{
  "Event": {
    "analysis": "2",
    "date": "2023-04-26",
    "extends_uuid": "",
    "info": "[Threat Intel] Evasive Panda APT group delivers malware via updates for popular Chinese software",
    "protected": false,
    "publish_timestamp": "1780040141",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1780040141",
    "uuid": "9b6cede7-8d6c-4aca-8e41-356e8b4f16f5",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#8675c7",
        "local": false,
        "name": "misp-galaxy:producer=\"ESET\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"Evasive Panda\"",
        "relationship_type": ""
      },
      {
        "colour": "#52d590",
        "local": false,
        "name": "misp-galaxy:target-information=\"China\"",
        "relationship_type": ""
      },
      {
        "colour": "#e459c3",
        "local": false,
        "name": "misp-galaxy:target-information=\"Hong Kong\"",
        "relationship_type": ""
      },
      {
        "colour": "#013748",
        "local": false,
        "name": "misp-galaxy:target-information=\"India\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Macau\"",
        "relationship_type": ""
      },
      {
        "colour": "#915448",
        "local": false,
        "name": "misp-galaxy:target-information=\"Malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#b03f2c",
        "local": false,
        "name": "misp-galaxy:target-information=\"Myanmar\"",
        "relationship_type": ""
      },
      {
        "colour": "#bedb1f",
        "local": false,
        "name": "misp-galaxy:target-information=\"Nigeria\"",
        "relationship_type": ""
      },
      {
        "colour": "#fa487c",
        "local": false,
        "name": "misp-galaxy:target-information=\"Philippines\"",
        "relationship_type": ""
      },
      {
        "colour": "#2613b0",
        "local": false,
        "name": "misp-galaxy:target-information=\"Taiwan\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b8479",
        "local": false,
        "name": "misp-galaxy:target-information=\"Vietnam\"",
        "relationship_type": ""
      },
      {
        "colour": "#c55f42",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Archive via Library - T1560.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#8b05c0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Audio Capture - T1123\"",
        "relationship_type": ""
      },
      {
        "colour": "#3909cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Automated Collection - T1119\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Bypass User Account Control - T1548.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#9dc839",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Clipboard Data - T1115\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Web Browsers - T1555.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Removable Media - T1025\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#72ee33",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Local Data Staging - T1074.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c8fe6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Local Email Collection - T1114.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malware - T1587.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#bf01b7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"",
        "relationship_type": ""
      },
      {
        "colour": "#f5a258",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"",
        "relationship_type": ""
      },
      {
        "colour": "#e12cbc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Non-Application Layer Protocol - T1095\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Portable Executable Injection - T1055.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ee8d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Server - T1583.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Service Execution - T1569.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal Web Session Cookie - T1539\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#9f6bd9",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"",
        "relationship_type": ""
      },
      {
        "colour": "#02475d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#5c57c8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Service - T1543.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd2e44",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740785124",
        "to_ids": false,
        "type": "link",
        "uuid": "270dce2f-949c-4c20-9687-d73484fb2767",
        "value": "https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746834220",
        "to_ids": true,
        "type": "url",
        "uuid": "c3acd0ad-f5b4-4a16-a09c-d23af07960af",
        "value": "http://update.browser.qq.com/qmbs/QQ/QQUrlMgr_QQ88_4296.exe",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780040134",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "b959a331-b454-46c3-8cbf-d6a8b4d654fd",
        "value": "123.151.72.74",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#d6afb4",
            "local": false,
            "name": "asn:asn=\"58542\"",
            "relationship_type": ""
          },
          {
            "colour": "#4ddd88",
            "local": false,
            "name": "asn:as-owner=\"CHINATELECOM-TIANJIN Tianjij,300000\"",
            "relationship_type": ""
          },
          {
            "colour": "#9256df",
            "local": false,
            "name": "asn:as-country=\"CN\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"china\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780040136",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "4bf670e1-fb94-4209-8281-d6126886ed29",
        "value": "183.232.96.107",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#b1060d",
            "local": false,
            "name": "asn:asn=\"56040\"",
            "relationship_type": ""
          },
          {
            "colour": "#73b502",
            "local": false,
            "name": "asn:as-owner=\"CMNET-GUANGDONG-AP China Mobile communications corporation\"",
            "relationship_type": ""
          },
          {
            "colour": "#9256df",
            "local": false,
            "name": "asn:as-country=\"CN\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"china\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780040137",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "30b0e443-2eb8-4aed-a2b9-21e0497ef50e",
        "value": "61.129.7.35",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#907aeb",
            "local": false,
            "name": "asn:asn=\"4811\"",
            "relationship_type": ""
          },
          {
            "colour": "#4506e0",
            "local": false,
            "name": "asn:as-owner=\"CHINANET-SHANGHAI-MAN China Telecom Group\"",
            "relationship_type": ""
          },
          {
            "colour": "#9256df",
            "local": false,
            "name": "asn:as-country=\"CN\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"china\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "MgBot installer. No sample in VT.\r\nLast check: 09/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746793609",
        "to_ids": true,
        "type": "sha1",
        "uuid": "27e74bd3-29ae-4319-a9bb-e800634cc81d",
        "value": "65b03630e186d9b6adc663c313b44ca122ca2079",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "MgBot C&C server",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780040139",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "289fbc21-5580-4825-8140-e67384e67967",
        "value": "122.10.88.226",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#44ec52",
            "local": false,
            "name": "asn:asn=\"134548\"",
            "relationship_type": ""
          },
          {
            "colour": "#fce2d0",
            "local": false,
            "name": "asn:as-owner=\"DXTL-HK DXTL Tseung Kwan O Service\"",
            "relationship_type": ""
          },
          {
            "colour": "#fbf8fb",
            "local": false,
            "name": "asn:as-country=\"HK\"",
            "relationship_type": ""
          },
          {
            "colour": "#daa28c",
            "local": false,
            "name": "misp-galaxy:country=\"hong kong\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "MgBot C&C server",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780040141",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "52d60fdc-86c6-47b6-bde8-f7675d693f78",
        "value": "122.10.90.12",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#44ec52",
            "local": false,
            "name": "asn:asn=\"134548\"",
            "relationship_type": ""
          },
          {
            "colour": "#fce2d0",
            "local": false,
            "name": "asn:as-owner=\"DXTL-HK DXTL Tseung Kwan O Service\"",
            "relationship_type": ""
          },
          {
            "colour": "#fbf8fb",
            "local": false,
            "name": "asn:as-country=\"HK\"",
            "relationship_type": ""
          },
          {
            "colour": "#daa28c",
            "local": false,
            "name": "misp-galaxy:country=\"hong kong\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "hardcoded decryption key",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746832965",
        "to_ids": false,
        "type": "text",
        "uuid": "656b9f97-0f86-4b9d-86bc-6e40463a7bd8",
        "value": "3+&7k!I~F,@#y$^d"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746834346",
        "uuid": "b0fc208b-9d55-40f4-b6eb-794d5d24e6b5",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "MgBot information stealer plugin",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746834346",
            "to_ids": true,
            "type": "md5",
            "uuid": "eeed4ed4-14f5-4b66-b858-73e678e595b7",
            "value": "011f7a50fd410bfa0666f1150b2c3351",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "MgBot information stealer plugin",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746792438",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7a822661-7f0b-4779-99a1-ccb807dee5e3",
            "value": "10fb52e4a3d5d6bda0d22bb7c962bde95b8da3dd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "MgBot information stealer plugin",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746792438",
            "to_ids": true,
            "type": "sha256",
            "uuid": "36bbff2a-3395-47a1-a491-22eb9d651367",
            "value": "c55dc6adb0f8faa94650d379814c568ca55db3d50f8fb8c5b075a21955f76daf",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746792437",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "58d7d659-c844-403f-9e77-fc4698a9a1da",
            "value": "24576:Hq0Q7fO8Xt/kRlhmxIhwUxf2obW+yjDeFV8XNFQTFje5L:6O8Xta+xILxf2xj7j1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746792437",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b156df52-facd-4d92-9e70-7b0d3ab45077",
            "value": "1257984"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746792437",
            "to_ids": true,
            "type": "vhash",
            "uuid": "a659a4d6-924c-4d3d-926a-5482a9291953",
            "value": "116056657d55556az79?z4"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746792437",
            "to_ids": true,
            "type": "filename",
            "uuid": "6c088837-502e-44ff-b6ec-99763645fc91",
            "value": "wcdbcrk.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast-scan: 22/04/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746792437",
            "to_ids": false,
            "type": "text",
            "uuid": "2bd93451-9a87-4efa-a615-3e53d2082ece",
            "value": "MgBot information stealer plugin\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Casdet!rfn\nVT Total Detection: 41/72\nFirst Submission: 2023-07-26T06:25:22.000000+00:00\nLast Submission: 2025-04-28T17:23:31.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746834367",
        "uuid": "2b29981b-a871-4129-8da6-9216434cd823",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "MgBot file stealer plugin",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746834367",
            "to_ids": true,
            "type": "md5",
            "uuid": "d8eca9a0-5f6d-4d3d-82e9-417e6d3aaf89",
            "value": "13546e9d36effa74f971d90687b60ea6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "MgBot file stealer plugin",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746792459",
            "to_ids": true,
            "type": "sha1",
            "uuid": "422a25fd-4d6d-450e-9a51-6872298b785c",
            "value": "e5214ab93b3a1fc3993ef2b4ad04dfcc5400d5e2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "MgBot file stealer plugin",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746792459",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f7a10253-c108-4b96-9b20-fc23f944fb02",
            "value": "eb540cf9833ab8bd901b48ef258c0e14eb91fb3118fa967a40cd64d8ab417fa9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746792459",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e0c98588-0b3c-4de7-8679-c493c098be38",
            "value": "6144:6MuNC9o1dipV+k0OW2pXzjlpuoJpVAOhDGy:6Muh1dipV+vOWyTuoJpVj6y"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746792459",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "c3fa40de-34b7-4702-abb2-91fbcaf9317e",
            "value": "256000"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746792459",
            "to_ids": true,
            "type": "vhash",
            "uuid": "46642ea5-cfc9-471a-a8f6-a06c18abff31",
            "value": "125056655d15556038z5bhz1061z1ez4"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746792459",
            "to_ids": true,
            "type": "filename",
            "uuid": "099db150-0f25-4a30-bdcd-ff0e9011dc4d",
            "value": "eb540cf9833ab8bd901b48ef258c0e14eb91fb3118fa967a40cd64d8ab417fa9.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast-scan: 17/04/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746792459",
            "to_ids": false,
            "type": "text",
            "uuid": "6cb1ecbf-313b-475a-90c9-d2cdf856992a",
            "value": "MgBot file stealer plugin\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Malgent!MSR\nVT Total Detection: 49/72\nFirst Submission: 2023-05-03T01:00:33.000000+00:00\nLast Submission: 2024-06-04T16:01:21.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746834388",
        "uuid": "962da983-33ae-4efd-b5f7-6100df9b2772",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "MgBot keylogger plugin",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746834388",
            "to_ids": true,
            "type": "md5",
            "uuid": "06cb3fce-8afd-499e-99cb-6d078eedd7ac",
            "value": "d7a70062736c8d34823cfb835cf5c34c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "MgBot keylogger plugin",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746792480",
            "to_ids": true,
            "type": "sha1",
            "uuid": "72b3ef93-1e4e-49ed-a6a5-a99ca762ec07",
            "value": "d60ee17418cc4202bb57909bec69a76bd318eeb4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "MgBot keylogger plugin",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746792480",
            "to_ids": true,
            "type": "sha256",
            "uuid": "d361af80-324d-4d0a-aeb6-4271b3e328ef",
            "value": "81044813cf55c2398d7e2179e75c06ed8bcbcfc0328f9e0e2cc0b67e2e3d2e4a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746792480",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c1dfd72d-9e23-4cf4-896d-2c5ed90663bc",
            "value": "1536:u2RBGNq2mU6XdBi5R9IplS0vfSKLt1XWzZ+Tfj:uKgcUEidolS0v0l+Tfj"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746792480",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "00ad72e3-eebf-4534-9aa2-e26083c4fd5b",
            "value": "82432"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746792480",
            "to_ids": true,
            "type": "vhash",
            "uuid": "4f7dd1e1-3058-428a-9cf0-55bfbfbd5c03",
            "value": "184056655d15551az57hz1061zeez2"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast-scan: 06/05/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746792480",
            "to_ids": false,
            "type": "text",
            "uuid": "fd777637-7b04-4b91-a452-d7ee164a3020",
            "value": "MgBot keylogger plugin\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Wacatac.B!ml\nVT Total Detection:41/72\nFirst Submission:2025-04-28T00:02:15.000000+00:00\nLast Submission:2025-04-28T00:02:15.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746834410",
        "uuid": "36583e53-0f40-44e3-b0e1-6fa7cf331ffe",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "MgBot cookie stealer plugin",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746834410",
            "to_ids": true,
            "type": "md5",
            "uuid": "8128ce51-844b-4198-9734-cc71f4c44e7f",
            "value": "b2a36442e68848944365d3d1b8b7554a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "MgBot cookie stealer plugin",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746792502",
            "to_ids": true,
            "type": "sha1",
            "uuid": "0fa03df2-ace1-4e2c-8c41-ad2c15044b63",
            "value": "2ac41ffcde6c8409153df22872d46cd259766903",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "MgBot cookie stealer plugin",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746792502",
            "to_ids": true,
            "type": "sha256",
            "uuid": "50f0bb36-3014-4b87-a71e-942b6a74d46a",
            "value": "62b72607762e6b67e5bb66a5febadda72ff4fce88f996861b978a58cd418eeb1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746792501",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "7ff603a0-e57a-420e-b478-76969631c323",
            "value": "98304:E/nDNY244LNeuTVggYdzSNJAb28AQ8+Y2q/vQHnUy6vdlhQO4wvmSx:UnjRg7WNJnQfY1iUtv7lvmq"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746792501",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "8b53dc64-cd01-47eb-9cab-a6b60a704e6e",
            "value": "6414336"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746792501",
            "to_ids": true,
            "type": "vhash",
            "uuid": "15dd4ea5-3a19-4013-8c65-93fd8e4b53b1",
            "value": "166076657d551d15556013z12zab9z15z2071z2ez4"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746792501",
            "to_ids": true,
            "type": "filename",
            "uuid": "ad3d7e2a-1906-43f4-8662-d3279fec1ece",
            "value": "b2a36442e68848944365d3d1b8b7554a.virus"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast-scan\t:  16/11/2024",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746792501",
            "to_ids": false,
            "type": "text",
            "uuid": "6a3ba5ba-6e95-4270-96fa-179030267ce8",
            "value": "MgBot cookie stealer plugin\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Wacatac.B!ml\nVT Total Detection:44/73\nFirst Submission:2024-03-21T17:40:41.000000+00:00\nLast Submission:2024-03-21T17:40:41.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746834431",
        "uuid": "d2cce8c1-dfb5-4b0f-8e7c-234c3408d128",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "MgBot information stealer plugin",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746834431",
            "to_ids": true,
            "type": "md5",
            "uuid": "0729d660-cdbb-4fe0-8ed0-149d81f76e5a",
            "value": "889a7ae42fb44390ab99af071dd3d6b0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "MgBot information stealer plugin",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746792523",
            "to_ids": true,
            "type": "sha1",
            "uuid": "29bd7e95-ddeb-4167-b9fa-ca4dcec57a0b",
            "value": "0781a2b6eb656d110a3a8f60e8bce9d407e4c4ff",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "MgBot information stealer plugin",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746792523",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a82111e9-4e1e-436e-aa6e-72d27ae3b7a5",
            "value": "ee6a3331c6b8f3f955def71a6c7c97bf86ddf4ce3e75a63ea4e9cd6e20701024",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746792522",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "8e722ca9-d4b6-480e-9e2b-43879edbe7dc",
            "value": "3072:5hukT8QowKlpMGTxfZBxGEHZXNu2Rh/DwwcyZgnk8MjATHVCGJkFNcLa:5hukiwKlDTTjGEtdDDbceATHorF2La"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746792522",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "78ba973a-004e-49a2-9484-0fb96222265b",
            "value": "204288"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746792522",
            "to_ids": true,
            "type": "vhash",
            "uuid": "7ec3aa58-04f4-4988-a3f1-e981e943cfc6",
            "value": "125056655d55555058z757z31z13z1021z303cz5"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746792522",
            "to_ids": true,
            "type": "filename",
            "uuid": "55fc8a0e-8efa-4c41-be4c-0eb25bcfecff",
            "value": "qmsdp.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast-scan\t:  22/04/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746792522",
            "to_ids": false,
            "type": "text",
            "uuid": "0df846b4-d1c7-45c1-8713-6ab1e3681889",
            "value": "MgBot information stealer plugin\r\nType Description: Win32 DLL\nMicrosoft: TrojanDownloader:Win32/Tnega!MSR\nVT Total Detection:55/72\nFirst Submission:2022-03-26T21:06:09.000000+00:00\nLast Submission:2025-04-30T01:50:45.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746834452",
        "uuid": "be3ae7ca-c596-404a-ae81-2d2ab607ecb8",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "MgBot audio capture plugin",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746834452",
            "to_ids": true,
            "type": "md5",
            "uuid": "a9ff0fd9-8add-4afd-a170-d31dff045ba7",
            "value": "07df8d223f8a370cd703d177d7e93a36",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "MgBot audio capture plugin",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746792544",
            "to_ids": true,
            "type": "sha1",
            "uuid": "c91e8592-77f1-4c36-b178-3282d24d917e",
            "value": "9d1ecbbe8637fed0d89fca1af35ea821277ad2e8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "MgBot audio capture plugin",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746792544",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4e819af4-0ace-4c09-865f-7d73e2bd870a",
            "value": "2c0cfe2f4f1e7539b4700e1205411ec084cbc574f9e4710ecd4733fbf0f8a7dc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746792544",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "24875f1e-763d-469c-b7d3-a069c7a5127f",
            "value": "3072:FvuyK6OvtzzjymM0EAA8QYgfVtuUUDH9A6PvMg6H8D/XR8:Fw6eLy+tAzruUUDH9A6XXR8"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746792544",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "148ef9c2-667e-4437-a64f-71547113ae83",
            "value": "124416"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746792544",
            "to_ids": true,
            "type": "vhash",
            "uuid": "c1619fd3-0b20-48c6-9c25-c8925b12f6c2",
            "value": "115056655d15556az647z47z1071z1ez2"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746792544",
            "to_ids": true,
            "type": "filename",
            "uuid": "6f5e9bf7-4fe1-481c-8440-ed25ac992580",
            "value": "pRsm.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast-scan\t:  09/05/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746792544",
            "to_ids": false,
            "type": "text",
            "uuid": "0163eb02-c66e-4c43-8a57-6b96cde36519",
            "value": "MgBot audio capture plugin\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Agent.VFT\nVT Total Detection:52/72\nFirst Submission:2023-04-18T01:11:51.000000+00:00\nLast Submission:2025-05-07T19:59:34.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746834473",
        "uuid": "7e25b0af-7b9c-4b31-b47a-232388a0974e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "MgBot clipboard text capture plugin",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746834473",
            "to_ids": true,
            "type": "md5",
            "uuid": "671c634a-ba92-4b99-b3da-6290ae562261",
            "value": "ae5d92ef69074050a822f6669fe267b6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "MgBot clipboard text capture plugin",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746792565",
            "to_ids": true,
            "type": "sha1",
            "uuid": "f01f375e-d414-4372-b3c5-eb9d1a853df9",
            "value": "22532a8c8594cd8a3294e68ceb56accf37a613b3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "MgBot clipboard text capture plugin",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746792565",
            "to_ids": true,
            "type": "sha256",
            "uuid": "897eefcb-ef4e-4c15-ab69-2c0fa848b4cc",
            "value": "d9eec27bf827669cf13bfdb7be3fdb0fdf05a26d5b74adecaf2f0a48105ae934",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746792565",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d129f00c-00c4-4b66-95f0-ec03bb2732cc",
            "value": "3072:8reVv9GIsJyLEjpUmLgAP3OY3UyloycT28SaPKeZVzZdZ6sAF:8G9PsJYupUcJr9l3sKe/Z7A"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746792565",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4ecc5d46-37a0-49bd-94cf-210743e34e71",
            "value": "160768"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746792565",
            "to_ids": true,
            "type": "vhash",
            "uuid": "43a2a83a-4a37-43d7-91ce-c4436efd4bc3",
            "value": "115056655d15556048z5chz1021z4ez2"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746792565",
            "to_ids": true,
            "type": "filename",
            "uuid": "8594bbcd-a504-4d4d-b14a-999d424aa9ac",
            "value": "cbmrpa.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast-scan\t:  29/04/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746792565",
            "to_ids": false,
            "type": "text",
            "uuid": "b8c9aa80-7b85-4ee1-b4a6-3fde90a57858",
            "value": "MgBot clipboard text capture plugin\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Casdet!rfn\nVT Total Detection:50/72\nFirst Submission:2023-04-14T09:10:33.000000+00:00\nLast Submission:2025-05-04T04:11:41.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746834494",
        "uuid": "3872ccf6-8bd5-4193-aa54-9e781e935810",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "MgBot credential stealer plugin",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746834494",
            "to_ids": true,
            "type": "md5",
            "uuid": "760e23b5-499f-4c0d-bbe6-e7dd54321ad1",
            "value": "f553ea019b79742eabcbacd387231623",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "MgBot credential stealer plugin",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746792586",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e291e9ec-42aa-47ee-a736-8f5c079fd48d",
            "value": "970babe49945b98efada72b2314b25a008f75843",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "MgBot credential stealer plugin",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746792586",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4cd0bc1a-152b-46b4-8ef7-93a171d5d53c",
            "value": "174a62201c7e2af67b7ad37bf7935f064a379f169cf257ca16e912a46ecc9841",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746792586",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "74dd7a03-4b62-4653-b5cb-02e22bc9c2a4",
            "value": "49152:MNk0f0TEwRoYAxBI6mPPusyr32BrqhrQqsXhqdDsvlVSGkItBaL:H0f0wwO4us9WFQqsOovlVSUt"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746792586",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b480a1b8-8a2c-4f63-bb49-9b8ed8b63b1d",
            "value": "2051584"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746792586",
            "to_ids": true,
            "type": "vhash",
            "uuid": "107e19d1-8ef3-4307-9250-f2276173afdf",
            "value": "126056657d655560b3z12za17z47z1091z2ez9"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746792586",
            "to_ids": true,
            "type": "filename",
            "uuid": "daebafae-0e81-4f75-a7bb-57258e754bdb",
            "value": "cred-stealer"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast-scan\t:  17/04/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746792586",
            "to_ids": false,
            "type": "text",
            "uuid": "ceeefa5c-1c60-4c4d-a180-b80cd9b77e08",
            "value": "MgBot credential stealer plugin\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Malgent!MSR\nVT Total Detection:52/72\nFirst Submission:2022-03-26T10:37:03.000000+00:00\nLast Submission:2023-10-01T16:01:54.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746834515",
        "uuid": "4194cb11-e224-4158-a6ec-adefc3e6a689",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "MgBot credential stealer plugin",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746834515",
            "to_ids": true,
            "type": "md5",
            "uuid": "d5b924a5-6dc1-4e0f-b316-089edc52bbb7",
            "value": "cc6e4be68c511637a5727a2cc02c1161",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "MgBot credential stealer plugin",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746792608",
            "to_ids": true,
            "type": "sha1",
            "uuid": "bd59e100-db08-417c-a729-c61198fd50af",
            "value": "8a98a023164b50dec5126eda270d394e06a144ff",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "MgBot credential stealer plugin",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746792608",
            "to_ids": true,
            "type": "sha256",
            "uuid": "fb3135ed-7b94-434e-9ff7-5267c4cbb814",
            "value": "cb7d9feda7d8ebfba93ec428d5a8a4382bf58e5a70e4b51eb1938d2691d5d4a5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746792607",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "b48cb914-4055-4103-8cb0-8ee9c7827928",
            "value": "3072:GmG3vRTlVD33IcznhZKtu3vkRPJv6qN4hLW3X:LG3vnJ4YZ2u3vkRhCi3X"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746792607",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "e22d5043-13c6-453f-8312-551f45e7dede",
            "value": "108544"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746792607",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d94f2b77-5326-447f-906a-c5d933b460a1",
            "value": "115056655d15556043z12z4cjz50011ez4"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746792607",
            "to_ids": true,
            "type": "filename",
            "uuid": "0e0f3a4e-8047-4e53-b12c-4611fbb2f058",
            "value": "maillfpassword.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast-scan\t:  06/05/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746792607",
            "to_ids": false,
            "type": "text",
            "uuid": "bae85039-fccf-48e2-98a8-09c6ba123083",
            "value": "MgBot credential stealer plugin\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Malgent!MSR\nVT Total Detection:48/72\nFirst Submission:2023-07-21T17:24:47.000000+00:00\nLast Submission:2025-04-28T17:17:12.000000+00:00"
          }
        ]
      }
    ]
  }
}