{
  "Event": {
    "analysis": "1",
    "date": "2026-04-23",
    "extends_uuid": "",
    "info": "[Threat Intel] fast16 | Mystery ShadowBrokers Reference Reveals High-Precision Software Sabotage 5 Years Before Stuxnet",
    "protected": false,
    "publish_timestamp": "1779545676",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1779545676",
    "uuid": "8960eb7b-35b2-4509-b79d-eac3feef1909",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#75e21e",
        "local": false,
        "name": "misp-galaxy:producer=\"SentinelOne\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#91ee5f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Rootkit - T1014\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Services Registry Permissions Weakness - T1574.011\"",
        "relationship_type": ""
      },
      {
        "colour": "#da180c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Bootkit - T1542.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#5c57c8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Service - T1543.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Network Share Discovery - T1135\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#75ec20",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#041edc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"SMB/Windows Admin Shares - T1021.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#9651e2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1107\"",
        "relationship_type": ""
      },
      {
        "colour": "#bf01b7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"",
        "relationship_type": ""
      },
      {
        "colour": "#5affe5",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Remote Management - T1021.006\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#6d779a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploitation for Privilege Escalation - T1068\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#b596f0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Lateral Tool Transfer - T1570\"",
        "relationship_type": ""
      },
      {
        "colour": "#30cc3b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#98f3da",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Visual Basic - T1059.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#3970d7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\"",
        "relationship_type": ""
      },
      {
        "colour": "#44b2c2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Hidden Files and Directories - T1564.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#10003f",
        "local": false,
        "name": "rectifyq:sub-category=\"tool-profile\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#3500ca",
        "local": false,
        "name": "rectifyq:detection-rules=\"yara-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      },
      {
        "colour": "#220082",
        "local": false,
        "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777028431",
        "to_ids": false,
        "type": "link",
        "uuid": "428073c2-1b1f-4b31-8564-e735d0d47044",
        "value": "https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777028431",
        "to_ids": false,
        "type": "text",
        "uuid": "b223891d-8929-4bd7-aae3-60b5d7d3faa5",
        "value": "Researchers uncovered fast16, a cyber sabotage framework from 2005 that predates Stuxnet by five years. The toolset includes fast16.sys, a kernel driver that selectively targets high-precision calculation software by patching code in memory to corrupt computational results. Combined with self-propagation mechanisms via a Lua-powered carrier module (svcmgmt.exe), the framework spreads across facilities to produce consistent but inaccurate calculations. This operation represents the first documented instance of strategic cyber sabotage targeting ultra-expensive computing workloads in advanced physics, cryptographic, and nuclear research. The framework uses an embedded Lua virtual machine predating Flame by three years, and it is referenced in the ShadowBrokers leak of NSA Territorial Dispute components with the evasion signature: 'fast16 *** Nothing to see here \u2013 carry on ***'."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777028431",
        "to_ids": false,
        "type": "text",
        "uuid": "41d3dc0e-74fe-4004-aebe-23ffa3f29e79",
        "value": "Name: fast16 | Mystery ShadowBrokers Reference Reveals High-Precision Software Sabotage 5 Years Before Stuxnet\nAuthor: AlienVault\nAdversary: \nTags: [\"lua virtual machine\", \"fast16\", \"shadowbrokers\", \"cyber sabotage\", \"floating-point corruption\"]\nTgtd countries: []\nMlwr families: [\"fast16.sys\", \"svcmgmt.exe\", \"svcmgmt.dll\"]\nAttack_ids: [\"T1014\", \"T1574.011\", \"T1542.003\", \"T1543.003\", \"T1135\", \"T1082\", \"T1036\", \"T1055\", \"T1021.002\", \"T1107\", \"T1112\", \"T1021.006\", \"T1083\", \"T1068\", \"T1027\", \"T1570\", \"T1070.004\", \"T1059.005\", \"T1018\", \"T1564.001\"]\nIndustries: [\"Aerospace\", \"Defense\", \"Energy\"]"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545655",
        "to_ids": true,
        "type": "md5",
        "uuid": "f36096c7-f3c5-4d4c-b1d2-f533b71abf88",
        "value": "2717b58246237b35d44ef2e49712d3a2",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545657",
        "to_ids": true,
        "type": "md5",
        "uuid": "95ecd76a-4de3-43f4-a70d-914f7e5fd974",
        "value": "ebff5b7d4c5becb8715009df596c5a91",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545659",
        "to_ids": true,
        "type": "md5",
        "uuid": "558b0274-d7b3-47c9-ace6-44a3426eb059",
        "value": "f4dbbb78979c1ee8a1523c77065e18a5",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545660",
        "to_ids": true,
        "type": "sha1",
        "uuid": "81133650-1c0f-41bc-91a9-57947495b320",
        "value": "829f8be65dfe159d2b0dc7ee7a61a017acb54b7b",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545662",
        "to_ids": true,
        "type": "sha1",
        "uuid": "1d97f84a-1d35-4223-9df2-cc1f0479bd0f",
        "value": "9e089a733fb2740c0e408b2a25d8f5a451584cf6",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545664",
        "to_ids": true,
        "type": "sha1",
        "uuid": "5bbe42a1-c009-4188-8b7e-a8d4c6765dcf",
        "value": "d475ace24b9aedebf431efc68f9db32d5ae761bd",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545666",
        "to_ids": true,
        "type": "sha256",
        "uuid": "037cc932-ed8f-4425-8d09-c0bdc58dcee5",
        "value": "37414d9ca87a132ec5081f3e7590d04498237746f9a7479c6b443accee17a062",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545667",
        "to_ids": true,
        "type": "sha256",
        "uuid": "72b9000e-ad8e-44dc-bb7d-57eec9b6c037",
        "value": "bd04715c5c43c862c38a4ad6c2167ad082a352881e04a35117af9bbfad8e5613",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545669",
        "to_ids": true,
        "type": "sha256",
        "uuid": "63044388-f6e1-4fa4-ac0d-b44e1f4d4747",
        "value": "e775049d1ecf68dee870f1a5c36b2f3542d1182782eb497b8ccfd2309c400b3a",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545671",
        "to_ids": true,
        "type": "sha1",
        "uuid": "cc286734-327d-4ef8-8645-ed1a11c1cd9d",
        "value": "3471224e20d7b6912816509b7154e2f24c06425c",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545672",
        "to_ids": true,
        "type": "sha1",
        "uuid": "42de38af-d505-40d9-82f0-9baf1b7f8b20",
        "value": "6f20bd7308ec165af23609dceb7849fedfe6205c",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545674",
        "to_ids": true,
        "type": "sha1",
        "uuid": "8e91f912-62a9-45a4-bfa2-82b7541901c6",
        "value": "79fcf9f8e1db09e5b403b83b9f5910bdda24aff7",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545676",
        "to_ids": true,
        "type": "sha1",
        "uuid": "f4916313-aed5-4856-9039-2466c1e2775c",
        "value": "c9408c1d9bab5974e23584e944819019e2500100",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1777624261",
        "uuid": "440e28d3-b874-4794-bc6c-a1cff7a163bb",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1777624261",
            "to_ids": false,
            "type": "text",
            "uuid": "76aea5d5-9053-4b66-a017-542d60617087",
            "value": "apt_fast16_carrier"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1777624261",
            "to_ids": false,
            "type": "comment",
            "uuid": "904cf352-4133-4e6f-af8e-22c1c021015e",
            "value": "Catches fast16 carrier, its Lua payload, and plaintext variants"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1777624261",
            "to_ids": true,
            "type": "yara",
            "uuid": "902b440a-7e7a-4eaf-950f-787a8645caf7",
            "value": "import \"pe\"\r\n\r\nrule apt_fast16_carrier {\r\n    meta:\r\n        author = \"SentinelLABS/vk\"\r\n        date = \"2025-04-07\"\r\n        description = \"Catches fast16 carrier, its Lua payload, and plaintext variants\"\r\n        hash = \"9a10e1faa86a5d39417cae44da5adf38824dfb9a16432e34df766aa1dc9e3525\"\r\n    strings:\r\n        $lua_magic = { 1B 4C 75 61 } //Lua bytecode magic\r\n\r\n        //Decrypted strings\r\n        $s1 = \"build_wormlet_table\"\r\n        $s2 = \"unpropagate\"\r\n        $s3 = \"worm_install_failure_action\"\r\n        $s4 = \"implant_install_failure_action\"\r\n        $s5 = \"scm_wormlet_propagate_system\"\r\n        $s6 = \"scm_wormlet_install\"\r\n        $s7 = \"scm_wormlet_init\"\r\n        $s8 = \"scm_copy_payload\"\r\n        $s9 = \"get_logged_on_user\"\r\n        $s10 = \"logged_on_program\"\r\n        $s11 = \"phase_1_prop_delay\"\r\n        $s12 = \"connotify_pipename\"\r\n        $s13 = \"cndll_internal_name\"\r\n        $s14 = \"connotify_provider_key\"\r\n        $s15 = \"check_implant_reg_values\"\r\n        $s16 = \"set_implant_reg_values\"\r\n        $s17 = \"install_implant\"\r\n        $s18 = \"implant_installed\"\r\n        $s19 = \"implant_internal_name\"\r\n        $s20 = \"implant_files\"\r\n        $s21 = \"implant_owner\"\r\n        $s22 = \"install_worm\"\r\n        $s23 = \"start_worm\"\r\n        $s24 = \"implant_install_failure_action\"\r\n        $s25 = \"worm_install_failure_action\"\r\n        $s26 = \"ok_to_propagate\"\r\n        $s27 = \"no_firewall_check\"\r\n        $s28 = \"scm_wormlet\"\r\n        $s29 = \"implant_install_failure_action\"\r\n        $s30 = \"worm_install_failure_action\"\r\n\r\n        //Encrypted strings\r\n        $e1 = { 98 18 A1 94 24 E3 A2 4C  61 C8 AE 04 DC 4E 03 CD 0D 9D F0 }\r\n        $e2 = { E8 76 53 6D D4 B9 6E 28  6C 5D C2 }\r\n        $e3 = { 7D B7 14 73 F0 C0 4D 53  BB F7 0A 4A 3A 63 05 92  EC 0A 11 BC 22 59 99 05  72 05 19 }\r\n        $e4 
= { 88 5F 1B E4 45 56 75 4B  A5 3D 19 0B 3F 30 5A 85  E2 BD D0 E7 1C 13 D0 1D  BD D8 CF A1 88 DB }\r\n        $e5 = { 88 1E 54 4E 00 C1 EF 79  AA AD 9F 50 27 B5 B8 4C  32 06 D2 7B 32 E3 AF D6  DC D2 BB 83 }\r\n        $e6 = { 39 F9 BC E9 27 70 C4 3E  04 2A 7D E1 68 67 B7 ED  D4 41 6A }\r\n        $e7 = { 13 FC 24 20 1F 20 74 1B  E5 5F 59 56 D7 61 3E BD }\r\n        $e8 = { EF 94 49 63 33 41 62 F2  26 A6 48 DE 6D 7B A4 CF }\r\n        $e9 = { 36 5F 5E E5 C1 1A 17 6A  4E B9 94 52 1B DC C6 60  CA C7 }\r\n        $e10 = { B3 9C A3 F1 12 CC 52 74  34 5F 87 43 32 21 36 7B 2A }\r\n\r\n        $rk1 = \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Symantec\\\\InstalledApps\"\r\n        $rk2 = \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Sygate Technologies, Inc.\\\\Sygate Personal Firewall\"\r\n        $rk3 = \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\TrendMicro\\\\PFW\"\r\n        $rk4 = \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Zone Labs\\\\TrueVector\"\r\n        $rk5 = \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\F-Secure\"\r\n        $rk6 = \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Network Ice\\\\BlackIce\"\r\n        $rk7 = \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\McAfee.com\\\\Personal Firewall\"\r\n        $rk8 = \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\ComputerAssociates\\\\eTrust EZ Armor\"\r\n        $rk9 = \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\RedCannon\\\\Fireball\"\r\n        $rk10 = \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Kerio\\\\Personal Firewall 4\"\r\n        $rk11 = \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\KasperskyLab\\\\InstalledProducts\\\\Kaspersky Anti-Hacker\"\r\n        $rk12 = \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Tiny Software\\\\Tiny Firewall\"\r\n        $rk13 = \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\Look n Stop 2.05p2\"\r\n        $rk14 = \"HKEY_CURRENT_USER\\\\SOFTWARE\\\\Soft4Ever\"\r\n        $rk15 = \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Norman Data Defense Systems\"\r\n        $rk16 = \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Agnitum\\\\Outpost Firewall\"\r\n       
 $rk17 = \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Panda Software\\\\Firewall\"\r\n        $rk18 = \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\InfoTeCS\\\\TermiNET\"\r\n\r\n        $c1 = { 86 3A D6 02 } // A crypto constant\r\n        $c2 = { 01 E1 F5 05 } // A crypto constant\r\n\r\n        $code1 = { 8B 00           // mov     eax, [eax]\r\n        2D 2F 34 21 33  // sub     eax, 3321342Fh\r\n        } // Code to deobfuscate real storage container length\r\n\r\n        $stor1 = { CC 00 00 00 05 00 00 00 66 69 6C 65 00 CD 00 00 00 } //Storage record with file string\r\n    condition:\r\n        ( uint16(0)==0x5a4d and filesize < 10MB and (\r\n        ( 3 of ($s*) ) or\r\n        ( 12 of ($rk*) ) or\r\n        ( any of ($e*) ) or\r\n        ( all of ($c*) and @c2-@c1 < 0x100 ) or\r\n        ( $code1 ) or\r\n        ( $stor1 )) ) or\r\n        ( $lua_magic and 7 of ($s*) )\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1777624281",
        "uuid": "864fa5ba-ba09-48d8-8820-326c9c46323c",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1777624281",
            "to_ids": false,
            "type": "text",
            "uuid": "f472e002-624d-4dad-9178-b1ee8c4dccef",
            "value": "apt_fast16_driver"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1777624281",
            "to_ids": false,
            "type": "comment",
            "uuid": "2bb5337f-4a27-45bd-bac4-0cce38da4ce4",
            "value": "Catches fast16 driver or related project files"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1777624281",
            "to_ids": true,
            "type": "yara",
            "uuid": "1faa39a4-33ed-4727-95cb-3497a469bbfb",
            "value": "rule apt_fast16_driver {\r\n    meta:\r\n        author = \"SentinelLABS/vk\"\r\n        last_modified = \"2026-04-15\"\r\n        description = \"Catches fast16 driver or related project files\"\r\n        hash = \"07c69fc33271cf5a2ce03ac1fed7a3b16357aec093c5bf9ef61fbfa4348d0529\"\r\n    strings:\r\n        $a1 = \"@(#)foo.c : \"\r\n        $a2 = \"@(#)par.h : \"\r\n        $a3 = \"@(#)pae.h : \"\r\n        $a4 = \"@(#)fao.h : \"\r\n        $a5 = \"@(#)uis.h : \"\r\n        $a6 = \"@(#)ree.h : \"\r\n        $a7 = \"@(#)fir.h : \"\r\n        $a8 = \"@(#)fir.c : \"\r\n        $a9 = \"@(#)par.h : \"\r\n        $a10 = \"@(#)pae.h : \"\r\n        $a11 = \"@(#)fao.h : \"\r\n        $a12 = \"@(#)uis.h : \"\r\n        $a13 = \"@(#)ree.h : \"\r\n        $a14 = \"@(#)fir.h : \"\r\n        $a15 = \"@(#)myy.h : \"\r\n        $a16 = \"@(#)fic.h : \"\r\n        $a17 = \"@(#)ree.h : \"\r\n        $a18 = \"@(#)ree.c : \"\r\n        $dev1 = \"\\\\Device\\\\fast16\"\r\n        $dev2 = \"\\\\??\\\\fast16\"\r\n        $pdb1 = \"C:\\\\buildy\\\\\"\r\n        $pdb2 = \"driver\\\\fd\\\\i386\\\\fast16.pdb\"\r\n        $devtype = { 68 7C A5 00 00 } // push 0A57Ch ; DeviceType\r\n        $api1 = {50 C6 45 D4 16 C6 45 D5 2B C6 45 D6 12 C6 45 D7 3F C6 45 D8 3F C6 45 D9 3C C6 45 DA 30 C6 45 DB 32 C6 45 DC 27 C6 45 DD 36 C6 45 DE 03 C6 45 DF 3C C6 45 E0 3C C6 45 E1 3F C6 45 E2 53 } // push xored \"ExAllocatePool\"\r\n        $api2 = {C6 45 A8 16 C6 45 A9 2B C6 45 AA 12 C6 45 AB 3F C6 45 AC 3F C6 45 AD 3C C6 45 AE 30 C6 45 AF 32 C6 45 B0 27 C6 45 B1 36 C6 45 B2 03 C6 45 B3 3C C6 45 B4 3C C6 45 B5 3F C6 45 B6 04 C6 45 B7 3A C6 45 B8 27 C6 45 B9 3B C6 45 BA 07 C6 45 BB 32 C6 45 BC 34 C6 45 BD 53} // push xored \"ExAllocatePoolWithTag\"\r\n        $api3 = {C6 45 E4 16 C6 45 E5 2B C6 45 E6 15 C6 45 E7 21 C6 45 E8 36 C6 45 E9 36 C6 45 EA 03 C6 45 EB 3C C6 45 EC 3C C6 45 ED 3F C6 45 EE 53} // push xored \"ExFreePool\"\r\n        $api4 = {C6 45 C0 16 C6 45 C1 2B C6 45 C2 15 C6 45 
C3 21 C6 45 C4 36 C6 45 C5 36 C6 45 C6 03 C6 45 C7 3C C6 45 C8 3C C6 45 C9 3F C6 45 CA 04 C6 45 CB 3A C6 45 CC 27 C6 45 CD 3B C6 45 CE 07 C6 45 CF 32 C6 45 D0 34 C6 45 D1 53} // push xored \"ExFreePoolWithTag\"\r\n    condition:\r\n        filesize < 10MB and \r\n        ( uint16(0)==0x5a4d and\r\n        ( ( 2 of ($pdb*) ) or\r\n        ( $pdb1 and 1 of ($a*) ) or\r\n        ( #devtype == 3 and\r\n        pe.machine == pe.MACHINE_I386 and\r\n        pe.subsystem == pe.SUBSYSTEM_NATIVE) or\r\n        any of ($api*) or\r\n        2 of ($dev*))) or \r\n        ( 6 of ($a*))\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1777624308",
        "uuid": "ee1eaba5-5e8b-4a51-8a98-cf01c3ee1f9f",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1777624308",
            "to_ids": false,
            "type": "text",
            "uuid": "a06727e3-2db8-4c44-9db2-af83064c4b20",
            "value": "clean_fast16_patchtarget"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1777624308",
            "to_ids": false,
            "type": "comment",
            "uuid": "d99fe97f-485f-420c-a194-f14bee6bacf1",
            "value": "Detects the software that fast16 patches; matching files are most probably clean, not malicious"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1777624308",
            "to_ids": true,
            "type": "yara",
            "uuid": "df125210-b6a0-4c87-a91c-269146c0bf82",
            "value": "rule clean_fast16_patchtarget {\r\n    meta:\r\n        author = \"SentinelLABS/vk\"\r\n        last_modified = \"2026-04-15\"\r\n        description = \"Detects fast16 patch target software (most probably clean)\"\r\n        hash = \"8fcb4d3d4df61719ee3da98241393779290e0efcd88a49e363e2a2dfbc04dae9\"\r\n    strings:\r\n        $el0 = { 48 89 84 24 9C 00 00 00 4B 0F 8F 79 FF FF FF 00 }\r\n        $el10 = { D8 E1 D9 5D FC D9 04 00 }\r\n        $el12 = { 55 8B EC 83 EC 14 53 56 57 8B 3D ?? ?? ?? ?? 8B 0D 00 }\r\n        $el13 = { 89 4D C8 8B FB 8B C8 00 }\r\n        $el14 = { 8B 4C 24 0C 8B 01 83 F8 63 00 }\r\n        $el16 = { 39 2D ?? ?? ?? ?? 0F 84 F4 00 00 00 8B 35 ?? ?? ?? ?? 2B 35 }\r\n        $el2 = { 7C 02 89 C6 89 35 ?? ?? ?? ?? 89 B4 24 D0 }\r\n        $el23 = { 83 3D ?? ?? ?? ?? 00 0F 84 70 BD FF FF 00 }\r\n        $el25 = { BE 07 00 00 00 BF 04 00 00 00 BB 02 00 00 00 00 }\r\n        $el26 = { 8B 4D 10 C1 E2 04 8B 19 83 EA 30 8B CB 49 }\r\n        $el28 = { 8D 1D ?? ?? ?? ?? 52 8D 05 ?? ?? ?? ?? 51 8D 15 ?? ?? ?? ?? 8D 0D ?? ?? ?? ?? 53 50 52 51 56 57 E8 ?? ?? ?? ?? 83 C4 38 EB 0E 83 EC 04 00 }\r\n        $el3 = { 0F 8F A5 00 00 00 A1 ?? ?? ?? ?? 83 F8 14 7D 0D }\r\n        $el30 = { 8B 5D B0 0F 85 ?? ?? ?? ?? 8D 34 9D ?? ?? ?? ?? 8D 14 9D 00 0F 8E 1B 03 00 00 D9 05 }\r\n        $el31 = { 8B 45 44 6B 00 04 D9 05 ?? ?? ?? ?? D8 B0 }\r\n        $el32 = { E9 7E 04 00 00 8B 74 24 1C 8B 54 24 14 85 }\r\n        $el33 = { 83 39 63 0F 85 21 03 00 00 8B EE 85 F6 0F }\r\n        $el34 = { 85 DB 8B 55 D4 75 2C 89 35 00 }\r\n        $el36 = { 75 18 8D 35 ?? ?? ?? ?? 56 8D 3D 00 }\r\n        $el37 = { 8D 1D ?? ?? ?? ?? 52 8D 05 ?? ?? ?? ?? 51 8D 15 ?? ?? ?? ?? 8D 0D ?? ?? ?? ?? 53 50 52 51 56 57 E8 ?? ?? ?? ?? EB 0E 83 EC 04 56 57 53 E8 95 00 }\r\n        $el39 = { D8 34 85 ?? ?? ?? ?? 8B 44 ?? ?? 8B CA 00 }\r\n        $el4 = { 8B 5D 0C 8B 55 08 8B 36 8B 00 }\r\n        $el40 = { 8D 04 BD ?? ?? ?? ?? 
03 DF 00 }\r\n        $el41 = { 8B EE 85 F6 0F 8E ?? ?? ?? ?? 8D 1C BD 00 }\r\n        $el42 = { D9 04 9D ?? ?? ?? ?? 83 ED 04 05 10 00 00 00 D8 0D 00 }\r\n        $el43 = { 75 2C 89 35 ?? ?? ?? ?? 89 05 ?? ?? ?? ?? 89 15 }\r\n        $el45 = { 89 55 F4 8B F9 8B D3 03 FB C1 E2 02 89 35 }\r\n        $el46 = { 40 23 72 65 63 24 65 69 69 6E 20 2E 30 24 D9 5D 00 D9 03 D8 0D ?? ?? ?? ?? D8 0D 00 }\r\n        $el49 = { DF E0 F6 C4 41 A1 ?? ?? ?? ?? 74 5A }\r\n        $el51 = { FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 9D D9 E0 D9 1D ?? ?? ?? ?? 8B 4C }\r\n        $el53 = { 6A 46 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A 03 }\r\n        $el56 = { D8 05 ?? ?? ?? ?? D9 55 00 9C }\r\n        $el59 = { C2 08 00 A1 ?? ?? ?? ?? 8B 0C 85 ?? ?? ?? ?? 89 0E 00 }\r\n        $el6 = { 83 EC 04 53 E8 ?? ?? ?? ?? EB 09 83 EC 04 53 00 }\r\n        $el61 = { D8 1D ?? ?? ?? ?? DF E0 F6 C4 41 B8 00 00 00 00 75 05 B8 01 00 00 00 85 C0 74 11 6A 29 00 }\r\n        $el63 = { 2B DA 89 3C 03 83 3D 00 }\r\n        $el68 = { D9 5D C0 8B 4D C0 D9 45 E0 89 0E 00 }\r\n        $el70 = { 8B 05 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 0F 85 7E 00 00 00 0F AF 15 00 }\r\n        $el73 = { B9 01 00 00 00 C1 E7 02 8B BF ?? ?? ?? ?? 8B D7 85 FF 8B 55 30 8B 45 30 D8 C9 8B 75 2C 00 9A 8B 00 00 00 1B 00 90 0F 94 C3 0B D8 33 D2 83 3D 00 }\r\n        $el75 = { 2B FB 8B DE C1 E3 02 89 7D A0 03 5D A0 8B 03 F7 F7 DB 0C 02 89 35 }\r\n        $el80 = { 0F 0F 94 C0 23 C3 33 D2 }\r\n        $el81 = { 8B 55 30 8B 75 2C D8 C9 8B 45 30 00 }\r\n        $el83 = { DD 05 ?? ?? ?? ?? 8B 05 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? 0F AF 05 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 0F AF 15 }\r\n        $el89 = { 68 28 00 00 00 57 E8 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 0F AF 1D ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 
8B 05 }\r\n        $el94 = { 8B 75 38 8B 4D 34 D8 C9 8B 00 }\r\n        $el96 = { 8B 55 88 8B 5D B0 83 7D 84 01 }\r\n        $el97 = { 55 8B EC 83 EC 2C 33 D2 53 56 57 8B }\r\n        $el99 = { 55 8B EC 83 EC 2C B9 46 00 00 00 53 56 57 8B 00 }\r\n    condition:\r\n        filesize < 20MB and\r\n        uint16(0) == 0x5A4D and\r\n        2 of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1777624368",
        "uuid": "ba54ed7d-e4e3-41ec-afc0-1d4c324cffe5",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1777624368",
            "to_ids": false,
            "type": "text",
            "uuid": "5c68e6a7-5255-405b-831d-5c468dd9048f",
            "value": "apt_fast16_patch"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1777624368",
            "to_ids": false,
            "type": "comment",
            "uuid": "5d3b6e12-85e1-4ec8-9387-18bf1b5a271e",
            "value": "Detects the fast16 patch code. May be present in statically patched files or memory dumps"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1777624368",
            "to_ids": true,
            "type": "yara",
            "uuid": "7fb3848e-4fd9-47b3-8f39-480c63f12f7f",
            "value": "rule apt_fast16_patch {\r\n\tmeta:\r\n\t\tauthor = \"SentinelLABS/vk\"\r\n\t\tlast_modified = \"2026-04-15\"\r\n\t\tdescription = \"Detects the fast16 patch code. May be present in statically patched files or memory dumps.\"\r\n\t\thash = \"0ff6abe0252d4f37a196a1231fae5f26\"\r\n\tstrings:\r\n\t\t$p1 = { 55 88 50 53 52 51 8D 64 24 94 DD 34 24 51 E8 ?? ?? ?? ?? 59 81 E9 14 00 00 00 8B 99 50 0F 00 00 83 FB 28 76 04 6A 31 }\r\n\t\t$p2 = { 59 81 E9 EE 00 00 00 6A 02 BB B4 05 00 00 01 CB C6 03 EB 43 C6 03 15 8B 44 24 78 83 C0 07 89 81 EC 07 00 00 E9 BF 02 00 00 }\r\n\t\t$p3 = { 50 53 52 51 E8 ?? ?? ?? ?? 59 81 E9 78 01 00 00 D9 99 C4 0F 00 00 8D 64 24 94 DD 34 24 FF B1 C4 0F 00 00 6A 02 EB 2D }\r\n\tcondition:\r\n\t\tany of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545623",
        "uuid": "b1f7cfd4-4354-4182-a2e0-a9cb88c60e2c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545622",
            "to_ids": true,
            "type": "md5",
            "uuid": "609f6c8b-620a-442f-8f04-9ad178c17972",
            "value": "cb66a4d52a30bfcd980fe50e7e3f73f0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545623",
            "to_ids": true,
            "type": "sha1",
            "uuid": "87edfa16-9ff2-48a2-b55b-51c88ed326ee",
            "value": "e6018cd482c012de8b69c64dc3165337bc121b86",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545623",
            "to_ids": true,
            "type": "sha256",
            "uuid": "840d4913-bb80-42f7-94a6-f2db855a9fc6",
            "value": "66fe485f29a6405265756aaf7f822b9ceb56e108afabd414ee222ee9657dd7e2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777626724",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "78b3ea57-135e-406c-8986-ab607107e008",
            "value": "196608:VLEJpTEwrZGNVC9Dem/KxKepaN21k7cDqmw5EDq4luMZ3KMMBDxUMdv:VIJpTESZGNVC9Demix7pac1k7cD9w5Ea"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777626724",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "eaa91b17-0043-4e05-8800-e0e513b55f4e",
            "value": "9219072"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777626724",
            "to_ids": true,
            "type": "vhash",
            "uuid": "cfade34b-831d-45c8-bfc6-2c5e327d4d9a",
            "value": "0960866d5c0d5c051565603162z41z32z13z1035z23z40305bz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777626724",
            "to_ids": true,
            "type": "filename",
            "uuid": "4c11b9d1-b74a-4822-b20e-f572d00382e0",
            "value": "4y4i8.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/05/2026\nLast-scan\t:  30/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777626724",
            "to_ids": false,
            "type": "text",
            "uuid": "727ba34e-c768-4155-b946-8df5ebcdb8ea",
            "value": "Type Description: Win32 EXE\nMicrosoft: Worm:Win32/AutoRun!atmn\nVT Total Detection:64/71\nFirst Submission:2022-09-23T01:07:05.000000+00:00\nLast Submission:2022-09-24T00:28:45.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545625",
        "uuid": "1c93a14a-cb13-4e9d-a467-ee29c8d39fca",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545625",
            "to_ids": true,
            "type": "md5",
            "uuid": "02464675-a5c0-4f11-b069-696dee55a58f",
            "value": "075b4aa105e728f2b659723e3f36c72c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545625",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e45b9c60-8c6b-4532-b349-c187c5de76dd",
            "value": "145ef372c3e9c352eaaa53bb0893749163e49892",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545625",
            "to_ids": true,
            "type": "sha256",
            "uuid": "97ee1487-504b-45d3-85f4-d827bf5ea280",
            "value": "c11a210cb98095422d0d33cbd4e9ecc86b95024f956ede812e17c97e79591cfa",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777626746",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "3a7f7fd0-680a-424c-b3d3-b337f4427fed",
            "value": "196608:IMDyQ+79QkgLerLFXs8bwjzz5cviIEHU2UF:IMDyQ+79QkgarLFXvbwjv5cviIx"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777626746",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "511b2470-c29c-48ee-9565-48c34d31e4b7",
            "value": "6852608"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777626746",
            "to_ids": true,
            "type": "vhash",
            "uuid": "ded54e52-e2bd-4976-af1b-d23e26400ddd",
            "value": "06606e655d5d05656090606003e009c1z1dz32z814z157z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777626746",
            "to_ids": true,
            "type": "filename",
            "uuid": "4b6d2a60-1c43-4e22-af58-ff820140f81d",
            "value": "Epda_p.EXE"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/05/2026\nLast-scan\t:  30/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777626746",
            "to_ids": false,
            "type": "text",
            "uuid": "c68410c5-7492-43c1-869d-f21ea5f7e7fc",
            "value": "Type Description: Win32 EXE\nMicrosoft: Virus:Win32/Almanahe.B\nVT Total Detection:64/71\nFirst Submission:2015-08-06T16:34:15.000000+00:00\nLast Submission:2023-04-04T16:40:57.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545628",
        "uuid": "d6ca4a62-2890-42b4-b4e5-7937aaf49eb9",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545628",
            "to_ids": true,
            "type": "md5",
            "uuid": "c6393bfb-7bdb-478d-a9e0-be0aa3e8fdcc",
            "value": "0ff6abe0252d4f37a196a1231fae5f26",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545628",
            "to_ids": true,
            "type": "sha1",
            "uuid": "3764f6fd-75f3-4954-9610-3ff592d4e008",
            "value": "92e9dcaf7249110047ef121b7586c81d4b8cb4e5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545628",
            "to_ids": true,
            "type": "sha256",
            "uuid": "d4737efc-cae4-4e73-8a7f-24b81733d156",
            "value": "07c69fc33271cf5a2ce03ac1fed7a3b16357aec093c5bf9ef61fbfa4348d0529",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777626767",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "242b53be-9964-461e-b487-27367e08af39",
            "value": "384:sdSiaLb/N8c7FX9X7vnwApsb69uGENx9uGENvisRj3aOf7JhpIHohwIHuENv7i6U:sIF8c7Ft73psb4nfV/IHkwIKPv"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777626767",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7285e1ef-7fd2-45bd-81a3-59b923fd846d",
            "value": "44580"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777626767",
            "to_ids": true,
            "type": "vhash",
            "uuid": "c9363923-2f32-485c-b807-504f55cbc487",
            "value": "044056651d1e5559z36z22xz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777626767",
            "to_ids": true,
            "type": "filename",
            "uuid": "31b08856-2ccb-4647-8c6c-024955a856f0",
            "value": "07c69fc33271cf5a2ce03ac1fed7a3b16357aec093c5bf9ef61fbfa4348d0529.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/05/2026\nLast-scan\t:  30/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777626767",
            "to_ids": false,
            "type": "text",
            "uuid": "9cd6ff41-c0b3-45d3-988b-cb32a7330c50",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:WinNT/FastSixteen.A!dha\nVT Total Detection:38/71\nFirst Submission:2016-10-08T09:09:30.000000+00:00\nLast Submission:2026-04-28T17:26:26.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545631",
        "uuid": "1e1db17d-588a-47e9-8fa0-864dfd76b6a7",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545630",
            "to_ids": true,
            "type": "md5",
            "uuid": "8ad63818-8486-4e51-ab49-fdfc01652e51",
            "value": "1d2f32c57ae2f2013f513d342925e972",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545631",
            "to_ids": true,
            "type": "sha1",
            "uuid": "32f32989-ad5e-4d00-ac3a-fdbf4134dc03",
            "value": "2fa28ef1c6744bdc2021abd4048eefc777dccf22",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545631",
            "to_ids": true,
            "type": "sha256",
            "uuid": "68503009-7cd0-4f86-88cf-e4daef963b2c",
            "value": "5966513a12a5601b262c4ee4d3e32091feb05b666951d06431c30a8cece83010",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777626789",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "31c63f54-dee3-408a-b9a3-a6d9d4624f9d",
            "value": "98304:Im23//w7mbrcSjb086DliVyouRuO55OoxvdPhpNUtKNtRyIWRk1yd6jaMbflertb:Ij3//w78rBb08OLhpNUtKNtRyIWRk1ny"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777626789",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "0d3ca749-2255-403b-bd8b-81518cb14e34",
            "value": "5225591"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777626789",
            "to_ids": true,
            "type": "vhash",
            "uuid": "a929d1fa-413d-4514-aa06-4d7823f5696e",
            "value": "056076650d0d050d05|z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777626789",
            "to_ids": true,
            "type": "filename",
            "uuid": "bc19a523-59c6-49d4-8f43-b14f1e3e7e01",
            "value": "36vz3.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/05/2026\nLast-scan\t:  30/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777626789",
            "to_ids": false,
            "type": "text",
            "uuid": "1d99caec-b331-436b-82a2-98d5a2c60728",
            "value": "Type Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:0/71\nFirst Submission:2016-08-17T14:20:09.000000+00:00\nLast Submission:2016-08-17T14:20:09.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545634",
        "uuid": "c8d46c6f-8a53-47bc-a908-ea4880c93f6a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545633",
            "to_ids": true,
            "type": "md5",
            "uuid": "0af17eb9-6fcb-48d3-8d73-6d7053ab18a8",
            "value": "2740a703859cbd8b43425d4a2cacb5ec",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545633",
            "to_ids": true,
            "type": "sha1",
            "uuid": "1daf9f09-69f2-449a-9da1-6d611c894cf1",
            "value": "ca665b59bc590292f94c23e04fa458f90d7b20c9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545634",
            "to_ids": true,
            "type": "sha256",
            "uuid": "97496c07-0ea5-47ce-bd3f-eea1c9e8e130",
            "value": "aeaa389453f04a9e79ff6c8b7b66db7b65d4aaffc6cac0bd7957257a30468e33",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777626832",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "dea9fb91-c02b-40b4-9e39-404a8951afac",
            "value": "393216:iDAKyx8lt0Alkazvc0AxcS+M2K96Pg7dAY5E/P8SP7l:p6kazvc0AxAM2K96Pg7dAYYDP"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777626832",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "1ec3b874-ad67-4c3b-a8ef-500e99d07a1b",
            "value": "16568320"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777626832",
            "to_ids": true,
            "type": "vhash",
            "uuid": "f2b34e82-50d9-42b3-b8e6-d574a24695c3",
            "value": "017056655d556550d1a08006400b11z12z3f0a5zb2zc94z157z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777626832",
            "to_ids": true,
            "type": "filename",
            "uuid": "52f0c86c-0625-49d7-a7de-b399151afddc",
            "value": "APSRWC.EXE"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/05/2026\nLast-scan\t:  27/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777626832",
            "to_ids": false,
            "type": "text",
            "uuid": "6df25b3a-7cb6-4097-82ff-c22bc6b0028c",
            "value": "Type Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:0/71\nFirst Submission:2017-01-05T02:37:55.000000+00:00\nLast Submission:2017-01-05T02:37:55.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545636",
        "uuid": "d2525095-0271-4302-8e60-2c0a5422991f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545636",
            "to_ids": true,
            "type": "md5",
            "uuid": "07e06707-a1d2-4e5c-9f2e-21cff1958b4a",
            "value": "410eddfc19de44249897986ecc8ac449",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545636",
            "to_ids": true,
            "type": "sha1",
            "uuid": "f2abb585-48d2-498f-b60f-4f9163bd4826",
            "value": "675cb83cec5f25ebbe8d9f90dea3d836fcb1c234",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545636",
            "to_ids": true,
            "type": "sha256",
            "uuid": "e362c729-331f-49bd-b8d9-4306d89cf011",
            "value": "8fcb4d3d4df61719ee3da98241393779290e0efcd88a49e363e2a2dfbc04dae9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777626854",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e3eed68f-5268-42c7-95b1-f880b3474856",
            "value": "384:vLstUHEooNdEA9LdHzedBcTGhssu7mpypzg5xACktZLEBuoHJiXScmoPp8X3:sUHEllxydiTUBuyphxACALEBtJSEo6"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777626854",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7173ce77-3570-4e14-a911-eda22d5455ea",
            "value": "45056"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777626854",
            "to_ids": true,
            "type": "vhash",
            "uuid": "e2b68c3f-914b-4ef6-b81a-eca7ef92fb2c",
            "value": "144046551d151az35?z2"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777626854",
            "to_ids": true,
            "type": "filename",
            "uuid": "b05655d7-4db3-4756-996e-ce746e3a5a86",
            "value": "8fcb4d3d4df61719ee3da98241393779290e0efcd88a49e363e2a2dfbc04dae9.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/05/2026\nLast-scan\t:  30/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777626854",
            "to_ids": false,
            "type": "text",
            "uuid": "a455d025-ec49-47f3-b728-519b9e454f6d",
            "value": "Type Description: Win32 DLL\nMicrosoft: Trojan:Win64/Malgent!MSR\nVT Total Detection:39/71\nFirst Submission:2016-10-08T09:08:05.000000+00:00\nLast Submission:2026-04-29T00:22:55.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545639",
        "uuid": "3fead48b-e47f-4da5-b4f9-be1dfcaef196",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545638",
            "to_ids": true,
            "type": "md5",
            "uuid": "005acb4d-c872-4863-ae67-430931767cf1",
            "value": "49a8934ccd34e2aaae6ea1e6a6313ffe",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545639",
            "to_ids": true,
            "type": "sha1",
            "uuid": "5547e36f-1653-4054-a10e-e956be330de9",
            "value": "3ce5b358c2ddd116ac9582efbb38354809999cb5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545639",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4eeefd85-d259-4c4f-9243-3848b41d4eeb",
            "value": "8b018452fdd64c346af4d97da420681e2e0b55b8c9ce2b8de75e330993b759a0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777626876",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "46719e1e-bdcb-4967-98e4-e45c5de7e3dd",
            "value": "196608:ORqDiR4xKT8US+h8Hhlcf5DRFKFY5d5h5D5WdEj:Or4US+zDFKm5d5h5D5WdM"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777626876",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b82cd8f5-5f8c-44ae-a475-8b6d84a4169b",
            "value": "11849728"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777626876",
            "to_ids": true,
            "type": "vhash",
            "uuid": "02090f46-4172-4094-af7a-dd2930b3a2d7",
            "value": "017046655d1550e1408005c00a91z12z3f0a5z82zc74z157z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777626876",
            "to_ids": true,
            "type": "filename",
            "uuid": "6b80de34-73c6-44f4-941c-685a3f49093d",
            "value": "APSRWC.EXE"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/05/2026\nLast-scan\t:  27/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777626876",
            "to_ids": false,
            "type": "text",
            "uuid": "5f3ec2d8-13de-4519-8317-1b7a44fb205e",
            "value": "Type Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:0/71\nFirst Submission:2023-01-11T17:09:00.000000+00:00\nLast Submission:2023-01-11T17:09:00.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545642",
        "uuid": "4a5a6b9a-e252-4f11-b805-1666df4a3c67",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545641",
            "to_ids": true,
            "type": "md5",
            "uuid": "516e5e83-2705-482f-8d4f-9b0f00366c0c",
            "value": "af4461a149bfd2ba566f2abefe7dcde4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545642",
            "to_ids": true,
            "type": "sha1",
            "uuid": "0153b3fa-8479-4f4e-80c3-2dec61f6174b",
            "value": "586edef41c3b3fba87bf0f0346c7e402f86fc11e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545642",
            "to_ids": true,
            "type": "sha256",
            "uuid": "8778dc1d-620f-4912-b0ab-e70717dec0b8",
            "value": "09ca719e06a526f70aadf34fb66b136ed20f923776e6b33a33a9059ef674da22",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777626898",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "bbf31d51-f30a-4df8-9dd6-19ea7d96c616",
            "value": "196608:woIAoE74N76NXwoZEqwv22QjtAUNIJjrJ8VKhdihi++tg0UubPmqzFG8jDXJa4Yx:woqGjY9fjrAq60QegEOF4cFyNb/bH9hS"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777626898",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "dcae5f31-1dc4-446e-ae51-0059dd481871",
            "value": "7716864"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777626898",
            "to_ids": true,
            "type": "vhash",
            "uuid": "eb447191-ec85-4462-8cae-5b191c1b384a",
            "value": "07606e655d556d051090706004400a11z13z17z42z8d4z157z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777626898",
            "to_ids": true,
            "type": "filename",
            "uuid": "0da509a6-25d0-40dd-9d86-6cb42024be98",
            "value": "CcodeShear.EXE"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-05-01\nLast-scan: 2026-04-30",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777626898",
            "to_ids": false,
            "type": "text",
            "uuid": "e8a5b63f-420e-4e54-b10b-5d6c96fd9914",
            "value": "Type Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:3/71\nFirst Submission:2015-01-21T00:51:10.000000+00:00\nLast Submission:2015-01-21T00:51:10.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545645",
        "uuid": "a963f1a0-4450-473f-8462-4549e30b45ff",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545644",
            "to_ids": true,
            "type": "md5",
            "uuid": "7857512d-1a90-4781-807d-2b91c23ab6c5",
            "value": "cf859f164870d113608a843e4a9600ab",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545645",
            "to_ids": true,
            "type": "sha1",
            "uuid": "c548162c-4fd5-42b4-9d01-7eae3fcf042d",
            "value": "952ed694b60c34ba12df9d392269eae3a4f11be4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545645",
            "to_ids": true,
            "type": "sha256",
            "uuid": "797fd241-477e-4105-b144-b4d99be991d3",
            "value": "7e00030a35504de5c0d16020aa40cbaf5d36561e0716feb8f73235579a7b0909",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777626920",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "745a0b6b-c969-4c10-876e-48ed51fb7ce8",
            "value": "196608:MJpTEwrZGNVC9Dem/KxKepaN21k7cDqmw5EDq4luMZ3KMMBDxUMd:MJpTESZGNVC9Demix7pac1k7cD9w5EDW"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777626920",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "e23909be-a7ac-40c9-a213-670d3b29853b",
            "value": "8392704"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777626920",
            "to_ids": true,
            "type": "vhash",
            "uuid": "43c06574-2f24-4354-89d1-a653f60b7863",
            "value": "086066655d5d05651090606003e009e1z1dz32z814z156z1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777626920",
            "to_ids": true,
            "type": "filename",
            "uuid": "8481f0e0-e2a1-40d2-8be7-f6cb2b6836fe",
            "value": "WinChk.EXE"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-05-01\nLast-scan: 2026-04-30",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777626920",
            "to_ids": false,
            "type": "text",
            "uuid": "1d7588cd-5254-4001-8e99-4179c5ce9403",
            "value": "Type Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:1/71\nFirst Submission:2013-08-15T05:22:19.000000+00:00\nLast Submission:2013-08-15T05:23:11.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545648",
        "uuid": "823dd2d9-8fc8-4a68-8310-f242836c98f4",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545647",
            "to_ids": true,
            "type": "md5",
            "uuid": "3231aed3-f746-404d-8d48-5ce234c1ed66",
            "value": "daea40562458fc7ae1adb812137d3d05",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545647",
            "to_ids": true,
            "type": "sha1",
            "uuid": "970d85e1-3767-4cea-9288-541dc71d317d",
            "value": "1ce1111702b765f5c4d09315ff1f0d914f7e5c70",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545648",
            "to_ids": true,
            "type": "sha256",
            "uuid": "8e27bd57-06a4-40bc-b828-a28458d07132",
            "value": "da2b170994031477091be89c8835ff9db1a5304f3f2f25344654f44d0430ced1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777626942",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "5a56c28d-a0b4-4ae8-9bfd-b8a762222f99",
            "value": "196608:rJpTEwrZGNVC9Dem/KxKepaN21k7cDqmw5EDq4luMZ3KMMBDxUMd:rJpTESZGNVC9Demix7pac1k7cD9w5EDW"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777626942",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "df18b865-8ba4-4a21-8283-98de546d19f0",
            "value": "8454144"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777626942",
            "to_ids": true,
            "type": "vhash",
            "uuid": "7df6add4-5f89-43dd-b516-1b5830892a5d",
            "value": "086076655d5d05651e7090606003e009e1z1dz32z814z156z1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777626942",
            "to_ids": true,
            "type": "filename",
            "uuid": "f1b781ae-465e-41c4-8f3c-93726e56ccbd",
            "value": "WinChk.EXE"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-05-01\nLast-scan: 2026-04-30",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777626942",
            "to_ids": false,
            "type": "text",
            "uuid": "d7b0ef3e-57d6-454a-a898-55204c8c907c",
            "value": "Type Description: Win32 EXE\nMicrosoft: Virus:Win32/Ramnit.A\nVT Total Detection:66/71\nFirst Submission:2022-09-23T00:22:09.000000+00:00\nLast Submission:2022-09-23T00:22:09.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545651",
        "uuid": "9c076142-d228-469b-9bc5-a0faaa646443",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545650",
            "to_ids": true,
            "type": "md5",
            "uuid": "68300a62-243d-497b-9852-e67a5a37f302",
            "value": "dbe51eabebf9d4ef9581ef99844a2944",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545650",
            "to_ids": true,
            "type": "sha1",
            "uuid": "2c720563-7ff5-4c4d-81c5-af4d46ce2bc5",
            "value": "de584703c78a60a56028f9834086facd1401b355",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545651",
            "to_ids": true,
            "type": "sha256",
            "uuid": "75bb6d18-c8ab-4932-8f7b-75c04c29e018",
            "value": "9a10e1faa86a5d39417cae44da5adf38824dfb9a16432e34df766aa1dc9e3525",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777626963",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c972865e-73f9-47c3-8558-1e8c4e98026f",
            "value": "6144:m3OWeNij2x1aykBB6MIGg+OkI+pEqX5N3:Ry2fHkKM7g+Okxp"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777626963",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b11c50f6-38bf-4560-9521-8c246f706c09",
            "value": "315392"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777626963",
            "to_ids": true,
            "type": "vhash",
            "uuid": "0c37687f-279b-4c05-9d82-5259438cb56e",
            "value": "035036655d11e8z5b1z2rz97z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777626963",
            "to_ids": true,
            "type": "filename",
            "uuid": "91ec3589-84f2-435f-93d9-033b3f1e4fda",
            "value": "9a10e1faa86a5d39417cae44da5adf38824dfb9a16432e34df766aa1dc9e3525.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-05-01\nLast-scan: 2026-04-30",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777626963",
            "to_ids": false,
            "type": "text",
            "uuid": "184c71cf-c325-422d-b71d-44521b953358",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:43/71\nFirst Submission:2016-10-08T09:08:06.000000+00:00\nLast Submission:2026-04-27T14:37:30.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545653",
        "uuid": "44b9e471-61fc-4192-b386-36b5f75c91d5",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545652",
            "to_ids": true,
            "type": "md5",
            "uuid": "79afe6ab-ce2f-491a-84ec-233eab816b9c",
            "value": "e0c10106626711f287ff91c0d6314407",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545653",
            "to_ids": true,
            "type": "sha1",
            "uuid": "b7b5b616-26fd-4825-a273-0c03b0dc86ba",
            "value": "650fc6b3e4f62ecdc1ec5728f36bb46ba0f74d05",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545653",
            "to_ids": true,
            "type": "sha256",
            "uuid": "5c71ada4-8d2e-43c9-8580-3ec042b8bc2a",
            "value": "06361562cc53d759fb5a4c2b7aac348e4d23fe59be3b2871b14678365283ca47",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777626985",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "dffd767d-8930-4dbd-a08c-673e32aedd6c",
            "value": "393216:zdaxxTC3GMLctsLmx3U2VtD3TC4jzFbQmdXXbPrHIcgiWI3:zQ23lix3U2VtD3TC4jzFbQmdXXbProSW"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777626985",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "bdfc25ec-0452-4b85-93ee-9de5153c7959",
            "value": "16355328"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777626985",
            "to_ids": true,
            "type": "vhash",
            "uuid": "82206de9-00a1-47e5-8522-9739340d2e59",
            "value": "01705e655d556550d1a08006200ad1z12z3f0a5zb2zc64z157z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777626985",
            "to_ids": true,
            "type": "filename",
            "uuid": "25e5d78a-5ca8-489e-9de8-82450d5d4d5b",
            "value": "APSRWC.EXE"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-05-01\nLast-scan: 2026-04-30",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777626985",
            "to_ids": false,
            "type": "text",
            "uuid": "2dddf189-77a5-4308-aa74-9d985fc315e9",
            "value": "Type Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:1/71\nFirst Submission:2015-01-16T07:51:07.000000+00:00\nLast Submission:2015-01-16T07:51:07.000000+00:00"
          }
        ]
      }
    ]
  }
}