{
  "Event": {
    "analysis": "1",
    "date": "2026-03-18",
    "extends_uuid": "",
    "info": "[Threat Intel] How to uncover a Horabot campaign and detect this malware",
    "protected": false,
    "publish_timestamp": "1774245871",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1774245871",
    "uuid": "6a3adaca-3b86-4501-b307-ccacee18939a",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"Kaspersky\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#bb2745",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Standard Encoding - T1132.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#72ee33",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c8fe6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Local Email Collection - T1114.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#08b028",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Asymmetric Cryptography - T1573.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#e12cbc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Non-Application Layer Protocol - T1095\"",
        "relationship_type": ""
      },
      {
        "colour": "#d82db7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Query Registry - T1012\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Security Software Discovery - T1518.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Hidden Window - T1564.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#02475d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#30cc3b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#98f3da",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Visual Basic - T1059.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#ad3992",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Server - T1584.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#d52b43",
        "local": false,
        "name": "misp-galaxy:target-information=\"Mexico\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773889207",
        "to_ids": false,
        "type": "link",
        "uuid": "9356e418-45de-4117-934f-a32274f4d0b9",
        "value": "https://securelist.com/horabot-campaign/119033/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773889207",
        "to_ids": false,
        "type": "text",
        "uuid": "522751bc-2aa4-4a34-b507-a954a9b3da0d",
        "value": "This report details the discovery and analysis of a Horabot malware campaign targeting primarily Mexican users. The attack chain begins with a fake CAPTCHA page (the URL indicators below show an .hta file served from a /0capcha17/ path) leading to multiple stages of obfuscated scripts, ultimately delivering an AutoIT loader and a Delphi-based banking Trojan. The loader appears to decrypt its payload in memory with Windows CryptoAPI (the AutoIT loader YARA rule keys on CryptDeriveKey/CryptDecrypt alongside the CALG_AES_192 and CALG_MD5 constants, plus MemoryLoadLibrary/VirtualAlloc); the malware also performs anti-VM checks and uses a custom protocol for C2 communication. A spreader component written in PowerShell harvests and exfiltrates email addresses to distribute phishing emails. The analysis reveals Brazilian Portuguese comments in the code, suggesting the threat actor's origin. The report provides detection opportunities including YARA rules and hunting queries to identify this threat."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773889207",
        "to_ids": false,
        "type": "text",
        "uuid": "3e22d7a6-97ab-497c-bee8-ebe0f30dc1bb",
        "value": "Name: How to uncover a Horabot campaign and detect this malware\nAuthor: AlienVault (OTX pulse; original research published by Kaspersky on Securelist)\nAdversary: Horabot\nTags: [\"ponteiro\", \"delphi\", \"brazil\", \"zusy\", \"metamorfo\", \"multi-stage attack\", \"email spreader\", \"horabot\", \"casbaneiro\", \"powershell\", \"autoit\", \"mexico\", \"banking trojan\"]\nTgtd countries: [\"Mexico\"]\nMlwr families: [\"Horabot\", \"Metamorfo - S0455\", \"Casbaneiro\", \"Ponteiro\", \"Zusy\"]\nAttack_ids: [\"T1132.001\", \"T1056.001\", \"T1114.001\", \"T1204.002\", \"T1082\", \"T1140\", \"T1059.001\", \"T1547.001\", \"T1027\", \"T1573.002\", \"T1095\", \"T1012\", \"T1518.001\", \"T1564.003\", \"T1059.003\", \"T1070.004\", \"T1071.001\", \"T1059.005\", \"T1584.004\"]\nIndustries: [\"Finance\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773889207",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "2af93c70-3fa8-44e5-9e77-829d01f56133",
        "value": "Horabot"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774239461",
        "to_ids": true,
        "type": "url",
        "uuid": "b44276b4-e7da-40da-bee8-edc59b220e59",
        "value": "http://evs.grupotuis.buzz/0capcha17/DMEENLIGGB.hta",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774239483",
        "to_ids": true,
        "type": "url",
        "uuid": "5c6115d3-6c5c-467d-a94a-8d62a722debe",
        "value": "https://aufal.filevexcasv.buzz/on7/index15.php",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774239505",
        "to_ids": true,
        "type": "url",
        "uuid": "2d6ccf4f-cf2d-4d73-a0c2-44777a9cc5ff",
        "value": "https://aufal.filevexcasv.buzz/on7all/index15.php",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774239528",
        "to_ids": true,
        "type": "url",
        "uuid": "1cc9d1a0-8646-4629-8ebf-c5c2ff27a90f",
        "value": "https://cfg.brasilinst.site/a/br/logs/index.php?CHLG",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774239550",
        "to_ids": true,
        "type": "url",
        "uuid": "cd69ffde-06f7-456b-b22d-80b8c8758da2",
        "value": "https://cgf.facturastbs.shop/0725/a/home",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774239572",
        "to_ids": true,
        "type": "url",
        "uuid": "65cc4591-15e8-4c29-8a4d-902cade131c9",
        "value": "https://cgf.facturastbs.shop/a/08/150822/au/app",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774239594",
        "to_ids": true,
        "type": "url",
        "uuid": "e1050801-f971-4932-a78b-bd5b19be850b",
        "value": "https://cgf.facturastbs.shop/a/08/150822/au/at.html",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774239616",
        "to_ids": true,
        "type": "url",
        "uuid": "e532d1e1-92ae-4b78-adcd-d6afdec83d7c",
        "value": "https://cgf.facturastbs.shop/a/08/150822/au/gerapdf/blqs1",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774239638",
        "to_ids": true,
        "type": "url",
        "uuid": "48ef9047-1ef4-4aab-ac08-fa675956c86f",
        "value": "https://cgf.facturastbs.shop/a/08/150822/au/gerauto.php",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774239660",
        "to_ids": true,
        "type": "url",
        "uuid": "287e133e-931e-4a46-bc7a-7f2b6d318e08",
        "value": "https://cgf.midasx.site/a/08/150822/au/au",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774239682",
        "to_ids": true,
        "type": "url",
        "uuid": "30425d08-1993-4f83-a6aa-3a9ae7b7f95e",
        "value": "https://evs.grupotuis.buzz/0capcha17/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774239704",
        "to_ids": true,
        "type": "url",
        "uuid": "47224cba-5a8e-42a3-89b0-96e82efe8aba",
        "value": "https://evs.grupotuis.buzz/0capcha17/DMEENLIGGB.hta",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774239727",
        "to_ids": true,
        "type": "url",
        "uuid": "b410a7ea-b77e-4a66-bc8c-e8e4054b461d",
        "value": "https://evs.grupotuis.buzz/0capcha17/DMEENLIGGB/GRXUOIWCEKVX",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774239749",
        "to_ids": true,
        "type": "url",
        "uuid": "21d0fbf6-e1a6-4002-a7c1-26ce13c924f2",
        "value": "https://labodeguitaup.space/a/08/150822/au/au",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774239771",
        "to_ids": true,
        "type": "url",
        "uuid": "e2d83974-28c7-43fc-88d1-61b81d40eddf",
        "value": "https://pdj.gruposhac.lat/g1/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774239793",
        "to_ids": true,
        "type": "url",
        "uuid": "163851c1-fb0c-450d-af4f-5ace5434628d",
        "value": "https://pdj.gruposhac.lat/g1/auxld1",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774239815",
        "to_ids": true,
        "type": "url",
        "uuid": "1ada647c-fc04-4365-ad92-8e397d5c5271",
        "value": "https://pdj.gruposhac.lat/g1/ctld/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774239837",
        "to_ids": true,
        "type": "url",
        "uuid": "b3aecc6d-207e-4127-a092-1345a6a03bfa",
        "value": "https://pdj.gruposhac.lat/g1/gerador.php",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774239859",
        "to_ids": true,
        "type": "url",
        "uuid": "4ee29a06-8de8-4126-810c-efe55b96a64c",
        "value": "https://pdj.gruposhac.lat/g1/ld1/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774239882",
        "to_ids": true,
        "type": "url",
        "uuid": "176371b9-cb0f-44b0-84ed-fe89c7f6a4d8",
        "value": "https://thea.gruposhac.space/0out0408",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774239904",
        "to_ids": true,
        "type": "url",
        "uuid": "732aa388-27ad-406b-87a8-9f8fda5c197c",
        "value": "https://upstar.pics/a/08/150822/up/up",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774239925",
        "to_ids": true,
        "type": "domain",
        "uuid": "46e1758e-a932-49b0-b8f6-3999848fb7ca",
        "value": "labodeguitaup.space",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774239947",
        "to_ids": true,
        "type": "domain",
        "uuid": "f13dff84-c134-4346-9701-5dc6e04d4646",
        "value": "lifenews.pro",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774239969",
        "to_ids": true,
        "type": "domain",
        "uuid": "3b78701d-af56-45f5-bdb7-e791bb93fc9e",
        "value": "upstar.pics",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774239991",
        "to_ids": true,
        "type": "hostname",
        "uuid": "3a9b75f1-372a-4aab-ae88-49974be4805d",
        "value": "aufal.filevexcasv.buzz",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774240013",
        "to_ids": true,
        "type": "hostname",
        "uuid": "188755b1-1984-45be-97a0-a43e1e155641",
        "value": "cfg.brasilinst.site",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774240036",
        "to_ids": true,
        "type": "hostname",
        "uuid": "90a43a79-7161-47d5-9ced-ff7db8dc3df1",
        "value": "cgf.facturastbs.shop",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774240058",
        "to_ids": true,
        "type": "hostname",
        "uuid": "12b805f3-4e27-4a81-b562-3a85da12431c",
        "value": "cgf.midasx.site",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774240081",
        "to_ids": true,
        "type": "hostname",
        "uuid": "d07833a4-565b-4790-862f-471f78b1f8fa",
        "value": "evs.grupotuis.buzz",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774240102",
        "to_ids": true,
        "type": "hostname",
        "uuid": "a037a49b-74cf-400b-9e37-ccb31839d530",
        "value": "pdj.gruposhac.lat",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774240124",
        "to_ids": true,
        "type": "hostname",
        "uuid": "bf6b1dd3-98d9-4ad3-a4a7-7cb20d80f671",
        "value": "thea.gruposhac.space",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774240146",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "772e5fa8-6081-4921-a41c-783b225f91e7",
        "value": "64.177.80.44",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1774230231",
        "uuid": "254c46af-2e35-4c1b-9ac9-73211c7fc1af",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1774230231",
            "to_ids": false,
            "type": "text",
            "uuid": "1dc11d7c-86d2-440f-aee6-c28c636aa208",
            "value": "Horabot_Delphi_Trojan"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1774230231",
            "to_ids": false,
            "type": "comment",
            "uuid": "54ed2bdb-5a7d-49e6-92fe-f3d5b6e54936",
            "value": "Detects Horabot payload/trojan (Delphi DLL). The condition uses the YARA pe module (pe.is_dll, pe.number_of_exports, pe.exports) but the stored rule text carries no import \"pe\" statement, so prepend one before compiling or the rule fails with an undefined identifier. The uint32be(0) == 0x4d5a5000 check pins an 'MZP' DOS header, typical of Delphi-linked PE files."
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1774230231",
            "to_ids": true,
            "type": "yara",
            "uuid": "cf13972b-0c8e-4c3f-aa2c-f51e7a75c4cc",
            "value": "rule Horabot_Delphi_Trojan\r\n{\r\n    meta:\r\n        author = \"maT\"\r\n        description = \"Detects Horabot payload/trojan (Delphi DLL)\"\r\n        hash_01 = \"6272ef6ac1de8fb4bdd4a760be7ba5ed\"\r\n        hash_02 = \"4caa797130b5f7116f11c0b48013e430\"\r\n        hash_03 = \"c882d948d44a65019df54b0b2996677f\"\r\n \r\n    condition:\r\n        uint32be(0) == 0x4d5a5000 and \r\n        filesize < 150MB and \r\n        pe.is_dll() and\r\n        pe.number_of_exports == 4 and\r\n        pe.exports(\"dbkFCallWrapperAddr\") and\r\n        pe.exports(\"__dbk_fcall_wrapper\") and\r\n        pe.exports(\"TMethodImplementationIntercept\") and\r\n        pe.exports(/^[A-Z][0-9]{6}_[A-Z0-9]$/)\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1774230258",
        "uuid": "631376d4-9f46-42b2-8038-ca65d3a43bf2",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1774230258",
            "to_ids": false,
            "type": "text",
            "uuid": "5526bc3a-5779-4ca3-8a99-fec4be5eccd6",
            "value": "Horabot_AutoIT_Loader"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1774230258",
            "to_ids": false,
            "type": "comment",
            "uuid": "a5fd88c0-468e-4aca-9d71-6da715b4b92a",
            "value": "Detects AutoIT script used as a loader by Horabot. The strings target the plaintext .au3 source (CryptoAPI import names, Local $ declarations, filesize < 100KB), so it is unlikely to fire on the same script once compiled into an AutoIt executable; hunt for the script file on disk, not only the running process."
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1774230258",
            "to_ids": true,
            "type": "yara",
            "uuid": "2b20a71f-17ca-4ab8-921d-05536fa0e3b5",
            "value": "rule Horabot_AutoIT_Loader\r\n{\r\n    meta:\r\n        author = \"maT\"\r\n        description = \"Detects AutoIT script used as a loader by Horabot\"\r\n    \r\n    strings:\r\n        $winapi_01 = \"Advapi32.dll\"\r\n        $winapi_02 = \"CryptDeriveKey\"\r\n        $winapi_03 = \"CryptDecrypt\"\r\n        $winapi_04 = \"MemoryLoadLibrary\"\r\n        $winapi_05 = \"VirtualAlloc\"\r\n        $winapi_06 = \"DllCallAddress\"\r\n \r\n        $str_seed = \"99521487\"\r\n        $str_func01 = \"B080723_N\"\r\n        $str_func02 = \"A040822_1\"\r\n \r\n        $opt_hexstr01 = { 20 3D 20 22 ?? ?? ?? ?? ?? ?? ?? 5F ?? 22 20 0D 0A 4C 6F 63 61 6C 20 24} // = \"B080723_N\" CRLF Local $\r\n        $opt_aes192 = \"0x0000660f\" // CALG_AES_192\r\n        $opt_md5 = \"0x00008003\" // CALG_MD5      \r\n \r\n    condition:\r\n        filesize < 100KB and\r\n        all of ($winapi*) and\r\n        (\r\n            1 of ($str*) or\r\n            all of ($opt*)\r\n        )\r\n \r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774240168",
        "uuid": "cbcc1da4-d680-48a2-9fce-e7b247518604",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Horabot payload/trojan (Delphi DLL)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1774240168",
            "to_ids": true,
            "type": "md5",
            "uuid": "dc5f53fe-1f91-4d26-861f-ac607317441f",
            "value": "4caa797130b5f7116f11c0b48013e430",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Horabot payload/trojan (Delphi DLL)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1774235054",
            "to_ids": true,
            "type": "sha1",
            "uuid": "45a27a0f-d691-4b3b-a3cc-119872ed232c",
            "value": "b6144f80b32b37393b2da565326cd5085c6842e1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Horabot payload/trojan (Delphi DLL)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1774235055",
            "to_ids": true,
            "type": "sha256",
            "uuid": "70a4a29a-4ed2-4b8c-81a7-5773f1c7bfcf",
            "value": "474b25badb40f524a7b2fe089e51eb7dbafd2e3e03a9f6750f72055d05b13d76",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1774233128",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f17967d0-430f-40a5-8331-3ffce2ac57be",
            "value": "98304:Ir0Be8ZnHnAVB3x59TZG4b8XNNg3CbpVeP0PWD7EeA//oGv65y:IrgJuhFGGSKP0+D7EeAqy"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1774233128",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "111250ee-19e7-4c6e-be45-af7d98d5fa50",
            "value": "38614016"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1774233128",
            "to_ids": true,
            "type": "vhash",
            "uuid": "4c8f27b4-0bb8-4a2e-bb9a-c198e69854c5",
            "value": "1370a6666d6c0d5d151510323z65003402013zb035z21z102041z18z4"
          },
          {
            "category": "Payload delivery",
            "comment": "Filename as recorded by the sample repository; it appears auto-generated rather than a name used on victim hosts, so verify before relying on it as a detection indicator.",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1774233128",
            "to_ids": true,
            "type": "filename",
            "uuid": "39d07efb-28a2-413c-8040-6314d3e43c84",
            "value": "_upyqta2_J.ia.a1"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-03-23\nLast-scan: 2026-03-19",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1774233128",
            "to_ids": false,
            "type": "text",
            "uuid": "35bd1108-3ea4-4695-a5a9-9e446a8a6986",
            "value": "Horabot payload/trojan (Delphi DLL)\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Casdet!rfn\nVT Total Detection: 46/71\nFirst Submission: 2023-03-07T10:23:52.000000+00:00\nLast Submission: 2023-04-17T12:11:50.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774240190",
        "uuid": "9ed07906-fe53-46ff-9436-11573b1e7900",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Delphi DLL sample",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1774240190",
            "to_ids": true,
            "type": "md5",
            "uuid": "ed759d4d-3963-4227-998c-2788477b9a9c",
            "value": "6272ef6ac1de8fb4bdd4a760be7ba5ed",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Delphi DLL sample",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1774235057",
            "to_ids": true,
            "type": "sha1",
            "uuid": "232e319b-6ae5-4638-a489-e2a91f2ca519",
            "value": "fe1f2ad0155a66a383a5880bb80991e4308b9726",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Delphi DLL sample",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1774235057",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b37215ca-ba52-4feb-bdec-1f8b708381b2",
            "value": "e359584a0afbbaeffbac58df83385d1676afaddabb35935fbaa036a8c1af70ac",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1774233151",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "609f7c5a-4321-428d-98b4-398c34538f1a",
            "value": "393216:0OlpLW6lPrq4q43pFezmX7sMKrNl+/gWti:J1jf7sMKxl5Wt"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1774233151",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "68dd27e3-b97e-4f65-a1b5-6fd8725f1e27",
            "value": "15979520"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1774233151",
            "to_ids": true,
            "type": "vhash",
            "uuid": "abe766d3-c83d-4bb7-bf72-15d1f6c21b80",
            "value": "1170a6666d1c0d5d151510322z166002b12013zb035z23z2031z18z4"
          },
          {
            "category": "Payload delivery",
            "comment": "Analyst-assigned name for the payload after decryption, not a filename observed on a victim host; do not use this filename as a detection indicator.",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1774233151",
            "to_ids": true,
            "type": "filename",
            "uuid": "802ea208-1d9c-4f0b-944b-fb583b8874b7",
            "value": "decrypted_payload.bin"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-03-23\nLast-scan: 2026-03-20",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1774233151",
            "to_ids": false,
            "type": "text",
            "uuid": "6652cb37-19f8-4c6d-8df5-618ec17120f9",
            "value": "Delphi DLL sample\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Alevaul!rfn\nVT Total Detection: 45/71\nFirst Submission: 2025-09-30T11:18:36.000000+00:00\nLast Submission: 2025-09-30T11:18:36.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774240212",
        "uuid": "db6a01a1-5518-4432-a5e7-70bb9a9ba897",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Horabot payload/trojan (Delphi DLL)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1774240212",
            "to_ids": true,
            "type": "md5",
            "uuid": "e48153f7-be4d-47e9-9269-3cbe935761fb",
            "value": "c882d948d44a65019df54b0b2996677f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Horabot payload/trojan (Delphi DLL)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1774235058",
            "to_ids": true,
            "type": "sha1",
            "uuid": "c2ead7f6-1eed-44d3-9399-d1fba7cfe631",
            "value": "1c8b310bb5386223103f54f6f3a5f99216fc4ebf",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Horabot payload/trojan (Delphi DLL)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1774235059",
            "to_ids": true,
            "type": "sha256",
            "uuid": "e04a4d9e-8932-4de4-af98-b0f78edb0d93",
            "value": "a73291dfbc66894f28b23c94c51b8fb9d0bd49975fbd1934f0c7dd046c1cf1ff",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1774233175",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "2fb465e9-1466-4862-91fd-620603c2c123",
            "value": "98304:EIsU40cgsefqh/Tkx0t6UtAUEVH+hnWmKU3pLoHIGHrFisvt5gYgbgYgPgYgvgY1:EIJKl4eBWmHZLir8+t63fi8R"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1774233175",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "87622e11-89b9-421a-b6da-5382762fd721",
            "value": "119123968"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1774233175",
            "to_ids": true,
            "type": "vhash",
            "uuid": "1d684933-ca2b-4458-9e51-9dda0e12054d",
            "value": "1180a6666d5c0d5d5515103242z91003402013zc035z43z2031z28z4"
          },
          {
            "category": "Payload delivery",
            "comment": "Filename as recorded by the sample repository; it appears auto-generated rather than a name used on victim hosts, so verify before relying on it as a detection indicator.",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1774233175",
            "to_ids": true,
            "type": "filename",
            "uuid": "8f105b11-0ae8-4129-894d-5cfa9f9c2755",
            "value": "_jzpfcd5_J.ia.a1"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-03-23\nLast-scan: 2026-03-19",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1774233175",
            "to_ids": false,
            "type": "text",
            "uuid": "cdf403fc-2633-4217-9397-9eba24a3958a",
            "value": "Horabot payload/trojan (Delphi DLL)\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Wacatac.B!ml\nVT Total Detection: 32/69\nFirst Submission: 2025-07-12T20:57:14.000000+00:00\nLast Submission: 2025-07-12T20:57:14.000000+00:00"
          }
        ]
      }
    ]
  }
}