{
  "Event": {
    "analysis": "2",
    "date": "2020-10-15",
    "extends_uuid": "",
    "info": "[Threat Intel] IAmTheKing and the SlothfulMedia malware family",
    "protected": false,
    "publish_timestamp": "1780039920",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1772901996",
    "uuid": "a0553f5e-cf74-4193-a83c-ab30e3891287",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#1ebce4",
        "local": false,
        "name": "misp-galaxy:producer=\"Kaspersky\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"SlothfulMedia\"",
        "relationship_type": ""
      },
      {
        "colour": "#915448",
        "local": false,
        "name": "misp-galaxy:target-information=\"Malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#e4d611",
        "local": false,
        "name": "misp-galaxy:target-information=\"Ukraine\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"LaZagne\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"MimiKatz\"",
        "relationship_type": ""
      },
      {
        "colour": "#15cd0b",
        "local": false,
        "name": "misp-galaxy:target-information=\"Russia\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:region=\"143 - Central Asia\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:region=\"151 - Eastern Europe\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Defense\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Government, Administration\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd2e44",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#3500ca",
        "local": false,
        "name": "rectifyq:detection-rules=\"yara-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#220082",
        "local": false,
        "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1740522589",
        "to_ids": false,
        "type": "link",
        "uuid": "11b5caf1-daaa-41b4-974a-3151d5be40c3",
        "value": "https://securelist.com/iamtheking-and-the-slothfulmedia-malware-family/99000/"
      },
      {
        "category": "Payload delivery",
        "comment": "JackOfHearts: no sample in VT\r\nLast check: 09/05/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746789997",
        "to_ids": true,
        "type": "md5",
        "uuid": "9f3dc5c6-6cb7-4afd-bda7-019cdf144454",
        "value": "97c6cfa181c849eb87759518e200872f",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "6",
        "timestamp": "1740522687",
        "uuid": "d0d5bd81-7d98-4858-9ce3-58d93519eeba",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1740522687",
            "to_ids": false,
            "type": "comment",
            "uuid": "6e4016ed-d73e-4ebf-981c-88beb6a1940d",
            "value": "Matches IAmTheKing's KingOfHearts C++ implant"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1740522687",
            "to_ids": true,
            "type": "yara",
            "uuid": "e3d3ae84-50c9-4a95-a394-2ac286ac0092",
            "value": "rule apt_IAmTheKing_KingOfHearts {\r\n  meta:\r\n    description = \"Matches IAmTheKing's KingOfHearts C++ implant\"\r\n    author = \"Kaspersky Lab\"\r\n    copyright = \"Kaspersky Lab\"\r\n    version = \"1.0\"\r\n    type = \"APT\"\r\n    filetype = \"PE\"\r\n    last_modified = \"2020-01-20\"\r\n  strings:\r\n    $payload_fmt = \"cookie=%s;type=%s;length=%s;realdata=%send\" ascii\r\n    $cmd1 = \"HEART\" ascii\r\n    $cmd2 = \"CMDINFO\" ascii\r\n    $cmd3 = \"PROCESSINFO\" ascii\r\n    $cmd4 = \"LISTDRIVE\" ascii\r\n    $cmd5 = \"LISTFILE\" ascii\r\n    $cmd6 = \"DOWNLOAD\" ascii\r\n  condition:\r\n    uint16(0) == 0x5A4D and filesize < 1MB and\r\n    ($payload_fmt or all of ($cmd*))\r\n}"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1740522687",
            "to_ids": false,
            "type": "text",
            "uuid": "e6bbe592-a73a-468c-a5f3-329a5f13cafc",
            "value": "apt_IAmTheKing_KingOfHearts"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "6",
        "timestamp": "1740522710",
        "uuid": "0f19c33c-0b3f-43ca-bcea-823002e3bb38",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1740522710",
            "to_ids": false,
            "type": "comment",
            "uuid": "3cb37e0c-b145-4ab8-b974-8bac71256b0d",
            "value": "Matches IAmTheKing's KingOfHearts JSON C++ implant"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1740522710",
            "to_ids": true,
            "type": "yara",
            "uuid": "3da8bcf0-3059-4254-a3e2-8cc653abe556",
            "value": "rule apt_IAmTheKing_KingOfHearts_json {\r\n  meta:\r\n \r\n    description = \"Matches IAmTheKing's KingOfHearts JSON C++ implant\"\r\n    author = \"Kaspersky Lab\"\r\n    copyright = \"Kaspersky Lab\"\r\n    version = \"1.0\"\r\n    type = \"APT\"\r\n  filetype = \"PE\"\r\n    last_modified = \"2020-01-20\"\r\n  strings:\r\n    $user_agent = \"Mozilla/4.0 (compatible; )\" ascii\r\n    $error = \"write info fail!!! GetLastError-->%u\" ascii\r\n    $multipart = \"Content-Type: multipart/form-data; boundary=--MULTI-PARTS-FORM-DATA-BOUNDARY\\x0D\\x0A\" ascii\r\n  condition:\r\n    uint16(0) == 0x5A4D and filesize < 1MB and all of them\r\n}"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1740522710",
            "to_ids": false,
            "type": "text",
            "uuid": "b0f3f686-bf24-493e-87ac-d152013db577",
            "value": "apt_IAmTheKing_KingOfHearts_json"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "6",
        "timestamp": "1740522729",
        "uuid": "8c32f770-ca6c-4e05-998c-261e002e7988",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1740522729",
            "to_ids": false,
            "type": "comment",
            "uuid": "09162ccf-c662-49bf-9e90-14a6aed1aa95",
            "value": "Find IAmTheKing's QueenOfHearts 2020 variants"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1740522729",
            "to_ids": true,
            "type": "yara",
            "uuid": "06a318e2-31d0-4985-8d73-c138401b377e",
            "value": "rule apt_IAmTheKing_QueenOfHearts_2020 {\r\n  meta:\r\n    author = \"Kaspersky\"\r\n    copyright = \"Kaspersky\"\r\n    version = \"1.0\"\r\n    type = \"APT\"\r\n    filetype = \"PE\"\r\n    description = \"Find IAmTheKing's QueenOfHearts 2020 variants\"\r\n    last_modified = \"2020-09-29\"\r\n  strings:\r\n    $s1 = \"www.yahoo.com\" fullword wide\r\n    $s2 = \"8AAAAHicJY9HDsIwFAXnMmQHIsGULKKIUPZwA0SNqCEIcXwGI+vL781vdknNjR17PvQ48eLKhZKGlsJMwoE7T2nBipSKNQtpy0PSlSSqRr0j1208WVRprNqa6Vs3ju6s\" ascii\r\n    $s3 = \"kgAAAHicHYy7DoJAEEXPp2xMKJVEehoKSwsLSqMLCRh5BDTK33vWTHbuzpk7NzLQEMiJ9pmJDy0LK536tA7q1xfYcVJf7Km96jlz5yGJsiCtdN+8XJ1q9yMFR67ySf/M\" ascii\r\n    $s4 = \"2gAAAHicHY/JDoJAEAXrZ+SmEUSUAyEueNc/MOBCVFwwxs+3nEw6/V71lilp6Wg48GXEmTc3rpQ86SmsRBy585IWbIlZsqOS9jwkQ0mkeqobct3elwQVh67ayti+WXAX\" ascii\r\n    $s5 = \"MyScreen.jpg\" fullword wide\r\n    $s6 = \"begin mainthread\" fullword wide\r\n    $s7 = \"begin mainthread ok\" fullword wide\r\n    $s8 = \"getcommand error\" fullword wide\r\n    $s9 = \"querycode error\" fullword wide\r\n    $s10 = \"{'session':[{'name':'admin_001','id':21,'time':12836123}],'jpg':\" fullword ascii\r\n    $s11 = \"cookie size :%d\" fullword wide\r\n    $s12 = \"send request error:%d\" fullword wide\r\n    $s13 = \"AABBCCDDEEFFGGHH\" fullword wide\r\n    $s14 = \" inflate 1.2.8 Copyright 1995-2013 Mark Adler \" fullword ascii\r\n    $s15 = \" Type Descriptor'\" fullword ascii\r\n    $s16 = \" constructor or from DllMain.\" fullword ascii\r\n    $s17 = \" Base Class Descriptor at (\" fullword ascii\r\n    $ex = \"ping 127.0.0.1\" ascii fullword\r\n  condition:\r\n    ( uint16(0) == 0x5A4D ) and \r\n    ( filesize > 70KB and filesize < 3MB ) and \r\n    ( 12 of them ) and\r\n    ( not $ex )\r\n}"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1740522729",
            "to_ids": false,
            "type": "text",
            "uuid": "4ebabf55-754c-4c51-bcb0-8c18ac590062",
            "value": "apt_IAmTheKing_QueenOfHearts_2020"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1747981388",
        "uuid": "b73c5424-dea4-446f-902c-5c89c468f623",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "KingOfHearts (urlencode variant)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1747981388",
            "to_ids": true,
            "type": "md5",
            "uuid": "dd31597e-55b3-4485-891b-afc4f094e959",
            "value": "00e415e72a4fc4c8634d4d3815683ce8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "KingOfHearts (urlencode variant)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746746442",
            "to_ids": true,
            "type": "sha1",
            "uuid": "9e4bf53f-b183-4915-af65-2ae447deb0c7",
            "value": "7bb8125433e69b0c0722a17ddee54b144e34fe1d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "KingOfHearts (urlencode variant)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746746442",
            "to_ids": true,
            "type": "sha256",
            "uuid": "7538d23c-f159-4c9e-a17f-75e458068e57",
            "value": "6c9a40572d66c58abe6c1baf33e27a19f5493c3b74a03d35a62d5e8062948a86",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746746442",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e58c5f21-d71b-46f8-8d72-e5b0dc287ca9",
            "value": "1536:rjRgTsv7S+8Q6Z1E7o3ZT9w2wRVqDR1HYLo:6ADSvZ1E8Vwb8R1HGo"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746746442",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "980169cc-d9cf-47c9-a6d9-4a12c57c13b7",
            "value": "69632"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746746442",
            "to_ids": true,
            "type": "vhash",
            "uuid": "c33df77d-6b49-4fea-869e-bb8e1229467e",
            "value": "064036655d1038z52hz1bz87z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746746442",
            "to_ids": true,
            "type": "filename",
            "uuid": "d7826c0b-da79-4da6-bb92-577bfef42aa3",
            "value": "VirusShare_00e415e72a4fc4c8634d4d3815683ce8"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast scan: 09/03/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746746442",
            "to_ids": false,
            "type": "text",
            "uuid": "37e03ddb-bb56-415d-8cb2-4b0376ebe074",
            "value": "KingOfHearts (urlencode variant)\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Tiggre!rfn\nVT Total Detection:61/72\nFirst Submission:2017-08-22T12:40:57.000000+00:00\nLast Submission:2023-07-20T11:31:36.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1747981388",
        "uuid": "d21a8831-17da-47ed-ae38-b98ba58dcd3d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "KingOfHearts (JSON variant)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1747981388",
            "to_ids": true,
            "type": "md5",
            "uuid": "ec42ad06-e997-4f0f-a345-6b3871428470",
            "value": "4e2c2e82f076ad0b5d1f257706a5d579",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "KingOfHearts (JSON variant)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746746463",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7c73bec6-b113-461c-b2ed-661d9e2d791d",
            "value": "b8b7841a97e990f8e20665ca742415d328c0b392",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "KingOfHearts (JSON variant)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746746463",
            "to_ids": true,
            "type": "sha256",
            "uuid": "e49f8f58-533a-43d7-9748-72ff69dc9029",
            "value": "445102a3b23335779722f13a41a9b651061ab7148cead7eeb9ee3acca9d5bf0c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746746463",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e79c373e-d4d0-4e35-9525-3df701aeff60",
            "value": "6144:2aG+PB68XT4C2kYft9otftNywAGaxC3mjavsQAQ+O6es/y0BiCj:0eB6WTB2FjYtNywAGaM3KxVj"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746746463",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "c0979898-7dbe-49d1-ba6c-7345e3eb9060",
            "value": "464896"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746746463",
            "to_ids": true,
            "type": "vhash",
            "uuid": "7c3c38f5-df48-4b39-88da-9ef9be4674a5",
            "value": "045056655d155550a8z6b7z47z33z2030e1z67z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746746463",
            "to_ids": true,
            "type": "filename",
            "uuid": "2f5316cc-beda-43a6-a80c-a544b1d382fa",
            "value": "Copyright"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast scan: 19/03/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746746463",
            "to_ids": false,
            "type": "text",
            "uuid": "5415459c-ec74-4857-ae12-9fcfbb245b9e",
            "value": "KingOfHearts (JSON variant)\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Popool.B\nVT Total Detection:58/73\nFirst Submission:2018-09-04T23:28:49.000000+00:00\nLast Submission:2018-10-03T18:54:58.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1747981388",
        "uuid": "272caac8-9dcc-4b13-89ef-a558d44ccaf9",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "QueenOfHearts",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1747981388",
            "to_ids": true,
            "type": "md5",
            "uuid": "00b91309-a1e3-40e4-9868-01f269775e31",
            "value": "ab956623b3a6c2ac5b192e07b79cbb5b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "QueenOfHearts",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746746484",
            "to_ids": true,
            "type": "sha1",
            "uuid": "023f4a05-b148-420b-8696-30e13beec9fb",
            "value": "ae324efa7b2c04f19062de8d152d3bb83da8e763",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "QueenOfHearts",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746746485",
            "to_ids": true,
            "type": "sha256",
            "uuid": "671d80ee-8644-464e-9b0e-ca5de0ec7116",
            "value": "a63600e5c28a4c1770a53d310ff017abd3cb9c20cb58a85d53df0c06bcae1864",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746746484",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "2cb2b705-b8d8-4213-98cd-a69d39dab8b6",
            "value": "49152:fMTBmP65HrdNlBVRrkhcIns9lUtkRy9r+QNdaPkNd/JInAFidAeAqpzWTGZiK:4D5HrPlB3IhcIHtk01PNdaPMJIn4idAZ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746746484",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "71810fdb-214f-4ca7-a1f5-ce1ae2925a6d",
            "value": "1700864"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746746484",
            "to_ids": true,
            "type": "vhash",
            "uuid": "b5fbfe3f-e5b6-4f83-8415-68d7c8c203e2",
            "value": "016046655d1551e01010261za86z130a5z90600d8031z1057z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746746484",
            "to_ids": true,
            "type": "filename",
            "uuid": "d098c0a8-17de-4519-a223-816cde213518",
            "value": "a63600e5c28a4c1770a53d310ff017abd3cb9c20cb58a85d53df0c06bcae1864.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast scan: 31/03/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746746484",
            "to_ids": false,
            "type": "text",
            "uuid": "afbb876d-52a6-4e8a-91d7-8a7c3bd3a816",
            "value": "QueenOfHearts\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/CryptInject!MSR\nVT Total Detection:61/73\nFirst Submission:2020-01-31T01:28:42.000000+00:00\nLast Submission:2023-07-20T17:12:13.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1747981389",
        "uuid": "04f5122f-8f53-4f76-8bf9-78316b42114b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "QueenOfHearts",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1747981389",
            "to_ids": true,
            "type": "md5",
            "uuid": "e8bc1c45-ead8-4921-8930-3d9d90f78301",
            "value": "4bbd5869aa39f144faddad85b5eeca12",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "QueenOfHearts",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746746506",
            "to_ids": true,
            "type": "sha1",
            "uuid": "739f7fb3-6cfc-43e2-a781-abf48fc3d7eb",
            "value": "36f6a5012e664fd91fb187d15af7435c424918ce",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "QueenOfHearts",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746746506",
            "to_ids": true,
            "type": "sha256",
            "uuid": "ca6db2ef-fe27-4933-89a0-24c16c6ef2cf",
            "value": "f110ebee387c2dfac08beb674a8efec20940bc562c5231e9bb4a90296476c29f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746746505",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "411b1e1b-e1ac-4527-92ff-ebda228cb988",
            "value": "6144:PepOG12EtzjcgOzsB/sXn2ky24rzLFZv4ua2HcETB2LZVVBwpdE:P611OzsB/sX2ky24rzT4H2HcETULZ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746746505",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "82c2eb21-af90-40f2-984e-c0270bb152ab",
            "value": "313344"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746746505",
            "to_ids": true,
            "type": "vhash",
            "uuid": "b6a986af-a06d-4d4f-982d-5307a09e5e4c",
            "value": "035056655d15551163z217009az3013z1010050033z57z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746746505",
            "to_ids": true,
            "type": "filename",
            "uuid": "28a61457-46e5-4b8b-a4dd-92bf888ac82d",
            "value": "f110ebee387c2dfac08beb674a8efec20940bc562c5231e9bb4a90296476c29f.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast-scan\t:  15/04/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746746505",
            "to_ids": false,
            "type": "text",
            "uuid": "082ffed1-260b-471f-b45b-969ae423dde2",
            "value": "QueenOfHearts\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Popool!MSR\nVT Total Detection:59/72\nFirst Submission:2020-01-31T01:25:22.000000+00:00\nLast Submission:2023-07-20T18:12:57.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746979368",
        "uuid": "ed318382-4899-4d6f-884b-93cf0057e586",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "QueenOfHearts",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746979368",
            "to_ids": true,
            "type": "md5",
            "uuid": "bba3c543-6396-4dc9-8b15-f03580e10486",
            "value": "4076ddaf9555031b336b09ebab402b95",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "QueenOfHearts",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746746527",
            "to_ids": true,
            "type": "sha1",
            "uuid": "08089f50-d542-49ac-93a4-7034150bad46",
            "value": "6f862af62041a46a043ca6342bb3da5084b19b10",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "QueenOfHearts",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746746527",
            "to_ids": true,
            "type": "sha256",
            "uuid": "d5a01fa0-fb64-4856-b993-36cb4e00bdb4",
            "value": "301f5125ea24dc82022e2f9f59418523a19b0cefc5546345e1ae624c11add1cf",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746746527",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "97880168-76aa-4a23-8340-f0729631d78a",
            "value": "49152:fMTBmP65HrdNlBVRrkhcIns9lUtkRy9r+QNdaPkNd/JInAFidAeAqpzWTGZi5:4D5HrPlB3IhcIHtk01PNdaPMJIn4idAZ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746746527",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "d0129e19-ab15-44c2-b377-743469607571",
            "value": "1700864"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746746527",
            "to_ids": true,
            "type": "vhash",
            "uuid": "566f1686-6d65-45d8-a725-3c37ec1705f9",
            "value": "016046655d1551e01010261za86z130a5z90600d8031z1057z"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast-scan\t:  15/04/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746746527",
            "to_ids": false,
            "type": "text",
            "uuid": "bf38287e-6df8-443b-a26e-4efef22fc247",
            "value": "QueenOfHearts\r\nType Description: Win32 EXE\nMicrosoft: VirTool:MSIL/CryptInject\nVT Total Detection:59/72\nFirst Submission:2020-01-31T01:26:37.000000+00:00\nLast Submission:2020-01-31T01:26:37.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1747981389",
        "uuid": "8d63c463-2020-430a-bc6f-dcf5db53da30",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "QueenOfHearts",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1747981389",
            "to_ids": true,
            "type": "md5",
            "uuid": "1281e90f-cfa7-4181-977a-5bbb5dd4438f",
            "value": "096f7084d274166462d445a7686d1e5c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "QueenOfHearts",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746746548",
            "to_ids": true,
            "type": "sha1",
            "uuid": "5edde718-20ec-47f5-a9c4-678f85044960",
            "value": "946367e507b9c039558492f6721d059e2c477c67",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "QueenOfHearts",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746746548",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b0f8b1a7-0615-43c9-90dd-340e6662723f",
            "value": "8d4b46cefdfe68f3ad53b53d1d26f60d4361868554f50ccdd7f482e9d0c95ccf",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746746548",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "aefadcf5-bc6e-45be-a553-731202a50cdb",
            "value": "49152:fMTBmP65HrdNlBVRrkhcIns9lUtkRy9r+QNdaPkNd/JInAFidAeAqpzWTGZi6:4D5HrPlB3IhcIHtk01PNdaPMJIn4idAZ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746746548",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4bf0a291-dffe-40bf-8df2-55bf39f4bbbd",
            "value": "1700864"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746746548",
            "to_ids": true,
            "type": "vhash",
            "uuid": "2c1918fa-dee8-48d4-b0a4-c47de1168a8c",
            "value": "016046655d1551e01010261za86z130a5z90600d8031z1057z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746746548",
            "to_ids": true,
            "type": "filename",
            "uuid": "bab44c31-3790-430e-84d6-f639c242a9c3",
            "value": "8d4b46cefdfe68f3ad53b53d1d26f60d4361868554f50ccdd7f482e9d0c95ccf.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast-scan\t:  05/04/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746746548",
            "to_ids": false,
            "type": "text",
            "uuid": "e9d9d815-0fbe-4163-87de-b6b5babb6b4c",
            "value": "QueenOfHearts\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Casdet!rfn\nVT Total Detection:60/73\nFirst Submission:2019-08-15T01:55:56.000000+00:00\nLast Submission:2023-07-20T11:25:20.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1747981389",
        "uuid": "4d219a55-5459-4296-9bd0-f1566065c661",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "QueenOfClubs",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1747981389",
            "to_ids": true,
            "type": "md5",
            "uuid": "889ef63f-ca4b-4e84-801a-ca02853efe7b",
            "value": "29aa501447e6e20762893a24bfce05e9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "QueenOfClubs",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746746569",
            "to_ids": true,
            "type": "sha1",
            "uuid": "5724ec91-8e09-4c38-ad3d-e46bd0f24b32",
            "value": "1ad7eee85c8f1b360cdbcd0ef7c1aee48ee1462a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "QueenOfClubs",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746746570",
            "to_ids": true,
            "type": "sha256",
            "uuid": "92bc9f40-0e68-4889-a8dc-4f6b89d11e26",
            "value": "b0a1da4fc5526365df495094f65660d88487ce5e60192e5fb4075e815f9481d3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746746569",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "3731503e-ad6f-475c-9121-f171861dac58",
            "value": "1536:HxJjBbgQzWsS6rjdkRDgSnpxUkm12iSa8FDk/DXbdLaO5dEDH:RJjbzWsdjdGDvpyS9SDFaO5dA"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746746569",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "880535de-b6d4-42c4-a906-6a8ccfd6a4f2",
            "value": "116224"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746746569",
            "to_ids": true,
            "type": "vhash",
            "uuid": "633f19c6-355a-49ac-a4c0-2c20120f9185",
            "value": "015056655d15051115z6006e7z31z13z1011z50309bz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746746569",
            "to_ids": true,
            "type": "filename",
            "uuid": "a6987acb-584d-4bd8-a7ca-ccda07d050f4",
            "value": "b0a1da4fc5526365df495094f65660d88487ce5e60192e5fb4075e815f9481d3.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast-scan\t:  08/04/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746746569",
            "to_ids": false,
            "type": "text",
            "uuid": "bd9efc97-b037-4b37-b553-b6475f102c73",
            "value": "QueenOfClubs\r\nType Description: Win32 EXE\nMicrosoft: TrojanDownloader:Win32/Upatre.LQ!MTB\nVT Total Detection:60/73\nFirst Submission:2020-04-16T07:41:53.000000+00:00\nLast Submission:2020-10-21T15:20:02.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1747981389",
        "uuid": "518f208e-c355-4fc1-9784-3ebaa0094a9c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Screenshot capture utility",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1747981389",
            "to_ids": true,
            "type": "md5",
            "uuid": "df1cd82a-5b83-4f60-8fe5-6e73190114ce",
            "value": "7db4f1547d0e897ef6e6f01ecc484314",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Screenshot capture utility",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746746611",
            "to_ids": true,
            "type": "sha1",
            "uuid": "d4da310a-fcac-4906-beae-3c7bbf29d107",
            "value": "225f90a5a3fa3a308297abd007f76a750b875a5d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Screenshot capture utility",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746746611",
            "to_ids": true,
            "type": "sha256",
            "uuid": "ec856024-1d23-4d5c-8679-49c1ec6a8522",
            "value": "f441e6239b592ac15538a8ba8903e5874283b066050a5a7e514ce33e84237f4e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746746611",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "deca6428-d5dc-4cba-9605-62bb9f43d17e",
            "value": "192:0Ex7PKmJ9csnjK7T1Yz8UKTQbXdthBbzqiOy3l1efEgR4/3iFJUrOWqwfZpRpCK:1Msno+8U6aXbhOyV0fEN/SFcOWRtCK"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746746611",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a67d83d0-6558-4d01-a19b-108f94d69be8",
            "value": "15872"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746746611",
            "to_ids": true,
            "type": "vhash",
            "uuid": "6a70d84c-8c94-44a2-b719-d6c1a7da1637",
            "value": "014056655d155517zf001a7z2dz4az261z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746746611",
            "to_ids": true,
            "type": "filename",
            "uuid": "2c95d53b-6d59-452f-a0ee-ff2937d3f996",
            "value": "f441e6239b592ac15538a8ba8903e5874283b066050a5a7e514ce33e84237f4e.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast-scan\t:  02/04/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746746611",
            "to_ids": false,
            "type": "text",
            "uuid": "24877e24-ba17-4cbe-9542-3d9323499f20",
            "value": "Screenshot capture utility\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Casdet!rfn\nVT Total Detection:55/73\nFirst Submission:2019-10-04T14:49:44.000000+00:00\nLast Submission:2022-01-20T14:37:26.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746979452",
        "uuid": "99b88d1d-a987-4287-a8aa-1482e7cd552a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Malicious LNK",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746979452",
            "to_ids": true,
            "type": "md5",
            "uuid": "408c7475-10e8-4d82-bcb5-1c1e296cdb66",
            "value": "60d78b3e0d7ffe14a50485a19439209b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Malicious LNK",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746746633",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7c8c637d-d115-4849-9fd0-8e97c26ff592",
            "value": "bc975e4fb9ca2fb544e66036c70c322c3393022e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Malicious LNK",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746746633",
            "to_ids": true,
            "type": "sha256",
            "uuid": "320a94d1-e94d-49f2-ae38-9734a9c84666",
            "value": "4d99bcc5bf01b4e3763550fbae09ab65cd833422b7c7ba61cc1b3c79a8bc4e97",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746746632",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "1b08d4a0-d1d9-4191-b53f-aadeb48c7eec",
            "value": "48:8u8MGKltwlpFloh/ZQEglvOlP4terNY0mlcqN81HQoItvl5Kc:8lMGfoHQbawKY0m1N8yHMc"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746746632",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "08ca02ef-3055-430f-9c7a-85f5ca9ca708",
            "value": "3007"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746746632",
            "to_ids": true,
            "type": "vhash",
            "uuid": "78ac1079-f378-474d-9ef9-b1b3eaeabddb",
            "value": "31fda0e5914cef26e58e923041f7df43"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746746632",
            "to_ids": true,
            "type": "filename",
            "uuid": "2b09a23e-31e3-4669-81e0-c96d5f6405ac",
            "value": "4d99bcc5bf01b4e3763550fbae09ab65cd833422b7c7ba61cc1b3c79a8bc4e97.bin"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast-scan\t:  08/04/2022",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746746632",
            "to_ids": false,
            "type": "text",
            "uuid": "964ba673-3432-4546-9d21-67ca23470aed",
            "value": "Malicious LNK\r\nType Description: Windows shortcut\nMicrosoft: Trojan:PowerShell/Piychan.C\nVT Total Detection:32/60\nFirst Submission:2019-11-07T04:20:50.000000+00:00\nLast Submission:2020-10-19T07:15:16.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1746979473",
        "uuid": "9a5bdf81-7a6f-447a-a9b5-b0f3e5719381",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Keylogger",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1746979473",
            "to_ids": true,
            "type": "md5",
            "uuid": "1d2e4fe5-04a0-4b90-99d9-0b7b00d12687",
            "value": "90ef53d025e04335f1a71cb9aa6d6592",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Keylogger",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1746746654",
            "to_ids": true,
            "type": "sha1",
            "uuid": "5e17288f-6fa4-46b0-ad40-d1101b7e0599",
            "value": "7ae67b1fff354544e0d3ff150690e79c3691a227",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Keylogger",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1746746654",
            "to_ids": true,
            "type": "sha256",
            "uuid": "123355c3-827e-48ab-8b84-8417973549ed",
            "value": "4c6995cb65ffeac1272d296eb3273b9fbca7f4d603312a5085b5c3be96154915",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1746746654",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "121bf85e-8bbe-45d4-9f84-12e55737a73c",
            "value": "768:nRD042Ge2KrwX9N2mrBCl/RYLxte5Nc5V/pxrPhGXTy9q7qPU4cEDEXnmNteQj:RD04rz99HrBGSLxaN8V/ph5GXlGPsW"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1746746654",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "35758b13-31fb-4777-8659-c15af273bc08",
            "value": "60416"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1746746654",
            "to_ids": true,
            "type": "vhash",
            "uuid": "a3176b12-8815-456d-9c9e-6400c0ef9707",
            "value": "064046655d155az4anz9fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1746746654",
            "to_ids": true,
            "type": "filename",
            "uuid": "3b99c746-ca09-49b8-a4d4-1bb3529b7315",
            "value": "4c6995cb65ffeac1272d296eb3273b9fbca7f4d603312a5085b5c3be96154915.bin"
          },
          {
            "category": "Other",
            "comment": "Checked: 09/05/2025\nLast-scan\t:  19/03/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1746746654",
            "to_ids": false,
            "type": "text",
            "uuid": "f630adaf-1bbb-4446-b078-6819c063069f",
            "value": "Keylogger\r\nType Description: Win32 EXE\nMicrosoft: TrojanSpy:Win32/KeyLogger!MSR\nVT Total Detection:55/73\nFirst Submission:2018-10-16T12:23:13.000000+00:00\nLast Submission:2020-10-19T07:15:17.000000+00:00"
          }
        ]
      }
    ]
  }
}