{
  "Event": {
    "analysis": "1",
    "date": "2026-03-19",
    "extends_uuid": "",
    "info": "[Threat Intel] An Overview of The Gentlemen's TTPs",
    "protected": false,
    "publish_timestamp": "1775231577",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1775231577",
    "uuid": "6b864acf-1666-4334-ad3c-875c36e9d4f6",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"Group-IB\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#6d779a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploitation for Privilege Escalation - T1068\"",
        "relationship_type": ""
      },
      {
        "colour": "#a6d5f3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Domain Account - T1136.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Group Policy Modification - T1484.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e43954",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#71ecdb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Account Manipulation - T1098\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Password Guessing - T1110.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d37d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#bf01b7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"",
        "relationship_type": ""
      },
      {
        "colour": "#b672a4",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task/Job - T1053\"",
        "relationship_type": ""
      },
      {
        "colour": "#9feaf0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:ransomware=\"the gentlemen\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#10003d",
        "local": false,
        "name": "rectifyq:sub-category=\"TA-profile\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"Ransomware\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774004406",
        "to_ids": false,
        "type": "link",
        "uuid": "3d031afb-efcb-4396-b35c-4d7adc538559",
        "value": "https://www.group-ib.com/blog/hastalamuerte-gentlemen-raas-ttps/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774004406",
        "to_ids": false,
        "type": "text",
        "uuid": "4011cd15-68a9-4ff8-b1f4-7dcd8688bab9",
        "value": "This intelligence report provides a comprehensive analysis of The Gentlemen, a ransomware group known for its sophisticated tactics, techniques, and procedures (TTPs). The group exploits vulnerabilities in FortiOS/FortiProxy, maintains a database of compromised devices, and employs advanced defense evasion techniques. Their initial access methods include exploiting public-facing applications and brute-force attacks. The Gentlemen utilize various execution, persistence, and privilege escalation techniques, while also focusing on credential access and lateral movement. The group's impact includes data encryption and inhibiting system recovery. The report highlights the group's ongoing efforts to improve their ransomware capabilities by reverse-engineering other malware samples."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774004406",
        "to_ids": false,
        "type": "text",
        "uuid": "19cf0140-4597-4162-b65f-67f1583578ff",
        "value": "Name: An Overview of The Gentlemen's TTPs\nAuthor: AlienVault\nAdversary: The Gentlemen\nTags: [\"vasa locker\", \"medusa\", \"cve-2024-37085\", \"raas\", \"fortios\", \"data-exfiltration\", \"cve-2025-32463\", \"lockbit 5.0\", \"defense-evasion\", \"babyk\", \"ransomware\", \"cve-2024-55591\", \"the gentlemen\", \"cve-2023-27532\", \"babuk\", \"exploit\", \"lateral-movement\", \"qilin\", \"credential-theft\"]\nTgtd countries: []\nMlwr families: [\"The Gentlemen\", \"Babuk - S0638\", \"Babyk\", \"Vasa Locker\", \"Qilin\", \"LockBit 5.0\", \"Medusa\"]\nAttack_ids: [\"T1068\", \"T1136.002\", \"T1484.001\", \"T1562.001\", \"T1098\", \"T1110.001\", \"T1059.006\", \"T1059.001\", \"T1112\", \"T1053\", \"T1190\"]\nIndustries: []"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774004406",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "6dc2934d-60bb-4c0c-817e-d49795b89b05",
        "value": "The Gentlemen"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774004406",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "34f79ed4-5ce0-4685-ac7b-4164ed90400f",
        "value": "CVE-2023-27532"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774004406",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "67243495-a51e-4616-9cff-473e35b5e619",
        "value": "CVE-2024-37085"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774004406",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "aa3a7ac2-a144-43cd-a8ff-e9e32bfc1f37",
        "value": "CVE-2024-55591"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774004406",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "975d32b9-1ba8-4104-8822-3efd1c1ee704",
        "value": "CVE-2025-32463"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VirusTotal (VT)\r\nLast check: 03/04/2026 (DD/MM/YYYY)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775227080",
        "to_ids": true,
        "type": "md5",
        "uuid": "215b2ad5-ac10-4082-baa0-eb2e9728da2c",
        "value": "42c062d6299ca9f76554441a29429404",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VirusTotal (VT)\r\nLast check: 03/04/2026 (DD/MM/YYYY)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775227081",
        "to_ids": true,
        "type": "md5",
        "uuid": "d0af23d0-4402-419f-984b-05f799bf4d71",
        "value": "8901ce810f999f79c51c4d4f6c93fe6b",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VirusTotal (VT)\r\nLast check: 03/04/2026 (DD/MM/YYYY)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775227083",
        "to_ids": true,
        "type": "md5",
        "uuid": "1bd0e778-d880-421b-95e4-fb29d296ef38",
        "value": "d65c293efb5e6d033c83b2ac472bf0cb",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VirusTotal (VT)\r\nLast check: 03/04/2026 (DD/MM/YYYY)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775227084",
        "to_ids": true,
        "type": "md5",
        "uuid": "0b7cea36-89fc-4474-aac8-a5bc9156e941",
        "value": "efd5366eb7473d6f7fb97ec7ac59f09d",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VirusTotal (VT)\r\nLast check: 03/04/2026 (DD/MM/YYYY)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775227085",
        "to_ids": true,
        "type": "sha256",
        "uuid": "3259b60d-344d-46c5-b1cd-f386b9b368b5",
        "value": "2834114ff7e487c4ca3f50ca39f7d652dea1be98f885c388f01b6ff35309307b",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775230558",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "cadb398c-8c0c-497f-b4ba-4e6e6636057e",
        "value": "194.87.31.69",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775230579",
        "uuid": "c3a6225b-f187-4585-8f43-dc8f0e64ec7e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775230579",
            "to_ids": true,
            "type": "md5",
            "uuid": "af0f4e47-68d1-4d19-adf3-e0560b6b1b17",
            "value": "4200b46a93c6ab059e2b34ce200c4a5b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775227077",
            "to_ids": true,
            "type": "sha1",
            "uuid": "d7d227b2-ef85-4e05-913e-3fc7551415d6",
            "value": "42bcc743c71a9ea083c1c750a398110582796762",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775227077",
            "to_ids": true,
            "type": "sha256",
            "uuid": "bf5e7474-a1f3-448d-ae33-d878ecc28437",
            "value": "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775226471",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "74b10b38-0a53-44b8-9da6-43b59c8dbd1e",
            "value": "49152:Dl5LxQaoySboC9C5ZtPzKgv5bQgZ3tA5m25ElcY:DHS3EX"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775226471",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f1e77cf0-9602-449f-be1e-143a840e4ecf",
            "value": "2962944"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775226471",
            "to_ids": true,
            "type": "vhash",
            "uuid": "4c602e04-1deb-49d8-b2ce-b62d3cbf5812",
            "value": "026086655d75551d15541az2e!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775226471",
            "to_ids": true,
            "type": "filename",
            "uuid": "e10490be-5aa6-459b-a619-ee4b6e58d1fa",
            "value": "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 03/04/2026 (DD/MM/YYYY)\nLast scan: 03/04/2026 (DD/MM/YYYY)",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775226471",
            "to_ids": false,
            "type": "text",
            "uuid": "8806b30b-db1c-4495-bc51-2559e895c564",
            "value": "Type Description: Win32 EXE\nMicrosoft: Ransom:Win64/Gentlemen.B\nVT Total Detection:49/71\nFirst Submission:2025-10-19T16:58:34.000000+00:00\nLast Submission:2026-04-03T10:29:52.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775230601",
        "uuid": "61e8d8c8-d2df-4125-ab70-13d95ad9e0c2",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775230601",
            "to_ids": true,
            "type": "md5",
            "uuid": "c3f143ab-28bc-4043-af60-d7305f2fabc9",
            "value": "adf675ffc1acb357f2d9f1a94e016f52",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775227079",
            "to_ids": true,
            "type": "sha1",
            "uuid": "fef95675-c369-4bfd-90b3-c0d2a150ccbb",
            "value": "2cd15d5d4cc58d06cfb6be5eabc681925d0ce5ce",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775227079",
            "to_ids": true,
            "type": "sha256",
            "uuid": "89c2d3fd-3e60-49f6-a3b5-f837afd3465c",
            "value": "51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775226535",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "9757af11-9bcc-4a33-8cfb-480988d92218",
            "value": "196608:0aXETABIUswT55RNYi9t4M/ovDL8j7askQSrR2vPJzsb20RQbJxF9:0oBI6vRyihUY7atHYvPZZR9"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775226535",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "3a03a1bd-0f9e-4898-86e9-2d321cfc6d9c",
            "value": "14911488"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775226535",
            "to_ids": true,
            "type": "vhash",
            "uuid": "c9f3a667-e44d-40e4-928a-bd227a3f7366",
            "value": "0170c6050d05050d0504cz1!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775226535",
            "to_ids": true,
            "type": "filename",
            "uuid": "a0007719-deb6-4e03-b6b3-fe54584561ee",
            "value": "51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 03/04/2026 (DD/MM/YYYY)\nLast scan: 03/04/2026 (DD/MM/YYYY)",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775226535",
            "to_ids": false,
            "type": "text",
            "uuid": "46f51ec1-8bcc-402e-998c-2525f15a40af",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Casdet!rfn\nVT Total Detection:53/72\nFirst Submission:2025-07-17T12:27:07.000000+00:00\nLast Submission:2025-11-24T16:33:40.000000+00:00"
          }
        ]
      }
    ]
  }
}