{
  "Event": {
    "analysis": "1",
    "date": "2026-05-11",
    "extends_uuid": "",
    "info": "[Threat Intel] Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware",
    "protected": false,
    "publish_timestamp": "1779547057",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1779547057",
    "uuid": "c9a7d245-784e-435c-8a24-809ff55ecb70",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#60bffd",
        "local": false,
        "name": "misp-galaxy:producer=\"The DFIR Report\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#aff0ae",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Permission Groups Discovery - T1069\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#7eb739",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Msiexec - T1218.007\"",
        "relationship_type": ""
      },
      {
        "colour": "#bce57a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Web Service - T1567\"",
        "relationship_type": ""
      },
      {
        "colour": "#e00500",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Access Tools - T1219\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#041edc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"SMB/Windows Admin Shares - T1021.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Clear Windows Event Logs - T1070.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#07ff3c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#36a9d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Account Discovery - T1087\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Domain Trust Discovery - T1482\"",
        "relationship_type": ""
      },
      {
        "colour": "#3780c6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#36d931",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\"",
        "relationship_type": ""
      },
      {
        "colour": "#02475d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#3970d7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\"",
        "relationship_type": ""
      },
      {
        "colour": "#370063",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#b9e5c8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"NTDS - T1003.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#f9fe8d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Kerberoasting - T1558.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#297c25",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Inhibit System Recovery - T1490\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"EtherRAT\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:ransomware=\"the gentlemen\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"Ransomware\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      },
      {
        "colour": "#220082",
        "local": false,
        "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778583609",
        "to_ids": false,
        "type": "link",
        "uuid": "be57d025-29c3-4f04-930f-19b3cc31caba",
        "value": "https://thedfirreport.com/2026/05/11/flash-alert-etherrat-and-tuktuk-c2-end-in-the-gentleman-ransomware/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778583609",
        "to_ids": false,
        "type": "text",
        "uuid": "ef4a09e5-53a9-4cfb-8fc2-c7d0b8ef61ab",
        "value": "An intrusion was observed in April 2026 in which threat actors deployed EtherRAT malware through a malicious MSI installer disguised as a Sysinternals tool. The malware used the Ethereum blockchain (EtherHiding) to retrieve dynamic C2 configuration updates. Following reconnaissance, the actors deployed the TukTuk malware framework via DLL sideloading against legitimate applications such as Greenshot and SyncTrayzor. TukTuk established C2 channels over SaaS platforms including ClickHouse and Supabase, with backup channels via Ably, Dropbox, and GitHub Issues. The actors performed Kerberoasting, credential theft via Mimikatz and LSASS dumping, and deployed GoTo Resolve RMM tooling for lateral movement. Data was exfiltrated to Wasabi cloud storage using Rclone before The Gentlemen ransomware was deployed domain-wide through a malicious GPO. The intrusion relied on blockchain infrastructure, SaaS platforms and decentralized services to evade traditional network defenses; as a consequence, several of the network indicators in this event sit on shared or ephemeral third-party infrastructure (trycloudflare.com quick tunnels, SaaS tenant hostnames, public RPC/gateway domains) and should be validated before being used for blocking rather than detection."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778583609",
        "to_ids": false,
        "type": "text",
        "uuid": "47f75870-3be7-4632-b2e4-798d7cabbd72",
        "value": "Name: Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware\nAuthor: AlienVault\nAdversary: \nTags: [\"kerberoasting\", \"ethereum\", \"mimikatz\", \"cve-2025-55182\", \"netexec\", \"the gentlemen ransomware\", \"saas abuse\", \"tuktuk\", \"the gentlemen\", \"rclone\", \"dll sideloading\", \"blockchain c2\", \"etherrat\"]\nTgtd countries: []\nMlwr families: [\"EtherRAT\", \"TukTuk\", \"The Gentlemen\", \"Mimikatz\", \"NetExec\", \"Rclone\"]\nAttack_ids: [\"T1069\", \"T1082\", \"T1218.007\", \"T1567\", \"T1219\", \"T1055\", \"T1021.002\", \"T1070.001\", \"T1003.001\", \"T1087\", \"T1482\", \"T1204\", \"T1059.001\", \"T1547.001\", \"T1566\", \"T1027\", \"T1486\", \"T1059.003\", \"T1018\", \"T1021.001\", \"T1003.003\", \"T1558.003\", \"T1490\"]\nIndustries: []"
      },
      {
        "category": "External analysis",
        "comment": "Role of this CVE in the intrusion is not described in the summary or description above; it is carried over from the OTX tag list. Verify against the source report before treating it as the initial access vector.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778583609",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "5eac726a-ca5c-4d0a-8c9c-0879fb43e50c",
        "value": "CVE-2025-55182"
      },
      {
        "category": "Network activity",
        "comment": "NOTE(review): appears to be a shared public gateway domain rather than actor-owned infrastructure; with to_ids=true it is likely to match legitimate traffic. Consider alert-only handling and confirm its role against the source report.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778978003",
        "to_ids": true,
        "type": "domain",
        "uuid": "fa482bb5-4248-4abb-a4f6-02fea8cb4aee",
        "value": "g8way.io",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778978024",
        "to_ids": true,
        "type": "hostname",
        "uuid": "376b6ab5-03d0-4d6f-971e-52c58080e7ff",
        "value": "witch-skins-lip-coal.trycloudflare.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample found in VirusTotal, Tria.ge or MalwareBazaar\r\nLast check: 2026-05-17",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779547048",
        "to_ids": true,
        "type": "md5",
        "uuid": "2056dbf6-894d-4120-8363-1b2ee62d5c33",
        "value": "77fbe265fd65c7f7b6d323fb6de6a4fd",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample found in VirusTotal, Tria.ge or MalwareBazaar\r\nLast check: 2026-05-17",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779547049",
        "to_ids": true,
        "type": "md5",
        "uuid": "46a7d7a7-b604-4fd2-b3dc-4667bbd0613c",
        "value": "b188fbc6ff5557767e73e4c883a553a3",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample found in VirusTotal, Tria.ge or MalwareBazaar\r\nLast check: 2026-05-17",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779547051",
        "to_ids": true,
        "type": "sha1",
        "uuid": "23633ac1-8271-4e1c-aa19-3ca4a4353683",
        "value": "114ec028a3fc4ed50056ee8166b0c39acff6ff03",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample found in VirusTotal, Tria.ge or MalwareBazaar\r\nLast check: 2026-05-17",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779547053",
        "to_ids": true,
        "type": "sha1",
        "uuid": "8de10b92-a063-41ef-b695-d139c9dd8a5c",
        "value": "aa9218994798ae31a19d3e7e39cfac2e2ee55840",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample found in VirusTotal, Tria.ge or MalwareBazaar\r\nLast check: 2026-05-17",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779547055",
        "to_ids": true,
        "type": "sha256",
        "uuid": "22f572b9-cf22-41bc-a8ca-0d67aa1f2c45",
        "value": "1795eacd2c58894ccdd6be8854fe6456c3b069a3a873432343b57b475b256aee",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample found in VirusTotal, Tria.ge or MalwareBazaar\r\nLast check: 2026-05-17",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779547057",
        "to_ids": true,
        "type": "sha256",
        "uuid": "129c660c-bfba-4d52-8113-0ecaa723b2f3",
        "value": "2d4b4bb18b8445e49eeda571982874403befcecf78266e3d405f6529d98bee46",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778978045",
        "to_ids": true,
        "type": "url",
        "uuid": "bc064d84-82d7-407d-9b65-e310fdc4925c",
        "value": "https://afford-effect-construct-tricks.trycloudflare.com",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778978066",
        "to_ids": true,
        "type": "url",
        "uuid": "67292585-3e0d-4a5f-9efb-8ff9b7b4efa8",
        "value": "https://entered-medications-motherboard-advanced.trycloudflare.com",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778978087",
        "to_ids": true,
        "type": "url",
        "uuid": "692b1639-789f-4817-adef-48f4a70128f9",
        "value": "https://fields-pct-easier-vancouver.trycloudflare.com",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778978108",
        "to_ids": true,
        "type": "url",
        "uuid": "3cb2cd86-8fc9-4ce1-b10b-fa718d4f5feb",
        "value": "https://howto-tar-naturals-coordination.trycloudflare.com",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778978128",
        "to_ids": true,
        "type": "url",
        "uuid": "9e9afe1f-37a1-46b1-b5b3-461e26a102bb",
        "value": "https://mode-exit-legendary-trusted.trycloudflare.com",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778978149",
        "to_ids": true,
        "type": "url",
        "uuid": "c6fb397d-bc4b-46cd-b006-12e80292e952",
        "value": "https://rapids-lil-lending-charleston.trycloudflare.com",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778978170",
        "to_ids": true,
        "type": "url",
        "uuid": "3bdecff5-4431-4e58-9898-ac20a6ed99e7",
        "value": "https://seasonal-estimation-heating-necessarily.trycloudflare.com",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778978191",
        "to_ids": true,
        "type": "url",
        "uuid": "a9ff2ea0-d6a0-40ce-b067-303003daad21",
        "value": "https://walt-messaging-affairs-occurring.trycloudflare.com",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778978212",
        "to_ids": true,
        "type": "url",
        "uuid": "134a91cb-ac86-4757-9d23-5c50e733f8ab",
        "value": "https://when-architectural-cdna-faster.trycloudflare.com",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778978233",
        "to_ids": true,
        "type": "url",
        "uuid": "e2a5d402-2e7e-445d-8d98-782b87d9b0fe",
        "value": "https://witch-skins-lip-coal.trycloudflare.com",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778978254",
        "to_ids": true,
        "type": "url",
        "uuid": "db97bc7b-c008-4f1b-a65a-1e335ef6a1d9",
        "value": "https://workshop-lighting-protective-customs.trycloudflare.com",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778978275",
        "to_ids": true,
        "type": "domain",
        "uuid": "9567ef31-9760-4a40-ae89-0a4bd3c8e81b",
        "value": "borjumaniya.store",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778978296",
        "to_ids": true,
        "type": "hostname",
        "uuid": "cd33767d-fb24-4442-9f2a-6228b99f3d1f",
        "value": "afford-effect-construct-tricks.trycloudflare.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778978318",
        "to_ids": true,
        "type": "hostname",
        "uuid": "cb4c9426-561f-415f-bbc1-5b4ecd81f6bc",
        "value": "entered-medications-motherboard-advanced.trycloudflare.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778978339",
        "to_ids": true,
        "type": "hostname",
        "uuid": "d5e0efc1-567d-4d3e-9ff5-aa3f41049c54",
        "value": "fields-pct-easier-vancouver.trycloudflare.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778978360",
        "to_ids": true,
        "type": "hostname",
        "uuid": "bf564418-74f5-4a85-9b01-87c8a59e331e",
        "value": "howto-tar-naturals-coordination.trycloudflare.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778978381",
        "to_ids": true,
        "type": "hostname",
        "uuid": "96603b5c-673c-4689-9365-2b0e704ac277",
        "value": "k135neflez.westus3.azure.clickhouse.cloud",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778978402",
        "to_ids": true,
        "type": "hostname",
        "uuid": "5a701689-e0fd-4867-a99f-ea47b9462413",
        "value": "mode-exit-legendary-trusted.trycloudflare.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778978424",
        "to_ids": true,
        "type": "hostname",
        "uuid": "49d134fe-267c-47dd-9318-b5130c3499ed",
        "value": "rapids-lil-lending-charleston.trycloudflare.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778978445",
        "to_ids": true,
        "type": "hostname",
        "uuid": "df6e783c-0fff-4113-9b74-9887536e9f24",
        "value": "seasonal-estimation-heating-necessarily.trycloudflare.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778978466",
        "to_ids": true,
        "type": "hostname",
        "uuid": "27f2c318-08e5-468e-b8fe-840aa7dac233",
        "value": "vngz3ntdrb.us-east1.gcp.clickhouse.cloud",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778978487",
        "to_ids": true,
        "type": "hostname",
        "uuid": "ac064e6c-2394-4410-8b5b-09b8916313c4",
        "value": "walt-messaging-affairs-occurring.trycloudflare.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778978508",
        "to_ids": true,
        "type": "hostname",
        "uuid": "2fa15519-0f17-4863-8616-d2e69fb6f36f",
        "value": "when-architectural-cdna-faster.trycloudflare.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778978529",
        "to_ids": true,
        "type": "hostname",
        "uuid": "781c9e20-2a79-4204-9c92-9c8e671d4780",
        "value": "workshop-lighting-protective-customs.trycloudflare.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "NOTE(review): appears to be a shared public blockchain RPC endpoint (consistent with the EtherHiding C2 configuration retrieval described above) rather than actor-owned infrastructure; with to_ids=true it is likely to match legitimate traffic. Consider alert-only handling and confirm against the source report.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778978550",
        "to_ids": true,
        "type": "domain",
        "uuid": "a4ff05c3-dca0-4e34-8929-e7d229806917",
        "value": "1rpc.io",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778978571",
        "to_ids": true,
        "type": "hostname",
        "uuid": "5d5f169e-e848-40bd-b5e8-44dd54d834ba",
        "value": "vefbdzzuaadnascpeqcn.supabase.co",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778978593",
        "to_ids": true,
        "type": "hostname",
        "uuid": "774ce196-e782-4e98-9ea9-9523e9b1cb32",
        "value": "muurfzqprzmdkzoibxaz.supabase.co",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778978614",
        "to_ids": true,
        "type": "hostname",
        "uuid": "e4148c18-599a-4ef2-9b12-1ece374a35d4",
        "value": "ep-lively-cherry-a80bmwii.eastus2.azure.neon.tech",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779547038",
        "uuid": "b4fc2085-b54d-44d1-afb8-8b0ed3cbdf8f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "RAMMap.msi (Initial Access)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779547038",
            "to_ids": true,
            "type": "md5",
            "uuid": "957f1583-fff2-43f1-b454-3eb3d04d3de1",
            "value": "73ce2438d4ed475e03727b7b000d2794",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "RAMMap.msi (Initial Access)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779547038",
            "to_ids": true,
            "type": "sha1",
            "uuid": "867381dc-566a-40d8-ae2e-b4409df66235",
            "value": "3d5ee8429ef00824c0351cba507dfeb92b54f83b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "RAMMap.msi (Initial Access)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779547038",
            "to_ids": true,
            "type": "sha256",
            "uuid": "59b8d48f-1d3c-4e21-8076-cccf158b3c68",
            "value": "d9487fdc097f770e5661f9e5dee130068cb179d33716abff1a21c8cb901f25a6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778971154",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "1ea25f6e-f60d-4ac4-b60c-333630ba9db7",
            "value": "768:Sm/WjwJC1oRRXWxV/jpRJeWMbC9qZN/nq:k1oRRXWnpbob6r"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778971154",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "19edce80-4512-459c-814c-221ef59a508f",
            "value": "29184"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778971154",
            "to_ids": true,
            "type": "vhash",
            "uuid": "4f1759db-4a32-4c7b-a614-05330ca9af67",
            "value": "ba151a36b5229126cd8a0e26f5d18ec0"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778971154",
            "to_ids": true,
            "type": "filename",
            "uuid": "9823a99b-5aac-4b18-a7e1-e6cd8c55c8e6",
            "value": "d9487fdc097f770e5661f9e5dee130068cb179d33716abff1a21c8cb901f25a6.msi"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/05/2026\nLast-scan\t:  14/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778971154",
            "to_ids": false,
            "type": "text",
            "uuid": "af20792c-9f24-44fc-bbdb-addfc9450998",
            "value": "RAMMap.msi (Initial Access)\r\nType Description: %WINDIR%\\Installer\nMicrosoft: Trojan:Win32/Yomal!rfn\nVT Total Detection:28/61\nFirst Submission:2026-04-24T15:01:05.000000+00:00\nLast Submission:2026-04-28T04:32:52.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779547041",
        "uuid": "7c9773ac-1c06-4f11-a1d8-83eb685795f2",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779547040",
            "to_ids": true,
            "type": "md5",
            "uuid": "fec6520f-a6fe-4a0b-87f4-e1e2bbed2fff",
            "value": "b2d51212744f404714fd909e87254d98",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779547040",
            "to_ids": true,
            "type": "sha1",
            "uuid": "9fdf2af2-ad06-4d27-88f0-f12bee8078be",
            "value": "c98ee41f09ae079a5643626f57eb84f92205bb2b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779547041",
            "to_ids": true,
            "type": "sha256",
            "uuid": "24bf4954-d91a-43ba-9910-62878d46362f",
            "value": "8c2665adf8bfab65463f2a9bd1b7bb0231de3f5c1e6a2e51479e44aaac2e7bf0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778971218",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "88f51b66-d33c-4226-9ee5-6b74a328e8b3",
            "value": "24:gCgJxWZ2YduD0SRoLuqk1ASZBEnASSRASatr/Z8anupakS0RWqTvFr/Z8aua3KG/:sJxWZ2YdKfRoLuqk1EWAtl8aCakS0RWq"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778971218",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "afb0bf9e-ad4f-4cea-9e4c-08c601df2f2f",
            "value": "1357"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778971218",
            "to_ids": true,
            "type": "filename",
            "uuid": "6243b1dc-28e5-48a9-a877-7df3e17ae52e",
            "value": "EG61CIQnLiDW"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/05/2026\nLast-scan\t:  14/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778971218",
            "to_ids": false,
            "type": "text",
            "uuid": "08bfc730-d913-4d23-8bfb-bb5165447fdb",
            "value": "Type Description: DOS batch file\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:9/62\nFirst Submission:2026-05-12T01:25:28.000000+00:00\nLast Submission:2026-05-12T01:25:28.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779547043",
        "uuid": "60926dbc-7c0b-4207-afc2-bdd7294356e9",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779547043",
            "to_ids": true,
            "type": "md5",
            "uuid": "862d007f-8dee-4092-aa6d-38ff73c996ab",
            "value": "c92cf9a1af5b1fe25cdcb8771ce52be4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779547043",
            "to_ids": true,
            "type": "sha1",
            "uuid": "ef7a4533-a000-45d2-bec7-71ddd87ff937",
            "value": "b44c8084b88d31113ee51758740eb84c251bdae8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779547043",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f728c0a3-8370-4737-bf57-68c9e24744e7",
            "value": "4142d5efd4ea2abab77f2f0a917610e2ff976bf9e19d7ad1e9156eccdc5412db",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778971239",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "7b4de4a1-e5f1-4676-9fc9-a419f429500e",
            "value": "96:Xmxf6MwDMsevIK8UC6Dlg1UUVLfZPIJuSZvCIHfv/lk:u6M2MsxZu70L/kCI/vC"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778971239",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "58648085-8449-43a4-a77a-e52776b78e5d",
            "value": "4654"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778971239",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d0add0d9-2fa7-4123-b571-c28797281a98",
            "value": "e3c63a4fc2aa8681eaaca8d7d999cd40"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778971239",
            "to_ids": true,
            "type": "filename",
            "uuid": "7c222d0d-63cc-4d82-8288-0908a712a013",
            "value": "r_624k6i0Ucp"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/05/2026\nLast-scan\t:  14/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778971239",
            "to_ids": false,
            "type": "text",
            "uuid": "77dba8fc-3eb2-4d30-85ce-89fa6d068138",
            "value": "Type Description: JavaScript\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:24/62\nFirst Submission:2026-04-27T21:01:33.000000+00:00\nLast Submission:2026-04-27T21:01:33.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779547046",
        "uuid": "c26a246e-562d-442f-8944-e1dc6a925c73",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779547045",
            "to_ids": true,
            "type": "md5",
            "uuid": "1b376f08-5105-47d6-8f24-00f37532223e",
            "value": "f985b8d6d635c266fc4779dad77aa75c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779547046",
            "to_ids": true,
            "type": "sha1",
            "uuid": "eb4afee6-d08e-49e6-83f1-15f601a39e3d",
            "value": "ba80d7b038758a129861e1e498e462cc3d68ae20",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779547046",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f7244a84-0381-44ba-9089-22bd0b6423d8",
            "value": "19021e53b9929fdf4b7d0e0707434d56bb73c1a9b7403c8837b44d1c417198dc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778971261",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "947aed8f-e849-497a-b1e4-5c89ee6109bc",
            "value": "3072:aKYPMV1h3jSteEEE5TjtbHOttnLvTXFF9a3X2CGlRq992xKsqur4N0:aKY61yjtittjAGy98"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778971261",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "9fca0aa1-e661-40fb-91c9-d81d6063b447",
            "value": "156672"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778971261",
            "to_ids": true,
            "type": "vhash",
            "uuid": "ff5e38c1-1e8e-4324-940b-cd6131b495af",
            "value": "315036551512309c8c5064832"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778971261",
            "to_ids": true,
            "type": "filename",
            "uuid": "c66bfb25-b278-4adb-8837-81a6ed363a0e",
            "value": "log4net.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778971261",
            "to_ids": false,
            "type": "text",
            "uuid": "4ef0ec39-c05a-4322-8f1a-371d3a6c5aeb",
            "value": "Type Description: Win32 DLL\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:18/71\nFirst Submission:2026-04-29T20:46:08.000000+00:00\nLast Submission:2026-04-29T20:46:08.000000+00:00"
          }
        ]
      }
    ]
  }
}