{
  "Event": {
    "analysis": "1",
    "date": "2026-03-19",
    "extends_uuid": "",
    "info": "[Threat Intel] How a Tax Search Leads to Kernel-Mode AV/EDR Kill",
    "protected": false,
    "publish_timestamp": "1775245824",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1775245824",
    "uuid": "cc6de75b-db6a-40cb-b025-0b46d3b5ce97",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#8f20d0",
        "local": false,
        "name": "misp-galaxy:producer=\"Huntress\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#177fb7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Rundll32 - T1218.011\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#07ff3c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#9f6bd9",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"",
        "relationship_type": ""
      },
      {
        "colour": "#1cbe6b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Virtualization/Sandbox Evasion - T1497\"",
        "relationship_type": ""
      },
      {
        "colour": "#ff7546",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Kernel Modules and Extensions - T1547.006\"",
        "relationship_type": ""
      },
      {
        "colour": "#e43954",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#02475d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#3c0f50",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#5884a7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious Link - T1204.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#37c019",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Cloud Accounts - T1078.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Local Accounts - T1078.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#3500ca",
        "local": false,
        "name": "rectifyq:detection-rules=\"yara-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774004430",
        "to_ids": false,
        "type": "link",
        "uuid": "85338faf-d066-49bb-8d62-bd08fbaa4d3a",
        "value": "https://www.huntress.com/blog/w2-malvertising-to-kernel-mode-edr-kill"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774004430",
        "to_ids": false,
        "type": "text",
        "uuid": "fe2d7a04-1c70-4398-abdd-50a327667cb9",
        "value": "A large-scale malvertising campaign targeting U.S. tax form searchers has been uncovered. The attack chain begins with Google Ads, using two commercial cloaking services to evade detection. Victims are directed to rogue ScreenConnect installers, leading to a multi-stage crypter that ultimately deploys a BYOVD (Bring Your Own Vulnerable Driver) tool. This tool, named HwAudKiller, exploits a previously undocumented Huawei audio driver to terminate antivirus and EDR processes from kernel mode. What makes the campaign notable is its reliance on commodity tools and services: free-tier ScreenConnect instances, off-the-shelf crypters, and a signed driver with an exploitable weakness. The attackers consistently deploy multiple remote access tools on compromised hosts for redundancy, indicating a likely pre-ransomware or initial access broker operation."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774004430",
        "to_ids": false,
        "type": "text",
        "uuid": "b28b1ea7-673a-4bcd-ae3f-4cccda3bdfc6",
        "value": "Name: How a Tax Search Leads to Kernel-Mode AV/EDR Kill\nAuthor: AlienVault\nAdversary: \nTags: [\"screenconnect\", \"cloaking\", \"malvertising\", \"google ads\", \"hwaudkiller\", \"edr evasion\", \"byovd\", \"fatmalloc\", \"kernel driver\", \"tax lure\"]\nTgtd countries: []\nMlwr families: [\"HwAudKiller\", \"FatMalloc\"]\nAttack_ids: [\"T1218.011\", \"T1082\", \"T1055\", \"T1003.001\", \"T1016\", \"T1497\", \"T1547.006\", \"T1562.001\", \"T1027\", \"T1059.003\", \"T1027.002\", \"T1204.001\", \"T1078.004\", \"T1078.003\"]\nIndustries: []"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check: 04/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775237427",
        "to_ids": true,
        "type": "sha1",
        "uuid": "ee82e8c5-b886-456d-a939-f8f0a6a69472",
        "value": "0ded1a1eabec8ae0ffb0b512871e7b545878437a",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check: 04/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775237428",
        "to_ids": true,
        "type": "sha256",
        "uuid": "9e3b2d77-a0eb-420d-aa20-3ac940e63be2",
        "value": "0821661e715fe64bb39f4fece277737a48fd6839edd40ec8a4a39bf04cea8524",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check: 04/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775237429",
        "to_ids": true,
        "type": "sha256",
        "uuid": "ae3e5ac8-c0aa-494b-bfaf-67ce6507f01c",
        "value": "28278b8c85c832417f9860fe8ea3ddbb9ff1d5860317db4813227a3a52b7c7cc",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check: 04/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775237430",
        "to_ids": true,
        "type": "sha256",
        "uuid": "66c76e4b-b828-4026-ad07-79998d6adff2",
        "value": "2b409a265f571dccde6ef4860831c1b03d5418d1951f97925315dc5b0891da04",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775239515",
        "to_ids": true,
        "type": "url",
        "uuid": "b826bc80-9cfc-4828-b2df-f3e796531f20",
        "value": "http://anukitax.com/forminw9/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775239537",
        "to_ids": true,
        "type": "url",
        "uuid": "844d8349-5933-4f66-8b97-618d76fe98b7",
        "value": "http://bringetax.com/humu/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775239558",
        "to_ids": true,
        "type": "url",
        "uuid": "08ad93ef-7c97-42ca-ac56-9a5f87235dda",
        "value": "http://grinvan.com/vims/browser/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775239579",
        "to_ids": true,
        "type": "url",
        "uuid": "6ef93c3d-5c11-4cef-995c-dbf43f6021ff",
        "value": "http://rpc.adspect.net/v2/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775239600",
        "to_ids": true,
        "type": "url",
        "uuid": "1ab49bd7-66cc-4c23-8811-bb0214d92cf8",
        "value": "https://jcibj.com/pcl.php",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775239621",
        "to_ids": true,
        "type": "domain",
        "uuid": "39c9127e-400f-44dc-86fc-11cc084d31f0",
        "value": "anukitax.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775239643",
        "to_ids": true,
        "type": "domain",
        "uuid": "3c4fb228-bf96-4208-bd4a-33bcfc8413ac",
        "value": "bjtrck.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775239664",
        "to_ids": true,
        "type": "domain",
        "uuid": "82fe7494-8e20-4a17-a6e8-13a51fbe3589",
        "value": "bringetax.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775239685",
        "to_ids": true,
        "type": "domain",
        "uuid": "55eea46b-ebe3-4b00-a2e1-6a6a40817b6a",
        "value": "fioclouder.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775239706",
        "to_ids": true,
        "type": "domain",
        "uuid": "139113fd-ad82-4579-9422-0589e1f28738",
        "value": "friugrime.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775239727",
        "to_ids": true,
        "type": "domain",
        "uuid": "da520b4c-f07a-44fc-9a18-57e29ef0b06a",
        "value": "grinvan.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775239749",
        "to_ids": true,
        "type": "domain",
        "uuid": "3817c5c7-3278-4994-bd85-a4b90484eabe",
        "value": "gripsmonga.sbs",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775239770",
        "to_ids": true,
        "type": "hostname",
        "uuid": "0f8237a8-73cd-4f91-90a4-12fcd3fc92ee",
        "value": "cdn.justcloakit.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775239791",
        "to_ids": true,
        "type": "hostname",
        "uuid": "6f8c2ea7-3ebe-445a-af30-8f5229f79c4b",
        "value": "client.justcloakit.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775239812",
        "to_ids": true,
        "type": "hostname",
        "uuid": "8c4ac487-d408-468b-82b4-8380ba8a5727",
        "value": "rpc.adspect.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775239833",
        "to_ids": true,
        "type": "url",
        "uuid": "95392c88-2c0b-4b55-9088-97fe6d7ab412",
        "value": "grinvan.com/vims/browser/",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775239854",
        "to_ids": true,
        "type": "hostname",
        "uuid": "1dfe27ff-7cb9-4dbb-9a49-b67496fa85c5",
        "value": "instance-itsd8c-relay.screenconnect.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775239875",
        "to_ids": true,
        "type": "hostname",
        "uuid": "69a181ee-4d11-4f1a-a24a-a1f3c4f9d002",
        "value": "instance-sl1mb9-relay.screenconnect.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775239897",
        "to_ids": true,
        "type": "hostname",
        "uuid": "71735ee5-e44d-445c-91fb-5a06f5def847",
        "value": "instance-t5sady-relay.screenconnect.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775239918",
        "to_ids": true,
        "type": "hostname",
        "uuid": "8d347764-ad99-479e-9abe-29e7ad0035fd",
        "value": "instance-vdquvd-relay.screenconnect.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775239939",
        "to_ids": true,
        "type": "hostname",
        "uuid": "02946a49-0df7-4177-ab49-f543d5beaefc",
        "value": "instance-gcfox6-relay.screenconnect.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775239960",
        "to_ids": true,
        "type": "hostname",
        "uuid": "42317349-d915-4b0e-baa7-77465f9983c9",
        "value": "instance-zichgu-relay.screenconnect.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775239984",
        "to_ids": true,
        "type": "domain",
        "uuid": "2d344fca-7070-4be7-97fe-8428d92dd4ac",
        "value": "jcibj.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1775234348",
        "uuid": "5b1146a3-9c75-4c62-b20e-4a01968f404b",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1775234348",
            "to_ids": false,
            "type": "text",
            "uuid": "abe860d2-6766-4069-9f90-5b1aa895cdb0",
            "value": "win_mal_FatMalloc"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1775234348",
            "to_ids": false,
            "type": "comment",
            "uuid": "8c1b8a83-3964-4422-9176-6ccf1b7e73cd",
            "value": "Detects FatMalloc Crypter"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1775234348",
            "to_ids": true,
            "type": "yara",
            "uuid": "70afee06-e304-46e0-82de-82b76cc4563c",
            "value": "rule win_mal_FatMalloc {\r\n    meta:\r\n        author = \"RussianPanda\"\r\n        description = \"Detects FatMalloc Crypter\"\r\n        date = \"3/16/2025\"\r\n\t\thash = \"8a4033425d36cd99fe23e6faef9764fbf555f362ebdb5b72379342fbbe4c5531\"\r\n    strings:\r\n        $s1 = {48 89 E8 48 8B 3C 24 48 8D 64 24 08 5E 5B 5D FF E0}\r\n        $s2 = {88 E3 32 1C 0E 88 5C 15 00}\r\n\t\t$s3 = \"timeSetEvent\"\r\n    condition:\r\n        uint16(0) == 0x5A4D and all of ($s*)\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1775234362",
        "uuid": "bdb3280b-f989-414c-a145-3b57e8793e2d",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1775234362",
            "to_ids": false,
            "type": "text",
            "uuid": "87bd78ff-87a9-4ba6-80e4-36b009728f25",
            "value": "win_mal_HwAudKiller"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1775234362",
            "to_ids": false,
            "type": "comment",
            "uuid": "66ef4fe4-38be-46e5-99a8-143977b9065f",
            "value": "Detects HwAudKiller BYOVD AV/EDR killer"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1775234362",
            "to_ids": true,
            "type": "yara",
            "uuid": "0970d835-fd02-4637-bb5d-cb130ca5a7f8",
            "value": "rule win_mal_HwAudKiller {\r\n    meta:\r\n        author = \"RussianPanda\"\r\n        description = \"Detects HwAudKiller BYOVD AV/EDR killer \"\r\n        date = \"3/16/2025\"\r\n\t\thash = \"28278b8c85c832417f9860fe8ea3ddbb9ff1d5860317db4813227a3a52b7c7cc\"\r\n    strings:\r\n        $s1 = \"[+] Havoc Process Terminator\"\r\n        $s2 = \"sc create Havoc\"\r\n    condition:\r\n        uint16(0) == 0x5A4D and all of ($s*)\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775240005",
        "uuid": "347c976b-8cef-4711-8bea-8ca10b5b80cc",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775240005",
            "to_ids": true,
            "type": "md5",
            "uuid": "5f681a5d-f954-4539-a2bc-37efe6f017de",
            "value": "ecb1d69999a730760b3c5654920f0ef6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775237423",
            "to_ids": true,
            "type": "sha1",
            "uuid": "b1356563-0eab-4984-b564-157d1cca43fd",
            "value": "b4ddb0adf94e28b53e392900c5ff2f538616441b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775237423",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a1034bb6-92bf-4a1c-929e-56f0f4398ea1",
            "value": "8a4033425d36cd99fe23e6faef9764fbf555f362ebdb5b72379342fbbe4c5531",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775236015",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f690c63a-e378-4fe2-8e9d-d93c6cea51a6",
            "value": "6144:G9+6m01ZrYh4oEnZLWaAsRkA4w3RNo3Evm2Qk/A28ecH7sU+:EHrEOZqlQkApmeeecbsp"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775236015",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "25e834df-20dd-4c2b-b0f3-4cda5c57b5fb",
            "value": "277504"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775236015",
            "to_ids": true,
            "type": "vhash",
            "uuid": "04281d2f-6026-4be3-b06a-7f06ce658bdc",
            "value": "0250b76d7515551c0d1d1az3c2drz19z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775236015",
            "to_ids": true,
            "type": "filename",
            "uuid": "c816f15b-ae0d-44db-a332-1099c71f9131",
            "value": "2026-02-09_ecb1d69999a730760b3c5654920f0ef6_cobalt-strike_conti"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/04/2026\nLast-scan: 03/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775236015",
            "to_ids": false,
            "type": "text",
            "uuid": "e1c16c9c-c60e-4d9b-bed0-5c68bc543bfd",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:51/71\nFirst Submission:2026-02-08T03:27:24.000000+00:00\nLast Submission:2026-02-09T11:15:32.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775240027",
        "uuid": "a7f9aebb-8fda-49ca-9c0a-d9bfbb8a60c7",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775240027",
            "to_ids": true,
            "type": "md5",
            "uuid": "f3555268-b4aa-438c-8434-180c2fde8798",
            "value": "eef8a950952696b018aa9c6da2f5d7ad",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#2c2142",
                "local": false,
                "name": "false-positive:risk=\"high\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775237424",
            "to_ids": true,
            "type": "sha1",
            "uuid": "a7570af5-2d09-4ed6-9e99-b90da8f0dba3",
            "value": "1fa071303fb846308571e64727501fb98b1c2be6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#2c2142",
                "local": false,
                "name": "false-positive:risk=\"high\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775237424",
            "to_ids": true,
            "type": "sha256",
            "uuid": "172342a9-d0d8-4b94-8d86-b793bf3e0259",
            "value": "5abe477517f51d81061d2e69a9adebdcda80d36667d0afabe103fda4802d33db",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#2c2142",
                "local": false,
                "name": "false-positive:risk=\"high\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775236058",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "7c803aa5-2999-47ef-93dc-5a35795318a8",
            "value": "768:4vBHl9DiRieNDb8GpJH8iulH4cT/vNMuaxwRenN3mGVjfR7JKhLhn2KBUL:4v8pH7oLdReNWMzRdI2KBUL"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775236058",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "ffd63729-0b7a-4667-a315-2b3528104a2b",
            "value": "47240"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775236058",
            "to_ids": true,
            "type": "vhash",
            "uuid": "5843477c-58e9-43c6-ae68-bbeef10b84d2",
            "value": "044086651d151666551519z16z3exz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775236058",
            "to_ids": true,
            "type": "filename",
            "uuid": "aee10537-69b2-4a87-a4aa-05d69895318f",
            "value": "HWAuidoOs2Ec.sys"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/04/2026\nLast-scan: 03/04/2026\nNote: the filename attribute in this object (HWAuidoOs2Ec.sys) differs by one letter from the VT verdict filename (HWAudioOs2Ec.sys); filename-based matching should account for both spellings and rely on the hashes for identification.",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775236058",
            "to_ids": false,
            "type": "text",
            "uuid": "069dfaad-55b3-4726-927e-0aac7587f637",
            "value": "Type Description: Win32 EXE\nFile distributed by: ['Microsoft']\nData sources: ['HashDB']\nVerdict filename: ['HWAudioOs2Ec.sys']\nMicrosoft: None\nVT Total Detection:2/71\nFirst Submission:2022-01-14T06:23:32.000000+00:00\nLast Submission:2026-04-02T21:27:42.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775240048",
        "uuid": "b91694ff-6842-4b5e-8a04-f0920f19f663",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775240048",
            "to_ids": true,
            "type": "md5",
            "uuid": "02f67151-be89-4759-93a7-fb4de213cb70",
            "value": "fee81908c4a5a6ffce61a30a2e2d88ec",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775237425",
            "to_ids": true,
            "type": "sha1",
            "uuid": "03c9602c-53d7-49be-b005-0a8111a830f8",
            "value": "f3245ef6bf0da593011799cef036cc8b6596cefe",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775237425",
            "to_ids": true,
            "type": "sha256",
            "uuid": "64d16046-9187-4930-b856-33858a3e0bcf",
            "value": "033f42102362a8d8d4bdba870599eb5e0c893d8fd8dd4bc2a4b446cbbeb59b99",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775236080",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "aa3b7ea1-f77d-4670-a056-a5c83c74b55d",
            "value": "3072:YwXhwD1Z9ufg3K9Wt+8fdS4TRXeshFW/USZGiPWhO:ru5zKv+NReshTdiPWQ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775236080",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "46302248-fd3c-4dc4-b0db-54d4546b3b39",
            "value": "195072"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775236080",
            "to_ids": true,
            "type": "vhash",
            "uuid": "fb86a24b-7076-486f-9bb0-b89b2f9a4200",
            "value": "015076656d155d05555az51!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775236080",
            "to_ids": true,
            "type": "filename",
            "uuid": "239ed1d8-a0fc-454a-9421-157efac388c9",
            "value": "sf7ezm.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/04/2026\nLast-scan: 03/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775236080",
            "to_ids": false,
            "type": "text",
            "uuid": "5d67b790-7afd-43f1-ae8a-89b954259faa",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:37/71\nFirst Submission:2026-02-08T05:48:43.000000+00:00\nLast Submission:2026-02-08T05:48:43.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775240069",
        "uuid": "c91cc6d7-5a33-415d-b37c-667009bb235d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775240069",
            "to_ids": true,
            "type": "md5",
            "uuid": "bc42eeda-54fe-404d-b150-ddf12a6db902",
            "value": "568580a65609e9eafab40840e1c9c7c0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775237426",
            "to_ids": true,
            "type": "sha1",
            "uuid": "451ce711-3b29-4ad5-8983-b76e29d4a8a2",
            "value": "e7f8eb094d6f60a15b3bd57c0d836f8d54abb2d1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775237426",
            "to_ids": true,
            "type": "sha256",
            "uuid": "05fb3404-870e-4e36-bffc-6aa744a31367",
            "value": "7509365935fc1bfadba20656698d3a29051031635419043bc2bc45116106e026",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775236166",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "5415d443-5629-4c49-87a3-36c1604333ab",
            "value": "196608:tKaLNkbgki4QcKaLNkbgRKaLNkbgZKaLNkbg:BWgkiHyWg1Wg9Wg"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775236166",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "66fc465a-efeb-44ab-afe4-c2e614071a81",
            "value": "10072064"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775236166",
            "to_ids": true,
            "type": "vhash",
            "uuid": "dfea1d54-86ee-4b06-b8b1-5b29ae7cb4bc",
            "value": "45155b83172cd3ff230fec9025027227"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775236166",
            "to_ids": true,
            "type": "filename",
            "uuid": "3723da6c-d041-4dd7-9596-1f1672231068",
            "value": "form_w9.msi"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/04/2026\nLast-scan: 03/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775236166",
            "to_ids": false,
            "type": "text",
            "uuid": "eecf4670-7d45-4555-b15f-35d04ecab84b",
            "value": "Type Description: %WINDIR%\\Installer\nMicrosoft: None\nVT Total Detection:9/62\nFirst Submission:2026-01-13T18:32:54.000000+00:00\nLast Submission:2026-01-13T18:32:54.000000+00:00"
          }
        ]
      }
    ]
  }
}