{
  "Event": {
    "analysis": "1",
    "date": "2026-03-16",
    "extends_uuid": "",
    "info": "[Threat Intel] Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack",
    "protected": false,
    "publish_timestamp": "1774219617",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1774219616",
    "uuid": "f44ec846-5fdc-4d7f-9a56-0edd6ef6b248",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#717bc3",
        "local": false,
        "name": "misp-galaxy:producer=\"Trend Micro\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Archive via Utility - T1560.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#177fb7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Rundll32 - T1218.011\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Domain Account - T1087.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#9feaf0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
        "relationship_type": ""
      },
      {
        "colour": "#041edc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"SMB/Windows Admin Shares - T1021.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#657ac3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Protocol Tunneling - T1572\"",
        "relationship_type": ""
      },
      {
        "colour": "#fe1ef0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Shell - T1505.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#5affe5",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Remote Management - T1021.006\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e43954",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#6d779a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploitation for Privilege Escalation - T1068\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#36d931",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\"",
        "relationship_type": ""
      },
      {
        "colour": "#e12cbc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Non-Application Layer Protocol - T1095\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#370063",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#a64427",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"DCSync - T1003.006\"",
        "relationship_type": ""
      },
      {
        "colour": "#0add7f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#b8ab01",
        "local": false,
        "name": "misp-galaxy:target-information=\"United States\"",
        "relationship_type": ""
      },
      {
        "colour": "#5ed128",
        "local": false,
        "name": "misp-galaxy:target-information=\"Germany\"",
        "relationship_type": ""
      },
      {
        "colour": "#15cd0b",
        "local": false,
        "name": "misp-galaxy:target-information=\"Russia\"",
        "relationship_type": ""
      },
      {
        "colour": "#ce59f1",
        "local": false,
        "name": "misp-galaxy:target-information=\"United Kingdom\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:ransomware=\"warlock\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#10003d",
        "local": false,
        "name": "rectifyq:sub-category=\"TA-profile\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"Ransomware\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"MimiKatz\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773716423",
        "to_ids": false,
        "type": "link",
        "uuid": "d96232b6-2c3f-4835-8faa-a5574e6251b8",
        "value": "https://www.trendmicro.com/en_us/research/26/c/dissecting-a-warlock-attack.html"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773716423",
        "to_ids": false,
        "type": "text",
        "uuid": "8f7083ea-0f83-4611-910e-db697e29c8fe",
        "value": "The Warlock ransomware group has enhanced its attack chain with improved methods for persistence, lateral movement, and evasion. Their updated toolset includes TightVNC, Yuze, and a persistent BYOVD technique exploiting the NSec driver. The group's primary targets were technology, manufacturing, and government sectors, with the US, Germany, and Russia being the most affected countries. Warlock continues to exploit unpatched Microsoft SharePoint servers for initial access, and has expanded its post-exploitation toolkit. New additions include TightVNC for persistent remote access, Yuze for establishing SOCKS5 connections, and a BYOVD technique using the NSecKrnl.sys driver to terminate security products. The group also leverages Velociraptor, VS Code tunnels, and Cloudflare Tunnel for C&C communications."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773716423",
        "to_ids": false,
        "type": "text",
        "uuid": "4d848848-051b-40c2-a43c-04d6e19d0c3e",
        "value": "Name: Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack\nAuthor: AlienVault\nAdversary: Warlock\nTags: [\"yuze\", \"sharepoint\", \"cloudflare\", \"ransomware\", \"lateral movement\", \"tunneling\", \"velociraptor\", \"lockbit\", \"tightvnc\", \"byovd\"]\nTgtd countries: [\"United States of America\", \"Germany\", \"Russian Federation\", \"United Kingdom of Great Britain and Northern Ireland\"]\nMlwr families: [\"LockBit\"]\nAttack_ids: [\"T1560.001\", \"T1218.011\", \"T1087.002\", \"T1190\", \"T1021.002\", \"T1572\", \"T1505.003\", \"T1021.006\", \"T1059.001\", \"T1562.001\", \"T1068\", \"T1027\", \"T1486\", \"T1095\", \"T1105\", \"T1021.001\", \"T1003.006\", \"T1048.003\"]\nIndustries: [\"Technology\", \"Manufacturing\", \"Government\", \"Education\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773716423",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "3a5562ee-c2f1-44bf-9117-8617d898bcf8",
        "value": "Warlock"
      },
      {
        "category": "Payload delivery",
        "comment": "BYOVD AV Killer - no sample in VT\r\nLast check: 22/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774194762",
        "to_ids": true,
        "type": "sha256",
        "uuid": "a5906f6d-fc10-42ee-b9ab-69746a752c9e",
        "value": "9a3b6cf6aec6df3e5b43dc024d288d06ae03d2a909f188f38ba275a5ac6d3bf0",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "C&C Agent - no sample in VT\r\nLast check: 22/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774194763",
        "to_ids": true,
        "type": "sha256",
        "uuid": "ac806ba5-6121-4656-a279-9178b705590e",
        "value": "ef1b604bf2e2d598437d97af38cbed4e6dbdb3fde771eaaf8389b46c86391a0d",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774195049",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "4750df75-5142-44d7-a7be-db447c642bfd",
        "value": "198.13.158.193",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774195071",
        "to_ids": true,
        "type": "hostname",
        "uuid": "d96e3a82-6088-4325-a091-d8cedc1e1649",
        "value": "code.translatevv.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Velociraptor C&C",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774195092",
        "to_ids": true,
        "type": "url",
        "uuid": "9e27511f-0001-4aa0-b6ca-d85bfdb90005",
        "value": "http://auth.qgtxtebl.workers.dev",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "URL that downloads wssocks.exe",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774195114",
        "to_ids": true,
        "type": "url",
        "uuid": "6bc8e3bc-863d-455a-a5a3-b6355f891678",
        "value": "https://litter.catbox.moe/zqqxb3.txt",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "URL that downloads wssocks.exe",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774195136",
        "to_ids": true,
        "type": "url",
        "uuid": "4ce93346-cde5-4281-8d88-38b170070f3a",
        "value": "https://files.catbox.moe/wzsjlw.dll",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Attribution",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774191775",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "ccc0e623-aff0-44fb-8958-77a194c3a5b2",
        "value": "Water Manaul"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774195157",
        "to_ids": true,
        "type": "url",
        "uuid": "c848d48a-3712-4923-81b4-2e5057c834e9",
        "value": "https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-windows-amd64.msi",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Velociraptor C&C",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774195179",
        "to_ids": true,
        "type": "hostname",
        "uuid": "ee5e7cd5-f716-4c70-8ada-a0b602f0ae63",
        "value": "auth.qgtxtebl.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "URL that downloads wssocks.exe",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774195200",
        "to_ids": true,
        "type": "url",
        "uuid": "3b9c9a54-2607-43d8-b970-9f130cf62ad5",
        "value": "https://litter.catbox.moe/uaw2gm.txt",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774195222",
        "uuid": "e0e13da2-7732-4303-a2dd-38dfeb03509b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "CloudFlared Tunnel Client",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1774195222",
            "to_ids": true,
            "type": "md5",
            "uuid": "60f9c612-d301-4b7f-89fd-ebc542cdee3d",
            "value": "97e278049b68d1058938beb4c4acd833",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "CloudFlared Tunnel Client",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1774194755",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7366ee8c-b665-4bb6-a913-019ffa834c93",
            "value": "a4a21a0eef3f5a7d823db7ce1086fcab2dc211fd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "CloudFlared Tunnel Client",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1774194755",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b884fddc-e1d8-4fd5-b534-a13101308239",
            "value": "06142acc825e0d799d12ff0a03fd714b119c69dce868c98bb5def165b2425454",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1774193555",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d487acd3-dad7-4a59-9a37-501c8c6a0a16",
            "value": "393216:LZF4YHvLmRqGEJ3rOOZpLmjtLW+GwuysVTtNkd+ILL3teqCzoTwYSFG0Ep1vA3Lx:NFpHvLNJ3HLmRLW3WsVTMP/Dw/FGvp18"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1774193555",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "9bfb7844-f8b1-46dd-9e28-01b8660830a4",
            "value": "19831808"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1774193555",
            "to_ids": true,
            "type": "vhash",
            "uuid": "9685f47e-545c-4837-a386-f7edac008e26",
            "value": "62e323a53577e6d1b09085bdc676e603"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1774193555",
            "to_ids": true,
            "type": "filename",
            "uuid": "7e07468a-ba1b-4502-a276-a55878c5a18b",
            "value": "cloudflared-windows-amd64 (1).msi"
          },
          {
            "category": "Other",
            "comment": "Checked: 22/03/2026\nLast scan: 19/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1774193555",
            "to_ids": false,
            "type": "text",
            "uuid": "44821d03-27f0-4d48-b7f2-a97136c9447a",
            "value": "CloudFlared Tunnel Client\r\nType Description: %WINDIR%\\Installer\nMicrosoft: None\nVT Total Detection:5/61\nFirst Submission:2025-09-22T18:45:31.000000+00:00\nLast Submission:2025-12-15T16:33:30.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774195244",
        "uuid": "da4e6620-adaa-4821-8874-ea66349eee61",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "WSSocks Tunnel",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1774195244",
            "to_ids": true,
            "type": "md5",
            "uuid": "1dd5f9ad-f2f9-4465-9e01-20ce6b8fca42",
            "value": "7535154acf4ef4611acbcdd9a3189e06",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "WSSocks Tunnel",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1774194757",
            "to_ids": true,
            "type": "sha1",
            "uuid": "3f9f5e23-26b5-4a50-80b9-eb372b4ba19e",
            "value": "8b77260672fce04bca02a2ea9d3c40a70799c34d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "WSSocks Tunnel",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1774194757",
            "to_ids": true,
            "type": "sha256",
            "uuid": "745a4f89-e971-4c1d-8773-df0a9b3fa2d2",
            "value": "129eec0c999653e30a659f6a336c76d3b6ce810d459a7f860bacbc06fd556277",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1774193578",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "334a67df-1488-4104-9be1-d87fa6c94e11",
            "value": "384:ZfGLOJW1gWlHKcjVULBjCNGwzvnrb0VQILWjCRpj1edjEA/ZC3fj3Bt8N5SgGdZG:9cQ5En9vjCRTRvjo5SgGdZQ5L"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1774193578",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "c9797500-f674-4f36-a5d3-dd7dc53bd3f9",
            "value": "25600"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1774193578",
            "to_ids": true,
            "type": "vhash",
            "uuid": "3b2903b6-092b-4b3a-b2b0-457678c437ff",
            "value": "22403655151f08115500815"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1774193578",
            "to_ids": true,
            "type": "filename",
            "uuid": "eae541a8-52e7-409c-9168-10951e650bea",
            "value": "wssocks.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 22/03/2026\nLast scan: 19/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1774193578",
            "to_ids": false,
            "type": "text",
            "uuid": "bebe4f64-761a-4e84-854b-5f03658777b8",
            "value": "WSSocks Tunnel\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Seheq!rfn\nVT Total Detection:19/71\nFirst Submission:2025-12-22T20:52:46.000000+00:00\nLast Submission:2025-12-22T20:52:46.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774195265",
        "uuid": "cbf2fa52-6b6a-4b9d-9f51-2ea3b5d3f2f6",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "NSecKrnl Kernel Driver",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1774195265",
            "to_ids": true,
            "type": "md5",
            "uuid": "5552e340-87e7-4547-aac5-da9e0caa3fb3",
            "value": "80961850786d6531f075b8a6f9a756ad",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "NSecKrnl Kernel Driver",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1774194759",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e4b76f0f-4c6f-4991-b247-53975f57e161",
            "value": "b0b912a3fd1c05d72080848ec4c92880004021a1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "NSecKrnl Kernel Driver",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1774194759",
            "to_ids": true,
            "type": "sha256",
            "uuid": "cf24ea1f-a7b7-43d3-bc04-c6731918d246",
            "value": "206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1774193601",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e99241aa-208d-4b0d-8a9c-f93809efbb36",
            "value": "384:xrt+fwuqbvHZi0xZsHLgZDgf2hpbvFR2IDgf2hZw:06vbyCUf2hpPFUf2h+"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1774193601",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "310b78fb-e4bd-4d3a-abdf-e51dddef395a",
            "value": "25056"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1774193601",
            "to_ids": true,
            "type": "vhash",
            "uuid": "ba5a4660-b925-4d71-ba61-6bc121545d56",
            "value": "024076551d151655151iz16xz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1774193601",
            "to_ids": true,
            "type": "filename",
            "uuid": "f84467e0-55f1-4b3b-b25d-7f0345e38efc",
            "value": "NSecKrnl"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-03-22\nLast-scan: 2026-03-20",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1774193601",
            "to_ids": false,
            "type": "text",
            "uuid": "92e1eb6c-740e-40a2-9b81-311e614759ea",
            "value": "NSecKrnl Kernel Driver\nNOTE: Microsoft classifies this sample as VulnerableDriver:Win32/nseckrnl.B and it was first submitted to VT in 2020, i.e. a pre-existing vulnerable driver rather than campaign-specific malware (presumably loaded bring-your-own-vulnerable-driver style to tamper with security tooling - confirm against the source report). Hash-based blocking is appropriate for this one; additionally check whether the Microsoft vulnerable driver blocklist / HVCI already covers it and alert on the service-creation and driver-load events that precede its use.\nType Description: Win32 EXE\nMicrosoft: VulnerableDriver:Win32/nseckrnl.B\nVT Total Detection:18/71\nFirst Submission:2020-06-29T09:17:58.000000+00:00\nLast Submission:2026-03-20T17:33:18.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774195287",
        "uuid": "f3ea7e2a-9638-49aa-9377-5f2009ff2d5e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "VSCode CLI Tool",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1774195287",
            "to_ids": true,
            "type": "md5",
            "uuid": "4e1291da-9056-486c-91dd-aa7f252ffa83",
            "value": "78cd87dfa9ba0f9b533310ca98b54489",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#2c2142",
                "local": false,
                "name": "false-positive:risk=\"high\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "VSCode CLI Tool",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1774194760",
            "to_ids": true,
            "type": "sha1",
            "uuid": "13f5ecdd-a3d9-4195-8767-8859c6439dc5",
            "value": "7cbe4243c09f299b2dbfdc10f63846541367dcef",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#2c2142",
                "local": false,
                "name": "false-positive:risk=\"high\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "VSCode CLI Tool",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1774194761",
            "to_ids": true,
            "type": "sha256",
            "uuid": "d60a4f8b-a9df-436f-8fa3-bf07fb5ac238",
            "value": "34b2a6c334813adb2cc70f5bd666c4afbdc4a6d8a58cc1c7a902b13bbd2381f4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#2c2142",
                "local": false,
                "name": "false-positive:risk=\"high\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1774193624",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "335f4c95-dedf-44bf-b89e-d6508178c733",
            "value": "98304:MNsWGGWq10CYfpHXtvCrNfylv0d1/mmLn9Ogxwxc8/cXcE4Mg/b35R+GrHn+9lTn:G6t8NRneep4HvHn+9GQ5C/xqVa1L11Mb"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1774193624",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "35e6d2aa-88e8-41a7-b2a0-ef9e344d53d9",
            "value": "22401592"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1774193624",
            "to_ids": true,
            "type": "vhash",
            "uuid": "29920f97-2596-4c7c-ab09-c5b2e87aa259",
            "value": "027066655d156d055223zd2zba1z40f1z603031zd023z44z217z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1774193624",
            "to_ids": true,
            "type": "filename",
            "uuid": "e058e272-a943-46d7-b4a3-f9e07728906f",
            "value": "code.txt"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-03-22\nLast-scan: 2026-03-18",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1774193624",
            "to_ids": false,
            "type": "text",
            "uuid": "b1efaf68-80b4-4dfd-8d35-c73f3a844130",
            "value": "VSCode CLI Tool (legitimate Microsoft-distributed code.exe, observed renamed to code.txt)\nNOTE: 0/72 detections, distributed by Microsoft and tagged false-positive:risk=high - the hash identifies a benign utility, so do not block or alert on the hash alone even though the md5/sha1/sha256 attributes in this object carry to_ids=true; review that flag before exporting to an IDS. Treat it as living-off-the-land tooling and detect on context instead: the .txt extension, unexpected execution path or parent process, and outbound tunnel traffic (presumably the CLI's remote tunnel feature - confirm against the source report).\nType Description: Win32 EXE\nFile distributed by: ['Microsoft']\nData sources: ['Microsoft Corporation']\nVerdict filename: ['code.exe']\nMicrosoft: None\nVT Total Detection:0/72\nFirst Submission:2025-08-08T12:33:09.000000+00:00\nLast Submission:2026-02-09T03:10:38.000000+00:00"
          }
        ]
      }
    ]
  }
}