{
  "Event": {
    "analysis": "1",
    "date": "2025-01-29",
    "extends_uuid": "",
    "info": "[Threat Intel] Unmasking the Shadow of PoisonPlug's Obfuscator",
    "protected": false,
    "publish_timestamp": "1780040381",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1772902038",
    "uuid": "36bf37ab-79d9-45b2-901c-6c5b0292f707",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"Mandiant\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Code Signing - T1553.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#2031cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Password Filter DLL - T1556.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#90e6f2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal or Forge Kerberos Tickets - T1558\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9bb6d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\"",
        "relationship_type": ""
      },
      {
        "colour": "#a320c3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Unsecured Credentials - T1552\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Web Browsers - T1555.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#327a31",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Binary Padding - T1027.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd4476",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Golden Ticket - T1558.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#67762a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Bash History - T1552.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#f95f85",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials In Files - T1552.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0505a8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Host Software Binary - T1554\"",
        "relationship_type": ""
      },
      {
        "colour": "#ad5a96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Hijack Execution Flow - T1574\"",
        "relationship_type": ""
      },
      {
        "colour": "#f798db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Indicator Removal from Tools - T1027.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#3b33aa",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Subvert Trust Controls - T1553\"",
        "relationship_type": ""
      },
      {
        "colour": "#e2a873",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steganography - T1027.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#3f00e6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Compile After Delivery - T1027.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#3c0f50",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#abbbbf",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Modify Authentication Process - T1556\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:fa5af22e-b260-4dc4-90bd-1c8431b680c0=\"c9d7b877-21aa-4327-8eb2-973b90b259fd\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:region=\"142 - Asia\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:region=\"150 - Europe\"",
        "relationship_type": ""
      },
      {
        "colour": "#b990dd",
        "local": false,
        "name": "misp-galaxy:target-information=\"Australia\"",
        "relationship_type": ""
      },
      {
        "colour": "#1faf16",
        "local": false,
        "name": "misp-galaxy:target-information=\"Canada\"",
        "relationship_type": ""
      },
      {
        "colour": "#013748",
        "local": false,
        "name": "misp-galaxy:target-information=\"India\"",
        "relationship_type": ""
      },
      {
        "colour": "#915448",
        "local": false,
        "name": "misp-galaxy:target-information=\"Malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#d52b43",
        "local": false,
        "name": "misp-galaxy:target-information=\"Mexico\"",
        "relationship_type": ""
      },
      {
        "colour": "#48df7e",
        "local": false,
        "name": "misp-galaxy:target-information=\"Netherlands\"",
        "relationship_type": ""
      },
      {
        "colour": "#fa487c",
        "local": false,
        "name": "misp-galaxy:target-information=\"Philippines\"",
        "relationship_type": ""
      },
      {
        "colour": "#3b9849",
        "local": false,
        "name": "misp-galaxy:target-information=\"Saudi Arabia\"",
        "relationship_type": ""
      },
      {
        "colour": "#35a578",
        "local": false,
        "name": "misp-galaxy:target-information=\"South Africa\"",
        "relationship_type": ""
      },
      {
        "colour": "#9c7ff4",
        "local": false,
        "name": "misp-galaxy:target-information=\"South Korea\"",
        "relationship_type": ""
      },
      {
        "colour": "#63bd05",
        "local": false,
        "name": "misp-galaxy:target-information=\"Sweden\"",
        "relationship_type": ""
      },
      {
        "colour": "#e6caf2",
        "local": false,
        "name": "misp-galaxy:target-information=\"Switzerland\"",
        "relationship_type": ""
      },
      {
        "colour": "#b8ab01",
        "local": false,
        "name": "misp-galaxy:target-information=\"United States\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"ShadowPad\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"poisonplug\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd2e44",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:ransomware=\"Scatterbrain\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"APT41\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3a00e0",
        "local": false,
        "name": "rectifyq:action-taken=\"x\"",
        "relationship_type": ""
      },
      {
        "colour": "#3b00e2",
        "local": false,
        "name": "rectifyq:action-taken=\"linkedin\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1738322711",
        "to_ids": false,
        "type": "link",
        "uuid": "94f5a71f-49c3-47e4-b1e0-9dfad8bf29a2",
        "value": "https://cloud.google.com/blog/topics/threat-intelligence/scatterbrain-unmasking-poisonplug-obfuscator"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1738322711",
        "to_ids": false,
        "type": "text",
        "uuid": "c75c506b-5697-4cc3-bf20-d665f53abb87",
        "value": "Since 2022, cyber espionage operations using POISONPLUG.SHADOW have been tracked. POISONPLUG.SHADOW is a variant of the POISONPLUG modular backdoor and is protected with ScatterBrain, a custom obfuscating compiler that evolved from the earlier ScatterBee obfuscator; the tracked operations target entities in Europe and the Asia Pacific region. The obfuscation is applied to evade detection and to hinder analysis. The linked blog post analyses ScatterBrain, covering its modes of operation and its protection components, and describes the development of a deobfuscator: control-flow graph (CFG) recovery, import restoration and reconstruction of the binary. Caveat for consumers of this event: at the time of enrichment no sample was available in VirusTotal for the four MD5-only attributes (see their comments and tags), so those hashes could not be independently validated against a sample and should be treated as report-sourced indicators."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1738322711",
        "to_ids": false,
        "type": "text",
        "uuid": "bdf05a3d-f36d-4384-a820-24a6abb09b97",
        "value": "Name: Unmasking the Shadow of PoisonPlug's Obfuscator\nAuthor: AlienVault\nAdversary: APT41\nTags: [\"poisonplug.shadow\", \"cyber espionage\", \"poisonplug\", \"poisonplug.deed\", \"scatterbee\", \"scatterbrain\"]\nTgtd countries: []\nMlwr families: [\"POISONPLUG.SHADOW\", \"POISONPLUG.SHADOW\", \"ScatterBrain\"]\nAttack_ids: [\"T1553.002\", \"T1556.002\", \"T1140\", \"T1558\", \"T1555\", \"T1552\", \"T1555.003\", \"T1027.001\", \"T1558.001\", \"T1552.003\", \"T1552.001\", \"T1554\", \"T1574\", \"T1027.005\", \"T1027\", \"T1553\", \"T1027.003\", \"T1027.004\", \"T1027.002\", \"T1556\"]\nIndustries: []"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1738322711",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "4f5fb227-2a12-4787-9bc2-1ee1f09fc6fd",
        "value": "APT41"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\nLast check: 2025-02-08",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739011575",
        "to_ids": true,
        "type": "md5",
        "uuid": "7c46d227-e0b5-4f9d-a33c-b3de05f23529",
        "value": "1f1361a67ce4396c3b9dbc198207ef52",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#e87d07",
            "local": false,
            "name": "verify-require=epp",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\nLast check: 2025-02-08",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739011576",
        "to_ids": true,
        "type": "md5",
        "uuid": "9b2b29c2-59b3-4f74-93d3-bec05ad1944e",
        "value": "4bf608e852cb279e61136a895a6912a9",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#e87d07",
            "local": false,
            "name": "verify-require=epp",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\nLast check: 2025-02-08",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739011577",
        "to_ids": true,
        "type": "md5",
        "uuid": "4bc18b8b-0c18-467c-ba03-81351c809565",
        "value": "79313be39679f84f4fcb151a3394b8b3",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#e87d07",
            "local": false,
            "name": "verify-require=epp",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\nLast check: 2025-02-08",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739011579",
        "to_ids": true,
        "type": "md5",
        "uuid": "32cd2ad1-16fa-47d5-a155-ca78e6da0524",
        "value": "eb42ef53761b118efbc75c4d70906fe4",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#e87d07",
            "local": false,
            "name": "verify-require=epp",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1739015819",
        "uuid": "fc614639-9e81-479c-a603-8db726c399e1",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1739015819",
            "to_ids": true,
            "type": "md5",
            "uuid": "42f8fca0-e84e-4566-9c3b-775bd19291a8",
            "value": "0009f4b9972660eeb23ff3a9dccd8d86",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1739011571",
            "to_ids": true,
            "type": "sha1",
            "uuid": "d42c59dd-03d5-4d18-8fba-ad724ea81755",
            "value": "12180ff028c1c38d99e8375dd6d01f47f6711b97",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1739011571",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b06359ec-cb18-4020-b75f-09d996722dcc",
            "value": "d484b9b8c44558c18ef6147c6ca8276a462fccf2acb2863be4ee9bf37942f11e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1739011241",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "5a56e24f-8bbc-4cba-8e7b-d95d7c6bd7a3",
            "value": "1572864:sA59t4XCWb1PpYFWqq+VuTMBGJ0YaX3SZQMPT:sA59uXt5P+V/BIanSZQMPT"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1739011241",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b76de4a5-9b92-48ab-84c9-5001faa3af09",
            "value": "57763752"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1739011241",
            "to_ids": true,
            "type": "vhash",
            "uuid": "1c0ce245-9e71-4b41-95c6-9171ae78eed9",
            "value": "057046655d15619012z2c00bf7zd131z41z72z5603dz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1739011241",
            "to_ids": true,
            "type": "filename",
            "uuid": "4abb20e8-db37-49ac-b3f0-3350feba73d5",
            "value": "InstallShield Setup.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2025-02-08\nLast-scan: 2025-02-06",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1739011241",
            "to_ids": false,
            "type": "text",
            "uuid": "ba392fea-c6cc-485b-a51a-4be411b2805b",
            "value": "Type Description: Win32 EXE\nSymantec: Backdoor.Shadowpad\nMicrosoft: Trojan:Win32/Occamy.AA\nSentinelOne: None\nVT Total Detection:36/70"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1739015841",
        "uuid": "cd696ab6-cb35-4012-98ea-2bdb1f963835",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1739015841",
            "to_ids": true,
            "type": "md5",
            "uuid": "5441e3e4-3e03-4398-a483-553d3208b4a1",
            "value": "5c62cdf97b2caa60448619e36a5eb0b6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1739011572",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7ef464a6-a862-4606-87b6-395feebb8dfc",
            "value": "f7576bc246e4bf5e47f54ba957371c938fec122c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1739011572",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1a0e68fa-a665-4f5a-9501-29bdc301f6ab",
            "value": "60678e352f3c849e36413f5de51b5eeca1180840c818f9ece0a0da803eb205a5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1739011305",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "8bfeaf4f-dfc8-4f86-b678-41706f8d6209",
            "value": "3072:YxTHBVlC1y1sDUkHcHM5kvjDDMZEnEChBAO8nWXcAvWMv08mTnPd7YfhxBz2Dpxi:sT3lC1y1CUOM7L/oElP5XMGVf/ZCyF"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1739011305",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "cd3a0692-cea8-49f1-aafd-3d606b87e21f",
            "value": "309304"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1739011305",
            "to_ids": true,
            "type": "vhash",
            "uuid": "cd80eda8-d8cc-44cc-8b08-bd1156ab11ba",
            "value": "135066657d1515551az3d&z51b"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1739011305",
            "to_ids": true,
            "type": "filename",
            "uuid": "0f76421b-07f9-4430-bb14-eae1ca8b95e0",
            "value": "Wbemcomn.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 2025-02-08\nLast-scan: 2025-02-07",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1739011305",
            "to_ids": false,
            "type": "text",
            "uuid": "cfd40c85-f479-4d9a-bd25-ae452111c709",
            "value": "Type Description: Win32 DLL\nSymantec: Trojan.Gen.2\nMicrosoft: None\nSentinelOne: None\nVT Total Detection:47/71"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1739015862",
        "uuid": "1b59a3a6-0f2f-441f-8f53-5851e9f0c9d8",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1739015862",
            "to_ids": true,
            "type": "md5",
            "uuid": "0d24570e-1baf-427e-a044-2d47e7d26b2d",
            "value": "704fb67dffe4d1dce8f22e56096893be",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1739011574",
            "to_ids": true,
            "type": "sha1",
            "uuid": "07ff9db6-8f7e-465d-a423-1c289d47e2a5",
            "value": "88e345cd7b63dcc6f9559de4208d8832835ca6a3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1739011574",
            "to_ids": true,
            "type": "sha256",
            "uuid": "34aeeac9-b2bd-4db8-b84f-da820ea79d5c",
            "value": "79c2c656eac34f628406855c9fafe36161ac423c071d9b20b64f4f511c9ec241",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1739011326",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "3fd18fa5-21da-4338-bee0-1fc795f21a31",
            "value": "24576:1uDXTIGaPhEYzUzA0nR8mtaeslFAqDav+n09I1jF5M1JwMB:IDjlabwz9IlvuvSK8jFG1JR"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1739011326",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "305711dd-e947-430b-9fb7-55f6602029c6",
            "value": "1317751"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1739011326",
            "to_ids": true,
            "type": "vhash",
            "uuid": "a84234e4-29ae-44d9-a083-53601f10c37b",
            "value": "016086655d155d1515155az939z3tz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1739011326",
            "to_ids": true,
            "type": "filename",
            "uuid": "decbe043-e60c-4f77-93ca-62b67e92b823",
            "value": "Food and Agriculture Organization of the United Nations.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2025-02-08\nLast-scan: 2025-02-06",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1739011326",
            "to_ids": false,
            "type": "text",
            "uuid": "34688784-652b-4075-a5fc-68cd78bc246a",
            "value": "Type Description: Win32 EXE\nSymantec: Trojan Horse\nMicrosoft: Trojan:Win64/Malgent!MSR\nSentinelOne: None\nVT Total Detection:43/71"
          }
        ]
      }
    ]
  }
}