{
  "Event": {
    "analysis": "1",
    "date": "2026-03-26",
    "extends_uuid": "",
    "info": "[Threat Intel] The Return of the Kinsing",
    "protected": false,
    "publish_timestamp": "1775900431",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1775900430",
    "uuid": "8d7c4b27-fba2-4068-90c1-36036d8735e8",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#a4da83",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Cron - T1053.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#75ec20",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#b24806",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Indicator Removal - T1070\"",
        "relationship_type": ""
      },
      {
        "colour": "#7628f7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Unix Shell - T1059.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#e43954",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#a0cbec",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Systemd Service - T1543.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Kinsing\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120046",
        "local": false,
        "name": "rectifyq:sub-category=\"infra-profile\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774609229",
        "to_ids": false,
        "type": "link",
        "uuid": "c821788d-538d-44b8-ba5b-a39f61131f54",
        "value": "https://www.vulncheck.com/blog/return-of-the-kinsing"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774609229",
        "to_ids": false,
        "type": "text",
        "uuid": "cea41807-72df-45a1-af82-a716a72dfc78",
        "value": "A Canary Intelligence team analysis revealed the resurgence of the Kinsing malware, exploiting three CVEs: CVE-2023-46604 (ActiveMQ), CVE-2023-38646 (Metabase), and CVE-2025-55182 (React2Shell). The attacks, originating from IP 212.113.98.30, converged on a shared staging host at 78.153.140.16. The malware's tactics include downloading and installing a Go-based Linux binary and a stealthy libsystem.so component. The exploitation methods involve retrieving and executing malicious scripts, leading to the installation of Kinsing's core components. This cluster of activity demonstrates how older malware families can remain relevant by exploiting new vulnerabilities without significantly changing their core binaries."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774609229",
        "to_ids": false,
        "type": "text",
        "uuid": "43ae2c7d-8240-4dc0-bfa1-fda9262fa7c5",
        "value": "Name: The Return of the Kinsing\nAuthor: AlienVault\nAdversary: Kinsing\nTags: [\"metabase\", \"activemq\", \"cve-2023-46604\", \"linux\", \"go\", \"kinsing\", \"react2shell\", \"cve-2025-55182\", \"cve-2023-38646\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: [\"T1053.003\", \"T1082\", \"T1036\", \"T1055\", \"T1070\", \"T1059.004\", \"T1562.001\", \"T1027\", \"T1543.002\", \"T1105\"]\nIndustries: []"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774609229",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "94065046-bfbe-4278-9a80-65ab178f1d3a",
        "value": "Kinsing"
      },
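      {
        "category": "Network activity",
        "comment": "Attacker IP (origin of the exploitation attempts; typed ip-dst here, so also match it as a source address on inbound traffic)",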
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775888482",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "260097b3-7142-4de8-96f8-91324ebcc9b5",
        "value": "212.113.98.30",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Staging Host",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775888504",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "1d0478b6-63fb-49ec-a84b-dc746b0761c8",
        "value": "78.153.140.16",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "ActiveMQ delivery artifact",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775888525",
        "to_ids": true,
        "type": "url",
        "uuid": "e5d7156b-eeab-4aa7-8167-8b52ae6bccfb",
        "value": "http://78.153.140.16/acb.xml",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Metabase stager",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775888547",
        "to_ids": true,
        "type": "url",
        "uuid": "1b5ffbc0-e5cd-463d-ab08-e6162144f580",
        "value": "http://78.153.140.16/mt.sh",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "CVE-2025-55182 stager",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775888568",
        "to_ids": true,
        "type": "url",
        "uuid": "5ccc02da-e6d3-452a-9b6a-89ef356b5334",
        "value": "http://78.153.140.16/re.sh",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775879347",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "110680a3-774f-41be-b2a5-e829cd190a12",
        "value": "CVE-2025-55182"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775879432",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "87cb8723-2fee-4cd5-95af-f9e0ab811eaa",
        "value": "CVE-2023-46604"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775879432",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "3aa8e7d9-3e95-4217-838f-98bb0c4da017",
        "value": "CVE-2023-38646"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775888589",
        "uuid": "60f7f8eb-8788-439d-a731-db93a89f7bec",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775888589",
            "to_ids": true,
            "type": "md5",
            "uuid": "938d0ee0-30e0-4564-bb90-3421b589c974",
            "value": "b3039abf2ad5202f4a9363b418002351",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775884376",
            "to_ids": true,
            "type": "sha1",
            "uuid": "70f4f947-33ff-47c4-837c-1155bd4f4f6b",
            "value": "0ceb8ffb0be23b808b534d744440f4367e17b9c5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775884376",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b0c16e9b-d705-4944-9e0a-c42c33501449",
            "value": "787e2c94e6d9ce5ec01f5cbe9ee2518431eca8523155526d6dc85934c9c5787c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775883763",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f51aaff8-04e0-4ec5-a0d0-716513cbb846",
            "value": "49152:wCe/ydXZSrb/TJvO90dL3BmAFd4A64nsfJvaWi9sglz/KbwLjFfiawr1eAOkzDIK:3eidO9suPF+NL4FiBnIrb3rE"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775883763",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "6fdb221e-39e7-490d-a168-02f2baa0d20d",
            "value": "5967872"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775883763",
            "to_ids": true,
            "type": "vhash",
            "uuid": "01d2cb0c-da39-451a-b7e9-b61bbd1502e0",
            "value": "83b7e04a4a6d626d7dd712758613d1d5"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775883763",
            "to_ids": true,
            "type": "filename",
            "uuid": "d5d297e0-0c37-4d6b-bd51-2f0ecee304cb",
            "value": "kinsing"
          },
          {
            "category": "Other",
            "comment": "Checked: 11/04/2026\nLast-scan\t:  15/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775883763",
            "to_ids": false,
            "type": "text",
            "uuid": "ae46b1fc-ba7c-428e-ac52-30b24994312d",
            "value": "Type Description: ELF\nMicrosoft: Exploit:Linux/CVE-2023-32315!MTB\nVT Total Detection:44/65\nFirst Submission:2023-07-30T10:30:15.000000+00:00\nLast Submission:2026-03-11T10:12:02.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775888611",
        "uuid": "41e86918-c08a-4ad9-be2a-305ac88e6e47",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775888611",
            "to_ids": true,
            "type": "md5",
            "uuid": "f1b8ca7e-2acf-44c8-8bae-54dc0bd02f07",
            "value": "ccef46c7edf9131ccffc47bd69eb743b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775884378",
            "to_ids": true,
            "type": "sha1",
            "uuid": "2647e503-9ad8-4cf9-b5a9-f26aa0ac114b",
            "value": "38c56b5e1489092b80c9908f04379e5a16876f01",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775884378",
            "to_ids": true,
            "type": "sha256",
            "uuid": "85840481-c007-4e50-af70-4514abf519d0",
            "value": "c38c21120d8c17688f9aeb2af5bdafb6b75e1d2673b025b720e50232f888808a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775883785",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "19190cf5-df34-46b7-93c1-7d42d46c3c66",
            "value": "384:GkV8prsuhCY63B9dBRi9JsdgUa/Q1NXJZ6Cb1b:ZaLOVT6E"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775883785",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "39af1d8e-e933-4534-ae15-3f05db40d541",
            "value": "26800"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775883785",
            "to_ids": true,
            "type": "vhash",
            "uuid": "e42cec00-fa57-4702-8ec2-3d388679b67d",
            "value": "fe6bc79726e96c10105967299ddec168"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775883785",
            "to_ids": true,
            "type": "filename",
            "uuid": "6f3fc5bc-c9b7-4b87-8c0a-b0da2e6a9626",
            "value": "libsystem.so"
          },
          {
            "category": "Other",
            "comment": "Checked: 11/04/2026\nLast-scan\t:  18/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775883785",
            "to_ids": false,
            "type": "text",
            "uuid": "2c740957-94e8-4e9e-a4d8-e5971939eb54",
            "value": "Type Description: ELF\nMicrosoft: Trojan:Linux/Downlodr.AC!MTB\nVT Total Detection:46/65\nFirst Submission:2020-08-12T00:52:08.000000+00:00\nLast Submission:2026-02-10T10:33:14.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775888632",
        "uuid": "a2331257-c7e8-46cc-a301-6bf21c34aaea",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775888632",
            "to_ids": true,
            "type": "md5",
            "uuid": "06650e42-50b2-46f0-92c0-e0387f410440",
            "value": "dbc9125192bd1994cbb764f577ba5dda",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775884379",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e5ba0940-efe1-4e06-bb85-e431124d0cde",
            "value": "6feb75ac62120bae1e92ab16184c1eb0b795e4b3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775884379",
            "to_ids": true,
            "type": "sha256",
            "uuid": "111c820e-34df-466c-9c1b-ee9b05358e12",
            "value": "6b9e23cb675be370a18a0c4482dc566be28920d4f1cd8ba6b4527f80acf978d3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775883807",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "ad673790-c31b-4aae-abd2-ebcb2207ee6f",
            "value": "49152:4o6QFXZbyTDf3Ef6tBv/lszlIO4HNNnriA8OjCrsKIU6ipJ4jRsQkxMIcgk/ye3f:WKUDf3E2F/xQO+T41sQVIcgk/ywZkqA"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775883807",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "cde3d875-21ec-452d-b1fb-37c23db1bee9",
            "value": "3402712"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775883807",
            "to_ids": true,
            "type": "vhash",
            "uuid": "9a78daad-1460-46e6-8779-5427fe6b00d1",
            "value": "b157e1bbc340429ab0d804e5a52a766b"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775883807",
            "to_ids": true,
            "type": "filename",
            "uuid": "c7c922da-d46f-4e06-a583-6cce632b4ad2",
            "value": "curl-amd64"
          },
          {
            "category": "Other",
            "comment": "Checked: 11/04/2026\nLast-scan\t:  31/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775883807",
            "to_ids": false,
            "type": "text",
            "uuid": "f6ffbb85-2380-4bcd-a661-c3b788679954",
            "value": "Type Description: ELF\nMicrosoft: Trojan:Linux/KinSing!MTB\nVT Total Detection:26/64\nFirst Submission:2020-12-17T15:56:33.000000+00:00\nLast Submission:2025-12-23T13:49:42.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775888653",
        "uuid": "fd06e7ac-b0e0-4b73-b431-6658ebb64d1e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775888653",
            "to_ids": true,
            "type": "md5",
            "uuid": "507ce89b-22d5-41ee-8dc9-af35911d1019",
            "value": "ad2bc23775f70f5dcc25c8d33bb368b6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775884380",
            "to_ids": true,
            "type": "sha1",
            "uuid": "b6ef02ec-5d47-46b7-af8e-440a9a788843",
            "value": "53a1aed3075140e6bc568f093b1f5a151ecc7dc9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775884380",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b1ae373f-a05a-43f4-85ad-e33feaa4c64c",
            "value": "afc7822d9e561982f5ed22faf76b35ad4b432eaa6cac0cd0fcafc9e67314a8fd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775883828",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a21f3c2f-a031-4a4c-ac9b-24459a0a9bad",
            "value": "384:rQ+ihlH2wx2vUaQa5/eN86704s80ooJQYgykWT4yCtvUsDjdWOoJwNX:Ma7YJDj8OoJwNX"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775883828",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "80a84242-b516-4935-9f96-78941cd22c2c",
            "value": "17573"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775883828",
            "to_ids": true,
            "type": "filename",
            "uuid": "af88b968-5550-4e4e-8842-9ddd366f3076",
            "value": "afc7822d9e561982f5ed22faf76b35ad4b432eaa6cac0cd0fcafc9e67314a8fd.sh"
          },
          {
            "category": "Other",
            "comment": "Checked: 11/04/2026\nLast-scan\t:  10/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775883828",
            "to_ids": false,
            "type": "text",
            "uuid": "3fd68913-099d-45ff-929c-c44cf70c36b3",
            "value": "Type Description: Shell script\nMicrosoft: Trojan:Linux/CoinMiner.AF!MTB\nVT Total Detection:35/62\nFirst Submission:2026-03-26T10:01:30.000000+00:00\nLast Submission:2026-04-03T15:08:36.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775888674",
        "uuid": "77ce0033-d43c-49bc-ab3c-647f76a540e9",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775888674",
            "to_ids": true,
            "type": "md5",
            "uuid": "e9512915-7a15-4ba1-9106-9cac9deba3cf",
            "value": "a0792abb7058ce995bbc527935f7edb8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775884381",
            "to_ids": true,
            "type": "sha1",
            "uuid": "69250f36-446b-41cb-990f-26a87dfc50d3",
            "value": "596470fd9031b76eddde02568f7d5dee7a66a910",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775884381",
            "to_ids": true,
            "type": "sha256",
            "uuid": "54f3d4f4-471e-470f-93d6-741cfa78762e",
            "value": "e60e7bd42ea0fd29523f6f27dc8005b6a5c68f23d105fd3952b0275b30325f18",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775883850",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "3e6cc3ad-9e86-4c46-8b60-6f2d8904b5b7",
            "value": "12:TMHdxXzY8id/73AC7ikxGWi2jLak9FFFCCZ7UsDCdnn:2dxXzY8kj/8Wi2jtvZNUQc"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775883850",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "e99c36a6-610e-4928-8346-d0a1e6e968b1",
            "value": "656"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775883850",
            "to_ids": true,
            "type": "filename",
            "uuid": "3b132ae7-a38d-41c1-b9a1-3cda46100465",
            "value": "acb.xml"
          },
          {
            "category": "Other",
            "comment": "Checked: 11/04/2026\nLast-scan\t:  07/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775883850",
            "to_ids": false,
            "type": "text",
            "uuid": "5d6de2f8-550c-423d-bee6-21d81dfcda4f",
            "value": "Type Description: XML\nMicrosoft: None\nVT Total Detection:8/62\nFirst Submission:2026-03-26T10:02:42.000000+00:00\nLast Submission:2026-03-26T10:02:42.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775888696",
        "uuid": "ca108572-d8e9-449d-a9e4-3073b5b9355f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775888696",
            "to_ids": true,
            "type": "md5",
            "uuid": "23e6c409-7cb5-482b-91e2-664d769e3f5f",
            "value": "a6d76633d88529acfe0df3ee4ccbfbc3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775884382",
            "to_ids": true,
            "type": "sha1",
            "uuid": "6a26a6fb-7ee9-4bb6-82a8-79099181ba65",
            "value": "df7367261598cfed1fca9fd11504071937f38350",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775884383",
            "to_ids": true,
            "type": "sha256",
            "uuid": "7131537c-1f86-43d2-b632-3e4e9a8d82f8",
            "value": "f65fba5d584c265f92c3628ed8f3c05c5d0c65fc9947d1af907a2df49fea5cf6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775883871",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "18487078-cbba-49fe-b1a6-6a9f5c4b9500",
            "value": "384:rfcMihlH2wx2vUaQa5/eN86704s80ooJQYgykWT4yCtvUsDjdWOoJwt3:zcg7YJDj8OoJwt3"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775883871",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "344df2cc-8412-439c-9044-590edd1e66f3",
            "value": "16878"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775883871",
            "to_ids": true,
            "type": "filename",
            "uuid": "8b58a1c9-8daf-46f9-aa31-cfe335ecf79d",
            "value": "_f65fba5d584c265f92c3628ed8f3c05c5d0c65fc9947d1af907a2df49fea5cf6.sh"
          },
          {
            "category": "Other",
            "comment": "Checked: 11/04/2026\nLast-scan\t:  05/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775883871",
            "to_ids": false,
            "type": "text",
            "uuid": "59a85896-d867-49fd-a4d2-da0e12747656",
            "value": "Type Description: Shell script\nMicrosoft: Trojan:Linux/CoinMiner.AF!MTB\nVT Total Detection:37/62\nFirst Submission:2026-03-06T02:45:35.000000+00:00\nLast Submission:2026-03-26T22:55:12.000000+00:00"
          }
        ]
      }
    ]
  }
}