{
  "Event": {
    "analysis": "2",
    "date": "2022-04-05",
    "extends_uuid": "",
    "info": "[Threat Intel] RTF template injection sample targeting Malaysia",
    "protected": false,
    "publish_timestamp": "1780039974",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1780039974",
    "uuid": "06c6d7a8-2854-402a-9f01-74715d433ed0",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#915448",
        "local": false,
        "name": "misp-galaxy:target-information=\"Malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd2e44",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#2cfe4e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Template Injection - T1221\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Office Template Macros - T1137.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:f3b46834-6ce9-44ef-852d-d7ac61a12920=\"5ba3a053-9bd8-47da-b837-2aef418a0a42\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740750627",
        "to_ids": false,
        "type": "link",
        "uuid": "210c04cc-211e-4c91-baea-8ad42d13afc5",
        "value": "https://notes.netbytesec.com/2022/04/rtf-template-injection-sample-targeting-Malaysia.html"
      },
      {
        "category": "Payload delivery",
        "comment": "Salwa.dotm No sample in VT\r\nLast check:09/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746790111",
        "to_ids": true,
        "type": "md5",
        "uuid": "110cb300-990f-481f-bff4-546e49aad2e6",
        "value": "d50e5febbbb53fb439df73b976db790c",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "RTF template injection URLs",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1747004673",
        "to_ids": true,
        "type": "url",
        "uuid": "c97eb2a2-725f-43f0-ab61-f09535c2222a",
        "value": "https://mckeaguee.com/salwa.dotm",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "RTF template injection URLs",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1747004694",
        "to_ids": true,
        "type": "url",
        "uuid": "aaeeba94-52f2-49da-958d-e368ff0f3870",
        "value": "https://mckeaguee.com/suhaimi.dotm",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "RTF template injection URLs",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1747004715",
        "to_ids": true,
        "type": "url",
        "uuid": "6c0f6175-a22e-424a-8c21-67cb0a83f45b",
        "value": "https://mckeaguee.com/rushidan.dotm",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "RTF template injection URLs",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1747004736",
        "to_ids": true,
        "type": "url",
        "uuid": "7f678585-4ecb-48b1-a140-9616d182672a",
        "value": "https://mckeaguee.com/hamizan.dotm",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "RTF communication",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1747004758",
        "to_ids": true,
        "type": "domain",
        "uuid": "755bc2c9-352a-472e-b16e-01bcf3ff1821",
        "value": "mckeaguee.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "RTF communication",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039972",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "d46d0e43-99fd-452f-95b5-6811dbf6425f",
        "value": "206.166.251.228",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#5beb6d",
            "local": false,
            "name": "asn:asn=\"399629\"",
            "relationship_type": ""
          },
          {
            "colour": "#6967e5",
            "local": false,
            "name": "asn:as-owner=\"BLNWX\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "DLL communication - C2 Server",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1747004800",
        "to_ids": true,
        "type": "domain",
        "uuid": "e1f1bdc8-aa33-490a-8b12-2b9e01490023",
        "value": "mclartyc.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "DLL communication",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039974",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "2853b736-ef21-408c-90e8-f68b80e7a5e6",
        "value": "139.177.184.80",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#680e86",
            "local": false,
            "name": "asn:asn=\"63949\"",
            "relationship_type": ""
          },
          {
            "colour": "#edf21f",
            "local": false,
            "name": "asn:as-owner=\"AKAMAI-LINODE-AP Akamai Connected Cloud\"",
            "relationship_type": ""
          },
          {
            "colour": "#d906de",
            "local": false,
            "name": "asn:as-country=\"SG\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"singapore\"",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1747004842",
        "uuid": "0e6f1792-6c3f-47f3-9e16-e7f1c74025ec",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Training Schedule Year 2022.doc",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1747004842",
            "to_ids": true,
            "type": "md5",
            "uuid": "f1231f6a-2a26-4bde-b939-0df1ca95826d",
            "value": "bc3102871cff7431440dbee8d7f1ae55",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Training Schedule Year 2022.doc",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746748177",
            "to_ids": true,
            "type": "sha1",
            "uuid": "abac7ddf-53b2-4d3f-911f-e7e9315cac56",
            "value": "8d9fdbc73b7abab3759899e39af915916691c00f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Training Schedule Year 2022.doc",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746748177",
            "to_ids": true,
            "type": "sha256",
            "uuid": "44d43798-6cb8-4726-b383-e30be287df54",
            "value": "3fe2952c237d5a5a32a82ff20366e136d9be7724fe7869dc16f9b01df506b574",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746748177",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "7aae6d30-fc3a-41f8-b000-526fe03cb367",
            "value": "6144:7sXxB/XA83qHEGoVMlNbr+a1pW2gUOTg+JVLP2+Hy+FZB+LfS4Adn+Y31wWju/1e:7sB8oaN+SW6+/jnBFD"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746748177",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "0054b77f-e790-49e0-821f-c1991503ae8f",
            "value": "585849"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746748177",
            "to_ids": true,
            "type": "vhash",
            "uuid": "40e1a8e5-ccd2-4130-80a0-d981408700e7",
            "value": "822da1f86c6e4f8f0d4b3a2d6e0f63270"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746748177",
            "to_ids": true,
            "type": "filename",
            "uuid": "4bc802c1-5203-47de-88ec-8cf9efd3df3f",
            "value": "Training Schedule Year 2022.doc"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast-scan\t:  28/05/2022",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746748177",
            "to_ids": false,
            "type": "text",
            "uuid": "3a6411c2-c87a-4aef-a125-37a25b748fab",
            "value": "Training Schedule Year 2022.doc\r\nType Description: Rich Text Format\nMicrosoft: None\nVT Total Detection:22/58\nFirst Submission:2022-03-30T10:26:26.000000+00:00\nLast Submission:2022-03-30T10:26:26.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1747004863",
        "uuid": "b36aebc3-32c6-490f-a96f-4710da28334c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "CSM-ACE_Delegates_Kit.doc",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1747004863",
            "to_ids": true,
            "type": "md5",
            "uuid": "3efefa04-f47b-4149-b765-e43075378355",
            "value": "99f02db0641f2bb5680fdd08e59dd2e0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "CSM-ACE_Delegates_Kit.doc",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746748198",
            "to_ids": true,
            "type": "sha1",
            "uuid": "51dd5b0a-a26b-4942-9b8d-0b9be48fce12",
            "value": "c6e4a1c82b67a566dbe4ad90f95af8995fdb3dc7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "CSM-ACE_Delegates_Kit.doc",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746748198",
            "to_ids": true,
            "type": "sha256",
            "uuid": "7f3c07a7-7649-4046-994c-6b17709f4a82",
            "value": "e91167ff17ccdffaf7a81a640b85efc1bacc9333c5ba56e988d6b58370c3aaf6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746748198",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "25784e06-3715-42cc-9cf1-49142438bed2",
            "value": "1536:3uFzd9tm9SfIVEGa3aFSTRZEN732aGnegtuXRzIfUisxYtY:3WnehR+AIaNS1UYu"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746748198",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "d0037103-ca33-473a-b240-6e5ec55bd9cb",
            "value": "98652"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746748198",
            "to_ids": true,
            "type": "vhash",
            "uuid": "5d8dc075-5a6e-4523-8bd4-e0fa6749608c",
            "value": "822da1f86c6e4f8f0d4b3a2d6e0f63270"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746748198",
            "to_ids": true,
            "type": "filename",
            "uuid": "204531a1-ee9d-45fb-b7ac-d02d4bb07b11",
            "value": "CSM-ACE_Delegates_Kit.doc"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast-scan\t:  20/04/2022",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746748198",
            "to_ids": false,
            "type": "text",
            "uuid": "78d29021-1109-4331-8814-93435d6b743b",
            "value": "CSM-ACE_Delegates_Kit.doc\r\nType Description: Rich Text Format\nMicrosoft: None\nVT Total Detection:14/59\nFirst Submission:2022-03-30T07:41:45.000000+00:00\nLast Submission:2022-03-30T07:41:45.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1747004884",
        "uuid": "e3ec6012-0dd1-4828-ac55-d04ae9d9062c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "CSM 2022.doc",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1747004884",
            "to_ids": true,
            "type": "md5",
            "uuid": "32b39343-803a-4784-9f9e-4638fdce9aff",
            "value": "aac4b8e7e637c5b73e0801bc113ec0aa",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "CSM 2022.doc",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746748219",
            "to_ids": true,
            "type": "sha1",
            "uuid": "eb2d7cf9-8834-4120-b877-48a8954d3ce4",
            "value": "b8382bcb28a88c795cfb63ecec81695382965a9a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "CSM 2022.doc",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746748220",
            "to_ids": true,
            "type": "sha256",
            "uuid": "38146eff-b6b2-442a-b8b8-b3a3303c2513",
            "value": "e9bd671bc0dc4f5f4043285bb37dd1d9aa929aa07fb4520695ba1469e596806b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746748219",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "8e2bdd2a-eb60-421c-8894-0cb57b378ef7",
            "value": "384:3mm4AmIKvQtVlEF/SGi6rGs+ZAUw5PTsxCYDnMNLBV:3mm4bF+qUisx+NLBV"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746748219",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "dfaabe43-8435-45e5-adc2-7e079e2bb2ea",
            "value": "40958"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746748219",
            "to_ids": true,
            "type": "vhash",
            "uuid": "dec78acc-97d6-43dd-8aa2-8379d2ae756a",
            "value": "84c79ee1f8befc5660fd48dd02b6d8602"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746748219",
            "to_ids": true,
            "type": "filename",
            "uuid": "b0fb4713-0373-4bf6-8081-51cba6483c13",
            "value": "CSM 2022.doc"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast-scan\t:  12/05/2022",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746748219",
            "to_ids": false,
            "type": "text",
            "uuid": "7f5b43d6-9480-4c69-a94b-8ae9abee194d",
            "value": "CSM 2022.doc\r\nType Description: Rich Text Format\nMicrosoft: None\nVT Total Detection:13/59\nFirst Submission:2022-03-30T10:45:00.000000+00:00\nLast Submission:2022-03-30T10:45:00.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1747004905",
        "uuid": "b1c6e6ee-bf80-4799-9a17-96c4fccdbfe5",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "CSM-ACE Delegates Kit.doc",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1747004905",
            "to_ids": true,
            "type": "md5",
            "uuid": "84f1bd74-9bda-44ee-8a3f-252b19f5fa96",
            "value": "44f989a9dd3958611189eaca5b32444d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "CSM-ACE Delegates Kit.doc",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746748241",
            "to_ids": true,
            "type": "sha1",
            "uuid": "16560d57-346d-41ef-8353-2b7d7ae9d9f8",
            "value": "3213a128d3f34c0b717f3b7f68edebc0520311bf",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "CSM-ACE Delegates Kit.doc",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746748241",
            "to_ids": true,
            "type": "sha256",
            "uuid": "dc8c0f6f-2386-462b-a18c-533443159c3a",
            "value": "c89de0bedf7ab3da754aec4b42dadf827e0d69461c35458843485d878fc58443",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746748240",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "71e97f96-1a07-49d3-b7b8-b6911e9f5ff7",
            "value": "1536:3AZYd9tm9SfIVEGa3aFSTRZEN7QsQMnegtuXRzItUisxqy9:3w+ehR+AIaNT1Uqi"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746748240",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "5cfeff0c-62e6-4e17-bfd8-6e5f7029007e",
            "value": "99502"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746748240",
            "to_ids": true,
            "type": "vhash",
            "uuid": "46e5edd0-ea35-48ac-a96a-f347028330f6",
            "value": "822da1f86c6e4f8f0d4b3a2d6e0f63270"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746748240",
            "to_ids": true,
            "type": "filename",
            "uuid": "9297f1ae-703c-49f6-90b8-e938b4bd4740",
            "value": "CSM-ACE Delegates Kit.doc"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast-scan\t:  07/10/2024",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746748240",
            "to_ids": false,
            "type": "text",
            "uuid": "7306487d-7afb-4329-8872-44456e269f49",
            "value": "CSM-ACE Delegates Kit.doc\r\nType Description: Rich Text Format\nMicrosoft: None\nVT Total Detection:12/61\nFirst Submission:2022-03-30T10:30:15.000000+00:00\nLast Submission:2022-03-30T10:30:15.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1747004926",
        "uuid": "6b653ded-874d-4850-855c-40d820685400",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Training",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1747004926",
            "to_ids": true,
            "type": "md5",
            "uuid": "4d807012-ecea-4175-911a-40345a2bd75f",
            "value": "3890c7037e01edf40ce6700491a49dd3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Training",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746748284",
            "to_ids": true,
            "type": "sha1",
            "uuid": "136b8c4f-adc5-4139-a49a-f84892e4b848",
            "value": "9dd32c304824ff37dd7cae0991178fb3612d1630",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Training",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746748284",
            "to_ids": true,
            "type": "sha256",
            "uuid": "0c645e70-0622-4dc4-814b-f4cf39894b0c",
            "value": "712573384e6a1732d0a5281f9b33c1a05624c30c6c6888c6ccf1380621734ed5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746748283",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "7e7597df-2393-4801-8f75-a9d130ca4337",
            "value": "3072:BI3N1iEXy0xfcbqPuOtrrZWVJ7ILJW0bRnsog2QL:B4i8Hr9WVJcWnog2u"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746748283",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "905eeee7-25cd-4d97-9633-e6edb86e557e",
            "value": "160835"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746748283",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d9893b3b-7a35-4e0c-b08d-91435dd5844d",
            "value": "03435ac708afa052aa49e52b2398fc51"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746748283",
            "to_ids": true,
            "type": "filename",
            "uuid": "35c211d7-5503-47ef-99f5-7eb2a813a5bf",
            "value": "STONEDOWN_3890c7037e01edf40ce6700491a49dd3._mal"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast-scan\t:  06/05/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746748283",
            "to_ids": false,
            "type": "text",
            "uuid": "34f8e90d-bf1a-4e6a-be0e-c37be290bc72",
            "value": "Training\r\nType Description: Office Open XML Document\nMicrosoft: Trojan:Script/Wacatac.B!ml\nVT Total Detection:39/66\nFirst Submission:2023-01-26T07:27:02.000000+00:00\nLast Submission:2023-01-26T07:27:02.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1747004947",
        "uuid": "cca73a58-76cf-44c3-b0bd-3ba27b3a696c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "GoogleServices.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1747004947",
            "to_ids": true,
            "type": "md5",
            "uuid": "14379b2e-86d9-4fd6-b7d8-631848b0401f",
            "value": "4ce106b72de51c55781d6d55e758a636",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "GoogleServices.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746748305",
            "to_ids": true,
            "type": "sha1",
            "uuid": "8501f9fd-ea8a-4c52-90ee-d3c2d11e12c8",
            "value": "3b6a7d20e2d0d45f1b91d119c8381721dd2abdda",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "GoogleServices.dll",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746748305",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f55e6a55-4e07-407c-8213-ece4e9172e23",
            "value": "6c5e7d6573fdbf7a87c7c22044326a9d23b6d80618306477809b8632099bccba",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746748304",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "0b1dcc64-2994-4643-afe9-0b2e5a084c7a",
            "value": "3072:gPmKtewE5qe7qS2ZXzyJgQSDtiDP2vqh2ln:gPZNEz7GFzGgQ9h2ln"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746748304",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "33000fef-dffc-4231-bc0d-6829680f2024",
            "value": "111104"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746748304",
            "to_ids": true,
            "type": "vhash",
            "uuid": "59aed2d5-72cb-4db3-88e0-c57227dcfa44",
            "value": "115056655d15156az42?z1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746748304",
            "to_ids": true,
            "type": "filename",
            "uuid": "4175e7df-daf1-41b0-b8d4-286cbc333fc7",
            "value": "GoogleServices.bin"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast-scan\t:  06/05/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746748304",
            "to_ids": false,
            "type": "text",
            "uuid": "1221b681-01e9-461f-b72f-e029fc42878b",
            "value": "GoogleServices.dll\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Casdet!rfn\nVT Total Detection:50/72\nFirst Submission:2022-03-30T15:59:54.000000+00:00\nLast Submission:2022-03-30T15:59:54.000000+00:00"
          }
        ]
      },
      {
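        "comment": "Analyst note: per the text attribute in this object, VT shows 0/72 detections and a first submission in 2010, so this file may be a legitimate binary; the to_ids hash and filename attributes in this object can produce false positives - validate before using them for blocking.",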
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1747004968",
        "uuid": "a8417b8e-17df-402b-ad1b-558bdc6997fd",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "GoogleDesktop.exe",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1747004968",
            "to_ids": true,
            "type": "md5",
            "uuid": "86d92e7b-1f14-43a0-804d-053abe1a1576",
            "value": "9f5f2f0fb0a7f5aa9f16b9a7b6dad89f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "GoogleDesktop.exe",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746748327",
            "to_ids": true,
            "type": "sha1",
            "uuid": "995df989-ac2a-4207-bf7a-b98f8efbcf05",
            "value": "603f73160dcc49da297a10f0691cefe4dddd9772",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "GoogleDesktop.exe",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746748327",
            "to_ids": true,
            "type": "sha256",
            "uuid": "2bff129e-5c0f-461a-9efe-2b37c8335802",
            "value": "6d2b301e77839fff1c74425b37d02c3f3837ce50e856c21ae4cf7ababb04addc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746748326",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "9710a575-13c4-4f9e-a768-9a5af3e766f6",
            "value": "384:cyq+lmjXbHEno/vmOmG0njumBSZJ2YJLWEbxS:hlAknoGDBKFZLVbI"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746748326",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b9080344-8776-456b-9ddc-59858ec0372b",
            "value": "30192"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746748326",
            "to_ids": true,
            "type": "vhash",
            "uuid": "99ee6ed7-b38e-4575-8e7a-2476c3a30db4",
            "value": "034056151d05551bz8!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746748326",
            "to_ids": true,
            "type": "filename",
            "uuid": "8275a9f5-59fc-4a01-be26-063923a80395",
            "value": "Google Desktop"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast-scan\t:  06/05/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746748326",
            "to_ids": false,
            "type": "text",
            "uuid": "f91f4bb4-497f-43cd-9979-ca3c6b4b026f",
            "value": "GoogleDesktop.exe\r\nType Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:0/72\nFirst Submission:2010-05-26T06:12:21.000000+00:00\nLast Submission:2024-07-24T03:12:11.000000+00:00"
          }
        ]
      }
    ]
  }
}