{
  "Event": {
    "analysis": "1",
    "date": "2026-04-21",
    "extends_uuid": "",
    "info": "[Threat Intel] DinDoor Backdoor: Deno Runtime Abuse and 20 Active C2 Servers",
    "protected": false,
    "publish_timestamp": "1779545441",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1779545441",
    "uuid": "ff6bd3b2-34b3-4769-8b84-7c5acfff2fb6",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#cf6788",
        "local": false,
        "name": "misp-galaxy:producer=\"Hunt.io\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#e7d48a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\"",
        "relationship_type": ""
      },
      {
        "colour": "#d3f567",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\"",
        "relationship_type": ""
      },
      {
        "colour": "#2c1d2e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Checks - T1497.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#9f6bd9",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"",
        "relationship_type": ""
      },
      {
        "colour": "#adf1b0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"",
        "relationship_type": ""
      },
      {
        "colour": "#3780c6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
        "relationship_type": ""
      },
      {
        "colour": "#62f4c1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#f07d7c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Non-Standard Port - T1571\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#356c41",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Security Software Discovery - T1518.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#07a4a1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Encoding - T1132\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#b8ab01",
        "local": false,
        "name": "misp-galaxy:target-information=\"United States\"",
        "relationship_type": ""
      },
      {
        "colour": "#15cd0b",
        "local": false,
        "name": "misp-galaxy:target-information=\"Russia\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      },
      {
        "colour": "#220082",
        "local": false,
        "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777028406",
        "to_ids": false,
        "type": "link",
        "uuid": "e38a4144-0d8c-4258-8571-8455822e282a",
        "value": "https://hunt.io/blog/dindoor-deno-runtime-backdoor-msi-analysis"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777028406",
        "to_ids": false,
        "type": "text",
        "uuid": "ee31794b-5b36-4f8f-929f-f6505c02e5fd",
        "value": "DinDoor is a Deno-based backdoor delivered via MSI files that abuses the Deno runtime to execute obfuscated JavaScript for command-and-control (C2) communications and system fingerprinting. Two analyzed samples show different execution behaviors: one writes JavaScript to disk while the other executes entirely in memory. Both samples use identical fingerprinting algorithms that generate unique victim identifiers. One sample contains an embedded JWT exposing campaign metadata and the domain serialmenot[.]com, identified as multi-tenant infrastructure serving multiple threat actors including state-sponsored groups and cybercriminals. Analysis of HTTP response headers enabled identification of 20 active C2 servers across 15 autonomous systems, many using bulletproof hosting providers. The malicious infrastructure uses the Caddy proxy with distinctive headers, allowing network-based detection."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777028406",
        "to_ids": false,
        "type": "text",
        "uuid": "2dede66b-856d-438d-a2bf-2eff511b3be2",
        "value": "Name: DinDoor Backdoor: Deno Runtime Abuse and 20 Active C2 Servers\nAuthor: AlienVault\nAdversary: MuddyWater\nTags: [\"castleloader\", \"deno runtime\", \"caddy proxy\", \"tsundere botnet\"]\nTgtd countries: [\"United States of America\", \"Russian Federation\"]\nMlwr families: [\"DinDoor\", \"Tsundere Botnet\", \"CastleLoader\", \"CastleRAT\", \"ChainShell\"]\nAttack_ids: [\"T1033\", \"T1059.007\", \"T1497.001\", \"T1082\", \"T1140\", \"T1016\", \"T1090\", \"T1204\", \"T1057\", \"T1059.001\", \"T1566\", \"T1571\", \"T1027\", \"T1573\", \"T1518.001\", \"T1132\", \"T1071.001\", \"T1105\"]\nIndustries: [\"Finance\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779140582",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "455b3e77-7f58-4747-9e50-e85cf7b1e05f",
        "value": "MuddyWater",
        "Tag": [
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:threat-actor=\"MuddyWater\"",
            "relationship_type": ""
          },
          {
            "colour": "#0afe32",
            "local": false,
            "name": "misp-galaxy:producer=\"Palo Alto\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611100",
        "to_ids": true,
        "type": "domain",
        "uuid": "471bdd28-ec7c-406a-b118-98f1de1c59f3",
        "value": "ineracaspsl.site",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611122",
        "to_ids": true,
        "type": "domain",
        "uuid": "8402f1ec-1b35-4b67-b2c0-152d1a4d49af",
        "value": "serialmenot.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611143",
        "to_ids": true,
        "type": "domain",
        "uuid": "0a4f074d-a5d9-41fc-a85a-aa27ea0970be",
        "value": "justtalken.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611164",
        "to_ids": true,
        "type": "domain",
        "uuid": "5e42c814-0bd5-46f5-a1e9-0d0d3913e180",
        "value": "hngfbgfbfb.cyou",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611185",
        "to_ids": true,
        "type": "hostname",
        "uuid": "510894fc-945b-4d77-ba04-cb8c8e0ec4ff",
        "value": "agilemast3r.duckdns.org",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611206",
        "to_ids": true,
        "type": "hostname",
        "uuid": "35906104-1050-4587-a0fb-8e945ec6ddbd",
        "value": "grafana.healthydefinitetrunk.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611227",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "433f8ee7-78f3-4dfa-af52-098e4a7f2ab8",
        "value": "138.124.240.76",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611248",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "4956ad4a-3108-407e-8cf4-e8179bbd2f61",
        "value": "138.124.240.77",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611269",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "267a56da-1a4e-4623-b44a-8b739e89aa37",
        "value": "178.16.52.191",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611290",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "12b4ab66-d6c6-4bde-b7e2-43c048c7bfa4",
        "value": "185.218.19.117",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611312",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "3343a85c-42e6-4972-a88f-c65c0610fd63",
        "value": "192.109.200.151",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611333",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "d701783e-2baf-425f-8d63-1946ed2cb090",
        "value": "193.233.82.43",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611354",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "17ff18d6-1438-4b5f-b499-7a1509c9b3af",
        "value": "193.24.123.25",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611375",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "d033c375-0114-4f28-988a-4ca7e22765b0",
        "value": "194.48.141.192",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611396",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "01f8019c-6ccb-4de9-9486-47a10dedb608",
        "value": "199.217.99.189",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611417",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "a99d2370-61a4-469a-807b-c2253f537800",
        "value": "199.91.220.142",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611438",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "0067f679-38e7-40dd-a38c-4209164b245c",
        "value": "199.91.220.216",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611460",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "e22ef89d-0e9d-4637-b7e8-2fa867625197",
        "value": "2.26.117.169",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611481",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "8f53d01f-e9ea-42fe-9750-a162372ded16",
        "value": "2.27.122.16",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611502",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "786ae80c-c358-4cab-9e31-09f160d0d7b3",
        "value": "209.99.189.170",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611523",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "26ac3ba2-348d-4b55-b8ea-04d95f0cbeca",
        "value": "45.135.180.200",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611544",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "62a346cf-b330-4c2e-b7c0-77db947d9c27",
        "value": "45.151.106.88",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611566",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "24117110-4f21-4e1a-afbe-a1eb0b42d477",
        "value": "85.192.27.152",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611587",
        "to_ids": true,
        "type": "url",
        "uuid": "c1b04d1e-7a7f-4b23-b5ab-7aeb46c7fd41",
        "value": "http://serialmenot.com/mv2/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611608",
        "to_ids": true,
        "type": "domain",
        "uuid": "d9e9ad74-1e4a-40bc-be41-32322e9ef872",
        "value": "aeeracaspsl.site",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611629",
        "to_ids": true,
        "type": "domain",
        "uuid": "95a36ab7-c0a0-4f4f-b7d1-6d2e54d99342",
        "value": "annaionovna.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611650",
        "to_ids": true,
        "type": "domain",
        "uuid": "49f48b24-69ea-4bf1-930a-29e4669fed3d",
        "value": "bitatits.surf",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611671",
        "to_ids": true,
        "type": "domain",
        "uuid": "8e21a401-efd7-4fb6-b914-ce947ebd16b0",
        "value": "generalnewlong.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611693",
        "to_ids": true,
        "type": "domain",
        "uuid": "8b61f81b-af21-4031-85fc-3692525662b8",
        "value": "ilspaeysoff.site",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611715",
        "to_ids": true,
        "type": "domain",
        "uuid": "9db4ad58-a549-45c5-b2ab-40b602db0a7a",
        "value": "landmas.info",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611736",
        "to_ids": true,
        "type": "domain",
        "uuid": "46cd3492-9e6f-432d-845b-9820f286b927",
        "value": "myspaeysoff.site",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611757",
        "to_ids": true,
        "type": "hostname",
        "uuid": "3058596b-3a61-4d2f-b952-479e84130090",
        "value": "bandage.healthydefinitetrunk.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611778",
        "to_ids": true,
        "type": "hostname",
        "uuid": "ba0a5ff6-ab7d-4462-8d48-21a6f9549f2a",
        "value": "surgery.healthydefinitetrunk.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611799",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "7aee7902-f763-4e43-a054-90a0c772181d",
        "value": "140.82.18.48",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611821",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "73f7d0bd-ef28-4b9a-b411-30bd7475b407",
        "value": "178.104.137.180",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611842",
        "to_ids": true,
        "type": "domain",
        "uuid": "241864a9-ead8-482a-a5da-bb2792454226",
        "value": "playerdragonbike.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611863",
        "to_ids": true,
        "type": "domain",
        "uuid": "8d9f0e9d-6782-437f-abcc-537ad729bf4c",
        "value": "weaplink.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777611884",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "29254c96-5e86-4f39-a166-7ab1e528f3c5",
        "value": "146.19.254.84",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545439",
        "uuid": "861d7a9c-8f7d-401c-92ad-a923e75d8111",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545438",
            "to_ids": true,
            "type": "md5",
            "uuid": "ec62e6f9-4bad-4598-880f-ec6fb2ade5a4",
            "value": "5c057af2f358fc10107d5ccdb39938ad",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545439",
            "to_ids": true,
            "type": "sha1",
            "uuid": "0e43a5f4-c1d1-48e1-b633-454715c031e4",
            "value": "e2e8516b4f275e8c636620b7377ee3b9f9f47bb0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545439",
            "to_ids": true,
            "type": "sha256",
            "uuid": "075bfd4a-dad1-4c9b-a717-aebbda699195",
            "value": "2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777608091",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f0ae50a7-9d98-4368-acc0-b5640c3f1515",
            "value": "24576:5NOmTRC/KmPbeqL+FnXvO9+f1KUw+T/s/e:vOmVv+bD+1X29WKwE/"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777608091",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "dcc10b84-0ff6-42e1-b6b8-e76fa1e597c9",
            "value": "1096704"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777608091",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d63b6c7b-caed-4bfc-b485-d58a7d02cbb5",
            "value": "ba151a36b5229126cd8a0e26f5d18ec0"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777608091",
            "to_ids": true,
            "type": "filename",
            "uuid": "7a311f9a-ab1c-43a4-b83a-ff41487a0c4b",
            "value": "2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5.msi"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/05/2026\nLast-scan: 29/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777608091",
            "to_ids": false,
            "type": "text",
            "uuid": "c9241d30-3110-4ffe-8f86-aa3fc2885b42",
            "value": "Type Description: Windows Installer\nMicrosoft: Trojan:Python/MuddyWater.DB!MTB\nVT Total Detection:36/61\nFirst Submission:2026-02-13T11:10:02.000000+00:00\nLast Submission:2026-03-02T14:07:55.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545441",
        "uuid": "ba16345e-73f1-4c8c-83fa-378dc018b343",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545440",
            "to_ids": true,
            "type": "md5",
            "uuid": "9e4803c4-494e-47fc-88bc-ceb72a9ef0a1",
            "value": "6d56ec35c1bb1e44a8d6ee201845aa05",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545440",
            "to_ids": true,
            "type": "sha1",
            "uuid": "3450fce7-77a4-4bea-96b3-92cd97e61bc8",
            "value": "197fb8bf3d6064a9f3272b8222cab6d5cf4f24de",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545441",
            "to_ids": true,
            "type": "sha256",
            "uuid": "e0501c46-5337-4867-98b0-cd6668fd8dd6",
            "value": "7b793c54a927da36649eb62b9481d5bcf1e9220035d95bbfb85f44a6cc9541ae",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777608113",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "09b28122-53aa-4dbe-8ec7-0a2319a4ea15",
            "value": "384:C61ynfiR+V5fTnhsNB1oyfHILv888nF3/uNArxN:CQyn6I5Dy/ggF3GG"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777608113",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "93435e0a-e756-4c4b-a09a-6c6c746b7d52",
            "value": "19456"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777608113",
            "to_ids": true,
            "type": "vhash",
            "uuid": "8d947b0e-c7da-4065-a354-a49b070a1696",
            "value": "a358b5762e38b67c66a08fc811f4eee1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777608113",
            "to_ids": true,
            "type": "filename",
            "uuid": "340ea770-c262-4f4f-8108-065da0fd7851",
            "value": "dvxjb.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/05/2026\nLast-scan: 30/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777608113",
            "to_ids": false,
            "type": "text",
            "uuid": "2c2cc4e3-9a7c-4363-b7ea-f510409acbda",
            "value": "Type Descriptio%WINDIR%\\Installer\nMicrosoft: None\nVT Total Detection:30/61\nFirst Submission:2026-03-26T12:00:09.000000+00:00\nLast Submission:2026-04-08T12:28:13.000000+00:00"
          }
        ]
      }
    ]
  }
}