{
  "Event": {
    "analysis": "1",
    "date": "2026-03-12",
    "extends_uuid": "",
    "info": "[Threat Intel] \"Handala Hack\" - Unveiling Group's Modus Operandi",
    "protected": false,
    "publish_timestamp": "1774022030",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1774011130",
    "uuid": "b0e1480e-1356-4edb-abae-c37e88a9eec3",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#5dfed4",
        "local": false,
        "name": "misp-galaxy:producer=\"Check Point\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#705cef",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#f8140a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation - T1047\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disk Structure Wipe - T1561.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#7773ac",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"",
        "relationship_type": ""
      },
      {
        "colour": "#8efd0f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Security Account Manager - T1003.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Domain Account - T1087.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#657ac3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Protocol Tunneling - T1572\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Group Policy Modification - T1484.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#07ff3c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#1acf09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Trusted Relationship - T1199\"",
        "relationship_type": ""
      },
      {
        "colour": "#70b0b5",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Brute Force - T1110\"",
        "relationship_type": ""
      },
      {
        "colour": "#36d931",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\"",
        "relationship_type": ""
      },
      {
        "colour": "#e66f0c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Domain Accounts - T1078.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#7a060d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Network Logon Script - T1037.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#a05856",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Destruction - T1485\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#370063",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#26fab6",
        "local": false,
        "name": "misp-galaxy:target-information=\"Israel\"",
        "relationship_type": ""
      },
      {
        "colour": "#d9210a",
        "local": false,
        "name": "misp-galaxy:target-information=\"Albania\"",
        "relationship_type": ""
      },
      {
        "colour": "#b8ab01",
        "local": false,
        "name": "misp-galaxy:target-information=\"United States\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"Handala\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"Void Manticore\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#18005c",
        "local": false,
        "name": "rectifyq:topic=\"ai\"",
        "relationship_type": ""
      },
      {
        "colour": "#1c006d",
        "local": false,
        "name": "rectifyq:topic=\"geopolitical\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Handala\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773658823",
        "to_ids": false,
        "type": "link",
        "uuid": "b234e170-d0f1-4e9b-9187-c81885ac41a1",
        "value": "https://research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-operandi"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773658823",
        "to_ids": false,
        "type": "text",
        "uuid": "dcb58dde-c950-45c8-8b55-805c39474a04",
        "value": "Handala Hack, an online persona operated by Void Manticore, is affiliated with Iranian intelligence services. The group, known for destructive wiping attacks and hack-and-leak operations, has targeted organizations in Israel, Albania, and the US. Their tactics include supply chain attacks, credential theft, and manual intrusions. The group deploys multiple wiping methods simultaneously, including custom malware, PowerShell scripts, and disk encryption. Recent activities show expanded targeting and some new techniques, such as using NetBird for tunneling and AI-assisted wiping scripts. Despite some operational security lapses, Handala continues to pose a significant threat, primarily through hands-on, opportunistic attacks."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773658823",
        "to_ids": false,
        "type": "text",
        "uuid": "fbfe81ec-eb2f-467f-9d6f-6f823376b7bd",
        "value": "Name: \"Handala Hack\" - Unveiling Group's Modus Operandi\nAuthor: AlienVault\nAdversary: Handala Hack (Void Manticore)\nTags: [\"supply chain\", \"credential theft\", \"iranian threat actor\", \"handala wiper\", \"wiping attacks\"]\nTargeted countries: [\"Israel\", \"Albania\", \"United States of America\"]\nMalware families: [\"Handala Wiper\"]\nAttack_ids: [\"T1053.005\", \"T1047\", \"T1561.002\", \"T1133\", \"T1003.002\", \"T1087.002\", \"T1572\", \"T1484.001\", \"T1003.001\", \"T1059.001\", \"T1199\", \"T1110\", \"T1486\", \"T1078.002\", \"T1037.003\", \"T1485\", \"T1105\", \"T1021.001\"]\nIndustries: [\"Government\", \"Telecommunications\", \"Healthcare\", \"Technology\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773658823",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "86cbf272-833c-48af-9232-030ad94c8ed4",
        "value": "Handala Hack (Void Manticore)"
      },
      {
        "category": "Network activity",
        "comment": "VPN exit node used by Handala",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774001338",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "101cad48-9673-469e-ae94-1d14c65f366e",
        "value": "146.185.219.235",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Handala PowerShell wiper. No sample in VT.\r\nLast check: 20/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773999171",
        "to_ids": true,
        "type": "md5",
        "uuid": "be07aa92-bea1-4e31-8b2d-7d38158b5dce",
        "value": "3cb9dea916432ffb8784ac36d1f2d3cd",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Handala Wiper. No sample in VT.\r\nLast check: 20/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773999173",
        "to_ids": true,
        "type": "md5",
        "uuid": "e060db4d-c31f-4d57-b0b0-4f6f450928b0",
        "value": "5986ab04dd6b3d259935249741d3eff2",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Handala VPS",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774001360",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "9d61afc1-626e-4891-accf-69b92800a6c4",
        "value": "107.189.19.52",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Handala VPS",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774001381",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "ed5bb267-49e8-48ad-bf4a-8f6009af7908",
        "value": "31.57.35.223",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Handala VPS",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774001403",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "01511f41-a99a-47ae-95cf-e38d3ca410f0",
        "value": "82.25.35.25",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
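        "comment": "Starlink IP range used by Handala (shared ISP range; unrelated traffic is expected, so use matches as supporting context rather than a standalone detection)",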
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774001424",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "624fc192-cdc7-404a-83bb-fd2e64f2312c",
        "value": "188.92.255.0/24",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
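        "comment": "Starlink IP range used by Handala (shared ISP range; unrelated traffic is expected, so use matches as supporting context rather than a standalone detection)",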
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774001445",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "54d662d4-42f6-4be4-a90b-c6398ef56df1",
        "value": "209.198.131.0/24",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
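        "comment": "Commercial VPN IP range used by Handala (shared VPN range; unrelated traffic is expected, so use matches as supporting context rather than a standalone detection)",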
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774001466",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "fa6ea6bd-71d7-4b0d-9ef4-5425c859e48d",
        "value": "149.88.26.0/24",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
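        "comment": "Commercial VPN IP range used by Handala (shared VPN range; unrelated traffic is expected, so use matches as supporting context rather than a standalone detection)",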
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774001487",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "2d6c10c8-5fb4-41a0-9f79-07b3be204c73",
        "value": "169.150.227.0/24",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Targeting data",
        "comment": "Handala Machine Name",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773996904",
        "to_ids": false,
        "type": "target-machine",
        "uuid": "ad9daabd-e074-4f7e-9dc2-361d18b72122",
        "value": "WIN-P1B7V100IIS"
      },
      {
        "category": "Targeting data",
        "comment": "Handala Machine Name",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773996904",
        "to_ids": false,
        "type": "target-machine",
        "uuid": "f117cbc9-42f6-40d4-91d3-475c1d893353",
        "value": "DESKTOP-FK1NPHF"
      },
      {
        "category": "Targeting data",
        "comment": "Handala Machine Name",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773996904",
        "to_ids": false,
        "type": "target-machine",
        "uuid": "7637b5e4-bb4b-4459-8caa-fa3fc725a270",
        "value": "DESKTOP-R1FMLQP"
      },
      {
        "category": "Targeting data",
        "comment": "Handala Machine Name",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773996904",
        "to_ids": false,
        "type": "target-machine",
        "uuid": "147b73ca-3074-47d4-98eb-de10b53dc662",
        "value": "WIN-DS6S0HEU0CA"
      },
      {
        "category": "Targeting data",
        "comment": "Handala Machine Name",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773996904",
        "to_ids": false,
        "type": "target-machine",
        "uuid": "960bdb39-1b6c-472c-a1d5-d2b8b870718a",
        "value": "DESKTOP-T3SOB36"
      },
      {
        "category": "Targeting data",
        "comment": "Handala Machine Name",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773996904",
        "to_ids": false,
        "type": "target-machine",
        "uuid": "63a42b47-8bdd-43c9-860e-df391f795212",
        "value": "WIN-GPPA5GI4QQJ"
      },
      {
        "category": "Targeting data",
        "comment": "Handala Machine Name",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773996904",
        "to_ids": false,
        "type": "target-machine",
        "uuid": "3e292a1b-27b6-45ba-b8d7-7ab58ed422bf",
        "value": "VULTR-GUEST"
      },
      {
        "category": "Targeting data",
        "comment": "Handala Machine Name",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773996904",
        "to_ids": false,
        "type": "target-machine",
        "uuid": "fd212d0d-478b-451d-9e03-816255b78862",
        "value": "DESKTOP-HU45M79"
      },
      {
        "category": "Targeting data",
        "comment": "Handala Machine Name",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773996904",
        "to_ids": false,
        "type": "target-machine",
        "uuid": "9f2edb11-a5fa-42c2-9906-2740468083cb",
        "value": "DESKTOP-TNFP4JF"
      },
      {
        "category": "Targeting data",
        "comment": "Handala Machine Name",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773996904",
        "to_ids": false,
        "type": "target-machine",
        "uuid": "96d4ee2a-09a5-4a0b-b29f-ef61c07d624c",
        "value": "DESKTOP-14O69KQ"
      },
      {
        "category": "Targeting data",
        "comment": "Handala Machine Name",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773996904",
        "to_ids": false,
        "type": "target-machine",
        "uuid": "21608477-22b5-4a40-9c04-4e92249982b9",
        "value": "DESKTOP-9KG46L1"
      },
      {
        "category": "Targeting data",
        "comment": "Handala Machine Name",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773996904",
        "to_ids": false,
        "type": "target-machine",
        "uuid": "63e6ef67-4b32-43f5-a54c-36c0d919fbe5",
        "value": "DESKTOP-G2MH4KD"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774001509",
        "uuid": "0ee606e2-1900-4deb-beea-87732182d61a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "VeraCrypt Installer",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1774001509",
            "to_ids": true,
            "type": "md5",
            "uuid": "8ce8bcd0-914c-4c69-bdca-6036effae601",
            "value": "3236facc7a30df4ba4e57fddfba41ec5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "VeraCrypt Installer",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1773999167",
            "to_ids": true,
            "type": "sha1",
            "uuid": "1b3aa30d-0e8e-4299-831d-5be17f5027e1",
            "value": "f3e6e0c1fb3886dfe01019e312ee1c663920ff4c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "VeraCrypt Installer",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1773999167",
            "to_ids": true,
            "type": "sha256",
            "uuid": "2d8505f0-8c1e-4b86-8c05-0305d5a46ebb",
            "value": "08b80ab6a6c4eca08e18096c9468fe0bd2e33fc23142730e59177e6fcd7c902d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1773998787",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "178f25b9-89d2-4422-8d44-acfc8291fd13",
            "value": "786432:CSXRZElYZRAq82AJ5wlIZQ6jOOma+2xYYX0HR98U4wcgkYf1uX+EGyW4oyDmE0dj:CSXRZElYZRAq82AJ5wlIZQ6jOOma+2xC"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1773998787",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "efa0f323-65dd-4250-865b-9c3e6517debd",
            "value": "40643880"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1773998787",
            "to_ids": true,
            "type": "vhash",
            "uuid": "4f48c252-8477-4c84-a6ce-adf9ed1c0cf0",
            "value": "047076655d1d1d05656az9e!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1773998787",
            "to_ids": true,
            "type": "filename",
            "uuid": "cdbf6b0b-cd8e-49ba-9b21-d744beab59ca",
            "value": "VeraCrypt Setup.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/03/2026\nLast scan: 20/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1773998787",
            "to_ids": false,
            "type": "text",
            "uuid": "1d0f2d6c-a986-4d42-9f7d-770ba8ad93fa",
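            "value": "VeraCrypt Installer\r\nType Description: Win32 EXE\nMicrosoft: None\nVT Total Detection: 0/71\nFirst Submission: 2025-05-30T04:08:20.000000+00:00\nLast Submission: 2026-03-20T09:10:26.000000+00:00\nNote: with 0/71 detections this may be an unmodified legitimate installer, so a hash match alone does not indicate compromise."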
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774001531",
        "uuid": "aec40d69-014f-4eb2-a436-7618eb112010",
        "Attribute": [
          {
            "category": "Payload delivery",
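            "comment": "NetBird Installer (NetBird is used by the group for tunneling per this event's description; no vendor detections, so a hash match may also be a legitimate install)",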
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1774001531",
            "to_ids": true,
            "type": "md5",
            "uuid": "bd67ecca-59b3-4ba6-93bc-afeb1953d537",
            "value": "3dfb151d082df7937b01e2bb6030fe4a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "NetBird Installer",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1773999169",
            "to_ids": true,
            "type": "sha1",
            "uuid": "18b04122-7cc2-4709-852f-b8b231360d78",
            "value": "b810dd8727c81aca93e6f7ce1bf1afb6d44802e9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "NetBird Installer",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1773999169",
            "to_ids": true,
            "type": "sha256",
            "uuid": "625ef42d-a638-4da8-9762-6e5f7e776dd5",
            "value": "d969ff9fe6099db8f6ef3977a849b1757aa221669387eb29a2c6c0ce4b4abe70",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1773998832",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "4ddf45d4-b571-44d0-b248-525277d5fd87",
            "value": "786432:BY9eYd//kqE56oHcvoOppDB0B0kodbCc9eom3mK89dJpcOW:BeDt/kj697pDq0SSJm5+dvcJ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1773998832",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "6af6ec63-9466-41b1-b509-f610950d37a4",
            "value": "31791136"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1773998832",
            "to_ids": true,
            "type": "vhash",
            "uuid": "bae5aecf-f666-4304-bcd3-aa85778ed836",
            "value": "037056655d1c0510c043z800417z57z52z4gz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1773998832",
            "to_ids": true,
            "type": "filename",
            "uuid": "5432d2c2-af2e-489b-8255-1fb0b83e1db4",
            "value": "f_00070f"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/03/2026\nLast-scan\t:  20/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1773998832",
            "to_ids": false,
            "type": "text",
            "uuid": "34a0e247-940b-4d6a-8402-0d2c1e3baef8",
            "value": "NetBird Installer\r\nType Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:0/71\nFirst Submission:2026-03-09T20:41:24.000000+00:00\nLast Submission:2026-03-11T07:26:24.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774001553",
        "uuid": "74a95f3b-93f6-4d0a-af62-239554911ed2",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "NetBird",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1774001553",
            "to_ids": true,
            "type": "md5",
            "uuid": "74e72341-2728-40dc-9d89-0661faf131db",
            "value": "e035c858c1969cffc1a4978b86e90a30",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "NetBird",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1773999170",
            "to_ids": true,
            "type": "sha1",
            "uuid": "82a84d9c-23ad-4611-a039-b3971e1cd2a6",
            "value": "b9930eda0091790c563226549e734a903e1baf7c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "NetBird",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1773999170",
            "to_ids": true,
            "type": "sha256",
            "uuid": "2a89d9c0-07d6-4d11-9996-fcb032b0d464",
            "value": "1ab1586975779b7d1ce09315b1312b939a194de6df7c5e92aea4f963835f7b08",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1773998876",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "1262cd63-add4-4d6d-a403-b5c599b42942",
            "value": "393216:5DOwbtgyVIq3EFqoi8rFoUIOrGB3Zdp1uPGiSPWw1JLs:5Dpbtgy2q3/OrGVfp1uVS+w1O"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1773998876",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "58d674f5-e26d-470f-96e6-e5df86f699a9",
            "value": "39745688"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1773998876",
            "to_ids": true,
            "type": "vhash",
            "uuid": "03fc8ae8-117e-4cc5-8a2e-1565036c8b62",
            "value": "037076655d656d051557zd0049hz42z5ez16"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1773998876",
            "to_ids": true,
            "type": "filename",
            "uuid": "75dcd779-16e3-45b3-b425-6ac5ea8acf02",
            "value": "netbird-ui.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/03/2026\nLast-scan\t:  20/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1773998876",
            "to_ids": false,
            "type": "text",
            "uuid": "c1235cbf-2252-4954-a298-d239542b47b1",
            "value": "NetBird\r\nType Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:1/71\nFirst Submission:2026-03-09T20:42:43.000000+00:00\nLast Submission:2026-03-10T10:07:18.000000+00:00"
          }
        ]
      }
    ]
  }
}