{
  "Event": {
    "analysis": "1",
    "date": "2026-04-28",
    "extends_uuid": "",
    "info": "[Threat Intel] VECT: Ransomware by design, Wiper by accident",
    "protected": false,
    "publish_timestamp": "1779545819",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1779545818",
    "uuid": "771eae11-c991-4f46-bad6-b984310c35e9",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#5dfed4",
        "local": false,
        "name": "misp-galaxy:producer=\"Check Point\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#f8140a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation - T1047\"",
        "relationship_type": ""
      },
      {
        "colour": "#b2a633",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Service Stop - T1489\"",
        "relationship_type": ""
      },
      {
        "colour": "#2c1d2e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Checks - T1497.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#4cf626",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Clear Linux or Mac System Logs - T1070.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#aad818",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"SSH - T1021.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Network Share Discovery - T1135\"",
        "relationship_type": ""
      },
      {
        "colour": "#f5a258",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"",
        "relationship_type": ""
      },
      {
        "colour": "#fa3e60",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Clear Command History - T1070.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#f4b62b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Time Based Checks - T1497.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#041edc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"SMB/Windows Admin Shares - T1021.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#5affe5",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Remote Management - T1021.006\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Clear Windows Event Logs - T1070.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#36d931",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\"",
        "relationship_type": ""
      },
      {
        "colour": "#02475d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#3970d7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\"",
        "relationship_type": ""
      },
      {
        "colour": "#370063",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#297c25",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Inhibit System Recovery - T1490\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disk Content Wipe - T1561.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Shutdown/Reboot - T1529\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:ransomware=\"vect\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#10003d",
        "local": false,
        "name": "rectifyq:sub-category=\"TA-profile\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"Ransomware\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      },
      {
        "colour": "#220082",
        "local": false,
        "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777460426",
        "to_ids": false,
        "type": "link",
        "uuid": "fe194569-d87f-4876-b193-b9f2a221d000",
        "value": "https://research.checkpoint.com/2026/vect-ransomware-by-design-wiper-by-accident/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777460426",
        "to_ids": false,
        "type": "text",
        "uuid": "ba3d9bd5-4ade-4c32-bfa4-abdde83c4085",
        "value": "Check Point Research discovered critical flaws in VECT 2.0 ransomware, which targets Windows, Linux, and ESXi platforms. A fundamental encryption implementation error causes files larger than 128 KB to be rendered permanently unrecoverable rather than recoverably encrypted. The malware uses the ChaCha20-IETF cipher but only saves one of the four decryption nonces required for large files, making recovery impossible even after ransom payment. VECT's encryption speed modes are non-functional, thread scheduling degrades performance, and anti-analysis code is unreachable. Despite partnerships with TeamPCP and BreachForums for distribution, the technical implementation demonstrates amateur execution behind a professional facade. The nonce-handling flaw has existed across all platform variants since initial deployment, effectively transforming this ransomware into a wiper for enterprise assets including VM disks, databases, and backups."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777460426",
        "to_ids": false,
        "type": "text",
        "uuid": "c0884422-6fce-424c-905e-1aa80b0c795f",
        "value": "Name: VECT: Ransomware by design, Wiper by accident\nAuthor: AlienVault\nAdversary: VECT\nTags: [\"esxi\", \"multi-platform\", \"raas\", \"teampcp\", \"vect\", \"lateral movement\", \"wiper\", \"chacha20\", \"encryption flaw\"]\nTgtd countries: []\nMlwr families: [\"VECT\"]\nAttack_ids: [\"T1047\", \"T1489\", \"T1497.001\", \"T1070.002\", \"T1021.004\", \"T1135\", \"T1106\", \"T1070.003\", \"T1497.003\", \"T1021.002\", \"T1021.006\", \"T1070.001\", \"T1059.001\", \"T1027\", \"T1486\", \"T1059.003\", \"T1018\", \"T1021.001\", \"T1490\", \"T1561.001\", \"T1529\"]\nIndustries: []"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777460426",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "67f43cad-a8c5-4879-b084-aa56d26f2726",
        "value": "VECT"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777689041",
        "to_ids": true,
        "type": "domain",
        "uuid": "26d150d3-3574-4ca3-84ea-a8c5b6f18c26",
        "value": "vectordntlcrlmfkcm4alni734tbcrnd5lk44v6sp4lqal6noqrgnbyd.onion",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777689062",
        "to_ids": true,
        "type": "url",
        "uuid": "abe51dbf-7d72-4bdf-aada-4081720d22e9",
        "value": "http://vectordntlcrlmfkcm4alni734tbcrnd5lk44v6sp4lqal6noqrgnbyd.onion/chat/REDACTED",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545805",
        "uuid": "4d8ce056-700c-44d1-b205-fd0fc71a6ca0",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545805",
            "to_ids": true,
            "type": "md5",
            "uuid": "976627de-fb90-4825-a4aa-41e3cdcfc81c",
            "value": "207b1a60f803d348c795d382f5aed9c3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545805",
            "to_ids": true,
            "type": "sha1",
            "uuid": "61161d05-9e0e-4450-9838-53ca8b41a8a9",
            "value": "f4b904fb6ba8474cb87f26302b74c4b82c106003",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545805",
            "to_ids": true,
            "type": "sha256",
            "uuid": "9473b38f-153c-4a16-b507-44aacffb67db",
            "value": "8ee4ec425bc0d8db050d13bbff98f483fff020050d49f40c5055ca2b9f6b1c4d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777687593",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "300d127a-60b8-4e44-bd2b-8244f72cc755",
            "value": "24576:1MSdEmDpXzQqjBJv1ZULIOnwAzWLsuyg13TCGjhHRCRfJ+lCy:1MSdXDpXzNjBJvgLIOnwAzUFRhHRWf2"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777687593",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b10aaa76-94e8-42ca-a96d-9ecad58ac097",
            "value": "1453056"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777687593",
            "to_ids": true,
            "type": "vhash",
            "uuid": "0b3a4d86-9665-4332-99fa-5625e72644e3",
            "value": "0160a76d1565555c0d1d10c5zc00715d037z19z55z37z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777687593",
            "to_ids": true,
            "type": "filename",
            "uuid": "d578f10e-c210-4e1b-8b78-f4c9809a3e63",
            "value": "8ee4ec425bc0d8db050d13bbff98f483fff020050d49f40c5055ca2b9f6b1c4d.exe.bin"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/05/2026\nLast-scan\t:  02/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777687593",
            "to_ids": false,
            "type": "text",
            "uuid": "78b7bb04-7510-4c06-a151-80fe112c89f6",
            "value": "Type Description: Win32 EXE\nMicrosoft: Ransom:Win32/Avaddon.P!MSR\nVT Total Detection:39/71\nFirst Submission:2026-02-13T14:48:50.000000+00:00\nLast Submission:2026-03-02T10:47:35.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545808",
        "uuid": "888a09ba-1d8d-4105-bc0f-7062ef05f2a5",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545807",
            "to_ids": true,
            "type": "md5",
            "uuid": "1bd99c7d-6201-40a3-9937-d9344c4ab24c",
            "value": "4cc6e614e0b766ced936a7e44976f10a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545808",
            "to_ids": true,
            "type": "sha1",
            "uuid": "f494ca91-233a-41c0-8265-07b4cc6263d4",
            "value": "ecba8e27fe57953fa43818f141cee17db4ba6a07",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545808",
            "to_ids": true,
            "type": "sha256",
            "uuid": "7bddcc44-d82e-4500-b117-9868d9dd0ba6",
            "value": "e1fc59c7ece6e9a7fb262fc8529e3c4905503a1ca44630f9724b2ccc518d0c06",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777687615",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "1b896c54-a51a-402e-9e33-78eb5e04cbab",
            "value": "24576:DBe1gUP9r0vBhIKmvxIHDZ6XxI3R6UU4k/0kUdsTddNEatKqbUzKekD3:FvsIzItEDZ6XvUU4k8kcMdr1AqbUz1M"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777687615",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f00b41c8-f3c5-451d-a388-f79935c0e105",
            "value": "1820552"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777687615",
            "to_ids": true,
            "type": "vhash",
            "uuid": "e1b996ab-5819-4b41-a858-701e4ea23842",
            "value": "0a62b3f50edd75a46a4c0c0b4ad4e4b5"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777687615",
            "to_ids": true,
            "type": "filename",
            "uuid": "28cdb0ce-d94d-4246-bb5d-8681d65536a6",
            "value": "tov78h29.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/05/2026\nLast-scan\t:  01/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777687615",
            "to_ids": false,
            "type": "text",
            "uuid": "7190440b-eb87-4c20-ac17-2e3a06536619",
            "value": "Type Description: ELF\nMicrosoft: Ransom:Linux/Vect!AMTB\nVT Total Detection:30/64\nFirst Submission:2026-04-14T11:08:34.000000+00:00\nLast Submission:2026-04-14T11:08:34.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545811",
        "uuid": "36e2c7e2-a970-4422-be06-ea33dd93d69e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545810",
            "to_ids": true,
            "type": "md5",
            "uuid": "8feb2d0c-70d1-4252-b553-c0645ec59f76",
            "value": "7f6670a37338ffcaa61578e24164c540",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545810",
            "to_ids": true,
            "type": "sha1",
            "uuid": "9c4f8ff8-5f1e-441e-a485-6a5d2433ee2d",
            "value": "fe65bd9073617752460ac3419881c67848381fa3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545811",
            "to_ids": true,
            "type": "sha256",
            "uuid": "ad5ea239-d00e-4b83-8850-6a68591d0a0c",
            "value": "58e17dd61d4d55fa77c7f2dd28dd51875b0ce900c1e43b368b349e65f27d6fdd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777687637",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "8efd7e1a-d216-4c9b-81d3-8479b3df0ddb",
            "value": "49152:dVzga/ZXbwAICCyuylt4kgLk7U+FTS0UrqNQ:IalbwsCBYD93UW2"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777687637",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "82d1f8f9-010d-49b0-bcb3-16cfe71bd5b0",
            "value": "1861512"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777687637",
            "to_ids": true,
            "type": "vhash",
            "uuid": "42609314-bdd8-417a-9081-e0c7baa1ad6f",
            "value": "280b2af617b094d0d4bad2a642c1abba"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777687637",
            "to_ids": true,
            "type": "filename",
            "uuid": "8d9967d8-2ee3-487c-99c2-d289a0c87600",
            "value": "zqh6v3.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/05/2026\nLast-scan\t:  01/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777687637",
            "to_ids": false,
            "type": "text",
            "uuid": "a22f8779-309c-46d6-8e16-37050548c66c",
            "value": "Type Description: ELF\nMicrosoft: Trojan:Linux/Multiverze!rfn\nVT Total Detection:29/64\nFirst Submission:2026-04-14T11:08:28.000000+00:00\nLast Submission:2026-04-14T11:08:28.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545813",
        "uuid": "fc4a8854-7019-4320-b417-51b54cf2bf71",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545812",
            "to_ids": true,
            "type": "md5",
            "uuid": "53cd1b74-ab9b-448c-bbde-ce07ae99a02c",
            "value": "aa72609186042f1d7d01ce070306a9f2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545813",
            "to_ids": true,
            "type": "sha1",
            "uuid": "2f55d333-1585-4dfc-aec1-b19b3cb19f5c",
            "value": "e27f4feffc1ba6bf4e35aec4a5270fccb636e5cf",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545813",
            "to_ids": true,
            "type": "sha256",
            "uuid": "83f0f2e5-693e-4127-8106-e591ca24574d",
            "value": "e512d22d2bd989f35ebaccb63615434870dc0642b0f60e6d4bda0bb89adee27a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777687658",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "24348d3e-7c67-421d-b630-4576ad05ab2b",
            "value": "24576:kMSdEmDpXzQqjBJv1ZULIOnwAzWLsuyg13TCGjsHRCRfJ+lCy:kMSdXDpXzNjBJvgLIOnwAzUFRsHRWf2"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777687658",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "c187bbe4-5ab3-44c1-ad50-b27ce33dc453",
            "value": "1453056"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777687658",
            "to_ids": true,
            "type": "vhash",
            "uuid": "ee0250cb-006a-4de1-90ae-fd32c42a79f8",
            "value": "0160a76d1565555c0d1d10c5zc00715d037z19z55z37z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777687658",
            "to_ids": true,
            "type": "filename",
            "uuid": "23ba89d7-4b00-42f3-a31d-e09b2d863f83",
            "value": "dp6fd66.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/05/2026\nLast-scan\t:  02/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777687658",
            "to_ids": false,
            "type": "text",
            "uuid": "8beb3832-4e01-4e8b-805a-9174956e2e93",
            "value": "Type Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:40/71\nFirst Submission:2026-03-26T15:48:41.000000+00:00\nLast Submission:2026-03-26T15:48:41.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545816",
        "uuid": "15ff7894-cb86-4934-9759-0f336cf8a7cf",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545815",
            "to_ids": true,
            "type": "md5",
            "uuid": "8f7a8d82-4091-4202-b903-4e0f7459a47a",
            "value": "46fa8d029d3c473125ef6ce5adff3c54",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545815",
            "to_ids": true,
            "type": "sha1",
            "uuid": "99ea0150-580a-46de-be15-1b2a9177e252",
            "value": "be524f751cf4d1892f7637c527ca36c09955b145",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545816",
            "to_ids": true,
            "type": "sha256",
            "uuid": "9806ea21-ef07-46fc-9d3b-e3e99c969283",
            "value": "9c745f95a09b37bc0486bf0f92aad4a3d5548a939c086b93d6235d34648e683f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777687680",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "879aaeb3-4e39-4a1d-876b-554a07de4af7",
            "value": "24576:DuC9IrMxg3Ggy7iTrvxylIzZ08535e3jV0HRCM3m:DuC9+Mxg3Ggy7yvxy+zyelHRN"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777687680",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "3256780b-3696-4dd8-9fad-39c6efa7c4e5",
            "value": "1454592"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777687680",
            "to_ids": true,
            "type": "vhash",
            "uuid": "81a89ad5-21cf-47c0-b062-61674791b361",
            "value": "0160a76d1565555c0d1d10c5zc00715d037z19z55z37z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777687680",
            "to_ids": true,
            "type": "filename",
            "uuid": "183aba68-9138-4ca3-9d7d-22d882c8f317",
            "value": "skid_locker.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/05/2026\nLast-scan\t:  02/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777687680",
            "to_ids": false,
            "type": "text",
            "uuid": "b440560d-17f9-49ca-86c9-87b80ba053bc",
            "value": "Type Description: Win32 EXE\nMicrosoft: Ransom:Win32/Avaddon.P!MSR\nVT Total Detection:28/71\nFirst Submission:2026-04-18T22:34:03.000000+00:00\nLast Submission:2026-04-18T22:34:03.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545818",
        "uuid": "a5ef6237-c963-48b0-b360-a14a289c4f81",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545818",
            "to_ids": true,
            "type": "md5",
            "uuid": "6e11bc17-4358-4f54-b15e-1e52a8092add",
            "value": "7f6864cf9c616b92898ca92b47c81d1f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545818",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e109a29d-5b52-40fb-afc1-dfa9db086e68",
            "value": "12f511bce69084b3413b122f82a933eb2f0fe410",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545818",
            "to_ids": true,
            "type": "sha256",
            "uuid": "6c23b141-3af2-4112-b35a-863dc00d4417",
            "value": "a7eadcf81dd6fda0dd6affefaffcb33b1d8f64ddec6e5a1772d028ef2a7da0f2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777687702",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "168e817c-a32b-40fe-a416-2851daf5097a",
            "value": "49152:WZ7ANT1OvHOckvrThfcv46ClvkqSkbvfTHT/Wj:GMLOvHOzPmmIkbvG"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777687702",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "04b07923-454a-420a-b787-9a2bc211da17",
            "value": "1932504"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777687702",
            "to_ids": true,
            "type": "vhash",
            "uuid": "37817114-8916-43da-b90c-f284bac36e53",
            "value": "1748571876fd16d668242abfe9333ebf"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777687702",
            "to_ids": true,
            "type": "filename",
            "uuid": "cb7aa38a-87c9-4637-8899-643baa50c1b1",
            "value": "nuv6nu.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/05/2026\nLast-scan\t:  01/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777687702",
            "to_ids": false,
            "type": "text",
            "uuid": "838ff03f-9a67-4b09-8eef-6c32c51de8db",
            "value": "Type Description: ELF\nMicrosoft: Ransom:Linux/Vect!AMTB\nVT Total Detection:24/64\nFirst Submission:2026-02-21T05:02:04.000000+00:00\nLast Submission:2026-02-21T05:02:04.000000+00:00"
          }
        ]
      }
    ]
  }
}