688697",
        "to_ids": true,
        "type": "domain",
        "uuid": "05732c29-dd49-4f3f-ae27-559bb5bb05a5",
        "value": "e3mnde5uyuxjoztup6t3m7nykbicexbzra76ucligwgsaez65w63y2ad.onion",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777688718",
        "to_ids": true,
        "type": "domain",
        "uuid": "816f4a47-da10-4367-aa2f-ee454502fc4e",
        "value": "imnlyhj4mtmtesqrvf7c4ma6dkxeyxw3ae53w6fuz42spndg7zpat6qd.onion",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777688739",
        "to_ids": true,
        "type": "domain",
        "uuid": "c3f0df72-03e6-4b4c-b75b-2a90ca4c0cc9",
        "value": "kvk46su7d2qi6g4n43syp4zbsf2rihnc6ztj77qtc2ojvewjqvqilnqd.onion",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777688760",
        "to_ids": true,
        "type": "domain",
        "uuid": "e662bdc2-057f-41c2-8708-beae4e4d751a",
        "value": "nytiplwknkinobjaeb5tajjiglip3vtaccju6ta7d47u5u64ktrwhrqd.onion",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545770",
        "uuid": "056bb38a-b2d3-4c46-9686-85caf7bc938e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545770",
            "to_ids": true,
            "type": "md5",
            "uuid": "b5f98c21-fd4d-46e8-b980-733fd0309707",
            "value": "0b6f7356919b9632c1158681ee0462f3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545770",
            "to_ids": true,
            "type": "sha1",
            "uuid": "b89cd5d4-0864-4f00-9082-b34e74d9287a",
            "value": "7b50320a005cf68e5c17d51a8fd8422ceef1611a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545770",
            "to_ids": true,
            "type": "sha256",
            "uuid": "152fab4a-9b68-4167-ade0-39d4a06b00a2",
            "value": "2a9b971c835e2ee5f190d068c602601fdaf718d8bfe085c2032d59a6f25ed082",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777687332",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d6812a65-0362-4cfc-8cd1-3e25a23e2875",
            "value": "196608:j0kbfrkMDJePO6TnNLe5n38ey4NsSE4l0IbW+eeuXRCbs3fXvDLkWoXEpXcewU+j:jgm65SpqNSJWrRos3fX7UUtcewcnWjfh"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777687332",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "80bc87b0-347a-4868-a05c-9610e85a3335",
            "value": "12524776"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777687332",
            "to_ids": true,
            "type": "vhash",
            "uuid": "fe11888e-523b-41b2-a3f1-74fc37e8d11c",
            "value": "4d15898dc88d8d6882a1afe9e5287fc4"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/05/2026\nLast-scan\t:  22/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777687332",
            "to_ids": false,
            "type": "text",
            "uuid": "943d48f6-8d17-4fdf-8e11-f169721791f6",
            "value": "Type Description: ZIP\nMicrosoft: None\nVT Total Detection:37/68\nFirst Submission:2025-12-30T11:04:01.000000+00:00\nLast Submission:2025-12-30T11:04:01.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545773",
        "uuid": "1f4e8032-a3e2-41c3-b48f-2a6b7487ac4c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545773",
            "to_ids": true,
            "type": "md5",
            "uuid": "24cbd1b6-243c-4fcc-a685-21b7f4749879",
            "value": "4d5074d6e0722ceec45a083fa8444164",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545773",
            "to_ids": true,
            "type": "sha1",
            "uuid": "87467754-3f18-42ec-81ce-d17a7b066619",
            "value": "aba35de9e819396f89f34c03058ebe71a7f98b6b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545773",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4f0bc5a4-35a0-45f8-8984-e66e2eefbdee",
            "value": "42910bf2aa4ac9d62e2b32e6fadc42f11bd7215fee492ecf72cfd6238965d066",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777687354",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a9c71994-f877-495c-8790-b1f447c25f66",
            "value": "48:8jefAnhjMeYzmxW7xMxkgR7xGxdkHt68HrtTd0vjKlLxM:8jefSjMebWFgkgjukQ8HroW"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777687354",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "dbe974dd-bcf1-48b2-8023-b665f34e85f3",
            "value": "2439"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777687354",
            "to_ids": true,
            "type": "vhash",
            "uuid": "1d1d6eee-9b41-4f11-900c-23737aab0305",
            "value": "a8a65189899e694d0325acbfe2fbfa60"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777687354",
            "to_ids": true,
            "type": "filename",
            "uuid": "ca914448-01df-4e42-9783-539b03a8766b",
            "value": "Scan_Media_1757_dsp_Prikaz_na_perepodgotovku.pdf.lnk"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/05/2026\nLast-scan\t:  30/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777687354",
            "to_ids": false,
            "type": "text",
            "uuid": "0bf50db0-4b47-4739-9aff-fd004f3f0aa2",
            "value": "Type Description: Windows shortcut\nMicrosoft: Trojan:Win32/WinLNK.HDA!MTB\nVT Total Detection:31/62\nFirst Submission:2025-12-30T11:04:49.000000+00:00\nLast Submission:2026-01-13T05:39:38.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545776",
        "uuid": "db5b9e47-b9e3-40c2-b242-cec9b0f3ee99",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545775",
            "to_ids": true,
            "type": "md5",
            "uuid": "5699f59a-c4ea-4df3-815e-19820f2e9452",
            "value": "6616717dfb2a795113b47d862c5412e2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545776",
            "to_ids": true,
            "type": "sha1",
            "uuid": "091370c6-3af3-4f1b-b986-71a5a654577a",
            "value": "c22150121a13713b395a155af5d55680dde56ac1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545776",
            "to_ids": true,
            "type": "sha256",
            "uuid": "474b759c-a6d5-40ac-99d4-5947d45dc5ed",
            "value": "a79b5162f9a49df3db4f001325938b9dc7bdc471b71108ed178350c89252e3a5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777687375",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "9d6e00bb-81a0-4f5c-a0e8-c2584c2ad567",
            "value": "48:8PLDfQFnIXcqBjbbYMD0AsrHnd0IRMPe4:8PLDfQ+XRHkMD0dHCIRse"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777687375",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "cc048172-6cff-41c6-8891-30fcc4513da1",
            "value": "2295"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777687375",
            "to_ids": true,
            "type": "vhash",
            "uuid": "06c3c327-0ec9-421e-9d94-0b527af9d8ea",
            "value": "a8a65189899e694d0325acbfe2fbfa60"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777687375",
            "to_ids": true,
            "type": "filename",
            "uuid": "47451234-661b-4ee4-aefa-9a1c56a0ab01",
            "value": "Scan_125992145_TLG_na_perepodgotovku_dsp.\u200d\u200c\u200d\u200dpdf\u200d\u200d.lnk"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/05/2026\nLast-scan\t:  29/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777687375",
            "to_ids": false,
            "type": "text",
            "uuid": "abd647dd-7d88-46a6-9b25-b2a0967a495f",
            "value": "Type Description: Windows shortcut\nMicrosoft: Trojan:Win32/WinLNK.HDA!MTB\nVT Total Detection:34/62\nFirst Submission:2026-01-30T12:13:37.000000+00:00\nLast Submission:2026-01-30T12:13:37.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545779",
        "uuid": "a01bdb4e-b67b-49e8-8205-69b51c3c754f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545778",
            "to_ids": true,
            "type": "md5",
            "uuid": "b1a52a19-62a7-440c-b86d-1568901d62db",
            "value": "99732e49668e56527963742922277459",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545779",
            "to_ids": true,
            "type": "sha1",
            "uuid": "8ab05f19-ebbd-45c2-9dc9-53fb473ffac3",
            "value": "8e49c3ee98fc722c77b3b37e3abafb3581369b6e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545779",
            "to_ids": true,
            "type": "sha256",
            "uuid": "896a2342-4699-4107-ba28-c3221bc1455b",
            "value": "111e42c31f8e4ae3764f339d7ad04b20bb21be5d97ede13aaa7c73e72cb7549d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777687397",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "617acfc0-9004-4fef-b63d-239b876f7f45",
            "value": "393216:f1UZfGlH2Tkx486MPu8DLGR7zQwg7fmrqkY1JtpMrf:WZaHeou2gx/eNtwf"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777687397",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "5c25e3ac-5613-42ed-91a7-45898d2213bf",
            "value": "12995440"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777687397",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d9093b5c-4041-4b62-aa7c-f52eee22cf68",
            "value": "a3715111c7afca06ca3dbbbeff55ed72"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/05/2026\nLast-scan\t:  29/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777687397",
            "to_ids": false,
            "type": "text",
            "uuid": "97668d2f-3b21-428c-87cc-fd87484208e4",
            "value": "Type Description: ZIP\nMicrosoft: None\nVT Total Detection:36/67\nFirst Submission:2026-01-30T12:12:07.000000+00:00\nLast Submission:2026-01-30T12:12:07.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545782",
        "uuid": "f68ba733-5cfa-48c6-816b-b98e8a23490f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545781",
            "to_ids": true,
            "type": "md5",
            "uuid": "490ffc5d-66f2-4f20-addf-bfb260d55bca",
            "value": "2156c270ffe8e4b23b67efed191b9737",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545782",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7887adbf-11f9-47ad-90e3-33eac973a73b",
            "value": "975d8bdfec6b58ae9004d526fa9f852108026a9c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545782",
            "to_ids": true,
            "type": "sha256",
            "uuid": "24ae9e3e-5a09-46a8-b2ea-af8d1a82f4d3",
            "value": "0a78005858bef767b39cfbbeb543a80dfde46807ee75594de77d3ddfe119e8b5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777687419",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c0e759e6-cff1-4aa5-8fd2-705cefb623d8",
            "value": "196608:BZked/YGndPectif51wK1C809VDAkxILC/hNEHhqisKSW6In9mNkTn6WktcjKCTc:19GBg1XxWC/hNMTnt6BKnJVc"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777687419",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "8055c6e7-a36b-4d44-bb44-2cae61d08d79",
            "value": "12304687"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777687419",
            "to_ids": true,
            "type": "vhash",
            "uuid": "c48c6ed8-6079-4dd0-baee-8954ecb8202c",
            "value": "6d6a3b5b67152c82fb9145b10a846c5f"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777687419",
            "to_ids": true,
            "type": "filename",
            "uuid": "d714ff47-94f9-46c6-b146-8100650dd953",
            "value": "Iskhod_7582_Predstavlenie_na_naznachenie.zip"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/05/2026\nLast-scan\t:  30/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777687419",
            "to_ids": false,
            "type": "text",
            "uuid": "21b65bde-24e6-4d1e-8e49-ebf7a04108c7",
            "value": "Type Description: ZIP\nMicrosoft: None\nVT Total Detection:38/67\nFirst Submission:2026-01-23T05:53:06.000000+00:00\nLast Submission:2026-01-23T05:53:06.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545785",
        "uuid": "cd9ec1bc-e940-49f1-9665-c1589134e224",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545784",
            "to_ids": true,
            "type": "md5",
            "uuid": "c1eeb831-5720-4506-94e4-62160a45f608",
            "value": "a6d095dc0e01f97db7e74cb5bed402dc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545785",
            "to_ids": true,
            "type": "sha1",
            "uuid": "a747c46d-206f-4dac-90e1-a31a79b76731",
            "value": "940658590d938380b71fd5055635c02564a63ef1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545785",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f8bc8f24-8a50-46d8-a545-b303c837b421",
            "value": "1fbdb99357ace6d6db830c63850a6e8a4ea3607776c4668feb135f3ff0d95151",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777687440",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f01a3647-072c-49c6-b7ef-5986898a8a61",
            "value": "48:8VKLfVnkDZF3tbzpLzGxSJUWIwB1SHgd0RQ+:8oLfMr3thuxSapCSHbR"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777687440",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "9abe5472-2b92-4fdf-822f-eee07805b93f",
            "value": "2363"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777687440",
            "to_ids": true,
            "type": "vhash",
            "uuid": "897e06f0-16ec-4df8-9456-da438f84da1b",
            "value": "a8a65189899e694d0325acbfe2fbfa60"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777687440",
            "to_ids": true,
            "type": "filename",
            "uuid": "7b3e75c4-5df4-4bc7-8e70-6349d70144a1",
            "value": "Iskhod_7582_Predstavlenie_na_naznachenie.pdf.lnk"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/05/2026\nLast-scan\t:  30/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777687440",
            "to_ids": false,
            "type": "text",
            "uuid": "d9f22c0b-fdb1-4da5-831e-6bd9e5adca43",
            "value": "Type Description: Windows shortcut\nMicrosoft: Trojan:Win32/WinLNK.HDA!MTB\nVT Total Detection:34/62\nFirst Submission:2026-01-23T05:53:41.000000+00:00\nLast Submission:2026-02-23T10:29:40.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545788",
        "uuid": "9134ee29-d6d3-4aaf-ac93-fe8452695a82",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545787",
            "to_ids": true,
            "type": "md5",
            "uuid": "9273e02d-2566-432f-abec-8dc9c6629a1b",
            "value": "53ac08488544ad1fefd6363db44549cf",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545787",
            "to_ids": true,
            "type": "sha1",
            "uuid": "f8ae989e-89cc-4bb8-a3f7-2c2b5a5a6c5b",
            "value": "3dd268fb969eaeb5d9068e185a9e33d5e25073cd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545788",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1c056bfe-f525-4617-8f56-db2c272e36de",
            "value": "63297928883b0dc4e0735963dbcb2b2fa0c1e131af6d486f882070a6eb7e339a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777687462",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "357b6f0a-c772-45b8-a5cb-b43ec9981ca6",
            "value": "196608:ub+cPJsN1g+0NFlOvwILGLzEB2oYpN5F0XuGdZFFPXEBdnEojL9yUM5rl0AK4+0E:eJsm0Sv3vF4uUvFPX26+VM5vH3wOt2"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777687462",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "9586a737-43b3-487c-907c-7174f462f083",
            "value": "12753369"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777687462",
            "to_ids": true,
            "type": "vhash",
            "uuid": "0e6cf8ee-ce41-40d4-ad97-0c1e1bbd36a0",
            "value": "6d6a3b5b67152c82fb9145b10a846c5f"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/05/2026\nLast-scan\t:  24/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777687462",
            "to_ids": false,
            "type": "text",
            "uuid": "2ae809b5-ebb5-4e95-9ef3-c98e69027369",
            "value": "Type Description: ZIP\nMicrosoft: None\nVT Total Detection:37/68\nFirst Submission:2026-01-19T15:16:16.000000+00:00\nLast Submission:2026-01-19T15:16:16.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545790",
        "uuid": "bd3a3dfa-d1b1-4b21-af7d-9facf783db94",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545789",
            "to_ids": true,
            "type": "md5",
            "uuid": "86f9ed12-598c-42b3-9ca5-00e6ef9d862b",
            "value": "227b3fa386cad73f0f388d801060e2c8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545790",
            "to_ids": true,
            "type": "sha1",
            "uuid": "a43f0b0b-ec5c-44b6-b6f1-18de32b6cc32",
            "value": "aaba9f60d81467c27c82f5c6d6cb6accd6890fc4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545790",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f613857e-41a3-4a71-bc8d-24e7f721f963",
            "value": "bbcdb82918f0decb1d6e20c90e872175cf278006948c5995ffd88033f56a1b71",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777687484",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "96049382-a893-4d54-91a0-e1bd71ecb316",
            "value": "48:8vNXDfcJJnP9HOrOeajdCjo6rxI1gtMHxd0GjKlLxM:8lXDfGB9H0ooIWMHwN"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777687484",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f4192945-b74b-4e4d-88e1-e753339809f4",
            "value": "2279"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777687484",
            "to_ids": true,
            "type": "vhash",
            "uuid": "ab0b892f-6655-480b-a6bb-f933e597759f",
            "value": "a8a65189899e694d0325acbfe2fbfa60"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777687484",
            "to_ids": true,
            "type": "filename",
            "uuid": "dbd7da1d-57bc-48e6-84a9-c5e381723581",
            "value": "Proekt_prikaza_681_o_pooshchrenii 22_12.pdf.lnk"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/05/2026\nLast-scan\t:  24/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777687484",
            "to_ids": false,
            "type": "text",
            "uuid": "e380fa81-8046-4c82-a9c4-b92b8091ac19",
            "value": "Type Description: Windows shortcut\nMicrosoft: Trojan:Win32/Etset!rfn\nVT Total Detection:33/63\nFirst Submission:2026-01-19T15:17:20.000000+00:00\nLast Submission:2026-01-19T15:17:20.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545793",
        "uuid": "e0fbe7fa-556c-4096-ba95-219eb0d5915c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545792",
            "to_ids": true,
            "type": "md5",
            "uuid": "7f72d562-2a3c-45e3-88ab-5a4e8c3f5a37",
            "value": "09f402a02b615dcd14786aaa840db0a2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545792",
            "to_ids": true,
            "type": "sha1",
            "uuid": "ad0d24ff-8138-4a36-b041-3fe7846a33d0",
            "value": "7e6b6b6ebd64d458a3ee0ce58bce0ddbbc0bb5e9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545793",
            "to_ids": true,
            "type": "sha256",
            "uuid": "e748d48a-b4eb-49b8-991d-aaf98d0a220c",
            "value": "54148383c8a8a5e51cf4892702f14176110beccd377af75cb184805b6a20986b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777687505",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "bc4e2d0a-187c-474c-a60a-e99a9375b156",
            "value": "196608:O9c7xJZvCmDffEL24wFf+zlU76jIGKBuCgKyMhLa5pSm+EdGLynhKmfmJixUgByx:O9MJNCmDHN4UO0wCQMBa5030GLynPf8F"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777687505",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "35269166-7f9c-4694-8502-1d6917a3c214",
            "value": "12568114"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777687505",
            "to_ids": true,
            "type": "vhash",
            "uuid": "6644a961-7695-4b1d-9211-e5f080e3caf1",
            "value": "6d6a3b5b67152c82fb9145b10a846c5f"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/05/2026\nLast-scan\t:  25/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777687505",
            "to_ids": false,
            "type": "text",
            "uuid": "dfe82e2d-af5e-4e37-ae51-519f394f07b5",
            "value": "Type Description: ZIP\nMicrosoft: None\nVT Total Detection:34/67\nFirst Submission:2026-01-21T13:52:22.000000+00:00\nLast Submission:2026-01-21T13:52:22.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545795",
        "uuid": "8a84a71e-bfe7-4b21-9f96-4bc38d4bb7da",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545795",
            "to_ids": true,
            "type": "md5",
            "uuid": "f1cb9e76-df4e-47e9-bc99-9bd1b74be839",
            "value": "1b39fce74193dd2cd5c36b2f8b626273",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545795",
            "to_ids": true,
            "type": "sha1",
            "uuid": "5d5a04ed-f0ad-4f78-bda6-67ccc43c389a",
            "value": "d2106fa68e2e6416914855bb4898969365441685",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545795",
            "to_ids": true,
            "type": "sha256",
            "uuid": "5b7f6ef9-d5dc-40ff-87a1-5747f6730418",
            "value": "6df9cb909b321c24656b218a06dad56bb7916d8ce7de2342321f648af0124e56",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777687527",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "3371d507-e60e-4fed-936e-297e817a15eb",
            "value": "24:86IJzfP95yizyQACWD+/CWzAqS7DZ/Y+3UCokoWFQQsjFKrC3bjb3jWUpZ/Lp1U3:86qfP+nmoDZYlyi/BZN1Hl3d04rRaA"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777687527",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "6d76b12e-179d-4420-8f64-91475d50cacb",
            "value": "2265"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777687527",
            "to_ids": true,
            "type": "vhash",
            "uuid": "4ffea67e-c206-4cd0-b84b-d1cd78aae825",
            "value": "a8a65189899e694d0325acbfe2fbfa60"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777687527",
            "to_ids": true,
            "type": "filename",
            "uuid": "a15fd4e0-62e5-4d2e-92fc-133d917940bd",
            "value": "Predstavlenie_na_naznachenie.pdf.lnk"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/05/2026\nLast-scan\t:  24/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777687527",
            "to_ids": false,
            "type": "text",
            "uuid": "4427678b-4ba0-459b-9cbb-8851431c7ab7",
            "value": "Type Description: Windows shortcut\nMicrosoft: Trojan:Win32/WinLNK.HDA!MTB\nVT Total Detection:32/63\nFirst Submission:2026-01-21T13:53:02.000000+00:00\nLast Submission:2026-01-21T13:53:02.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545798",
        "uuid": "82f123b5-b76f-46a9-a7e3-ff2fd0386f68",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545797",
            "to_ids": true,
            "type": "md5",
            "uuid": "18cb69a6-331e-4bac-b968-5752ff45068f",
            "value": "487557c9b7288a6b035911a7652ad57c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545798",
            "to_ids": true,
            "type": "sha1",
            "uuid": "dc287812-192f-417d-a906-fc731d4bfed5",
            "value": "55d477a5c026970e76b435d7fe282d842fe7a6af",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545798",
            "to_ids": true,
            "type": "sha256",
            "uuid": "5b0a57fa-1d86-496c-bae0-137e80b21598",
            "value": "1359c044951e16438251483290799b83da97af9f73dfd081a862b9edd94d512d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777687549",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "56ea1310-5ae1-4954-90e3-aaf83c7c88e4",
            "value": "24:8SBlEXF5fpryiiRQA2WD+/CWZS71lm4pUsFNAir5Qh60ca0RUMkWLLgddqVga/29:8STEHf0n/m4pX2450VMRHAd0b2c"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777687549",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "02dccc4d-74c5-440b-98ae-9f64048b22ee",
            "value": "2287"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777687549",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d048f02c-a56d-4801-969e-be4e7f32d2c6",
            "value": "a8a65189899e694d0325acbfe2fbfa60"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777687549",
            "to_ids": true,
            "type": "filename",
            "uuid": "739e0fdd-a0aa-415d-9162-85d5d5903d74",
            "value": "Media_37498_dokument_29_yanvar_2026.\u200cpdf\u200b\u200c\u200c\u200b.lnk"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/05/2026\nLast-scan\t:  30/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777687549",
            "to_ids": false,
            "type": "text",
            "uuid": "271d90d4-c3fc-4d60-a3f7-222888954b32",
            "value": "Type Description: Windows shortcut\nMicrosoft: Trojan:Win32/WinLNK.HDA!MTB\nVT Total Detection:30/62\nFirst Submission:2026-01-29T10:59:58.000000+00:00\nLast Submission:2026-01-29T10:59:58.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545801",
        "uuid": "c7284e2e-3bc5-48eb-b308-e4efd6b5d1b0",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545800",
            "to_ids": true,
            "type": "md5",
            "uuid": "ea898b7e-5dac-4719-8962-6ec3ca1f40c9",
            "value": "5db8e71b8e82661408f96b43e7ae8faf",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545800",
            "to_ids": true,
            "type": "sha1",
            "uuid": "1c104956-a5ba-4b9d-b081-529709bb765e",
            "value": "91b0ff5912969e94cf3a80279c42edf366ce1ea6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545801",
            "to_ids": true,
            "type": "sha256",
            "uuid": "bb136e28-7a90-4ac9-9cc9-48fedba17547",
            "value": "08dcdc76a455838d17645d71aeca5a07f95ac3b6c3b3ee72f2b7c66ed5c4aa0a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777687570",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "172b44aa-9c16-4dce-a840-2ec866dce3f8",
            "value": "196608:V/U938f1vhGM7f1IJjiH2BfSukew9tx4tG/Td+dvpMSW/BR8tvQpl2gUOUb1q32j:FFjWZq7xwG/Tdca95R85VXWyb3"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777687570",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "226ecd0d-32b2-44f9-b4aa-48141af0fd60",
            "value": "12294231"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777687570",
            "to_ids": true,
            "type": "vhash",
            "uuid": "a5dfa205-8b1a-4d0a-b2f6-a50e9e9cda5c",
            "value": "a3715111c7afca06ca3dbbbeff55ed72"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/05/2026\nLast-scan\t:  29/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777687570",
            "to_ids": false,
            "type": "text",
            "uuid": "e5929a5b-a84c-4f09-8cc7-2d6af5e8db97",
            "value": "Type Description: ZIP\nMicrosoft: None\nVT Total Detection:29/67\nFirst Submission:2026-01-29T10:58:16.000000+00:00\nLast Submission:2026-01-29T10:58:16.000000+00:00"
          }
        ]
      }
    ]
  }
}