{
  "Event": {
    "analysis": "1",
    "date": "2026-05-05",
    "extends_uuid": "",
    "info": "[Threat Intel] InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise",
    "protected": false,
    "publish_timestamp": "1780386233",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1780368452",
    "uuid": "e30b1a07-b830-46e2-bf69-e67eee29d4af",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#717bc3",
        "local": false,
        "name": "misp-galaxy:producer=\"Trend Micro\"",
        "relationship_type": ""
      },
      {
        "colour": "#915448",
        "local": false,
        "name": "misp-galaxy:target-information=\"Malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#48df7e",
        "local": false,
        "name": "misp-galaxy:target-information=\"Netherlands\"",
        "relationship_type": ""
      },
      {
        "colour": "#33360c",
        "local": false,
        "name": "misp-galaxy:target-information=\"Thailand\"",
        "relationship_type": ""
      },
      {
        "colour": "#b8ab01",
        "local": false,
        "name": "misp-galaxy:target-information=\"United States\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Education\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Electronic\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Food\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Government, Administration\"",
        "relationship_type": ""
      },
      {
        "colour": "#680082",
        "local": false,
        "name": "ms-caro-malware:malware-platform=\"MacOS\"",
        "relationship_type": ""
      },
      {
        "colour": "#7f009f",
        "local": false,
        "name": "ms-caro-malware:malware-platform=\"WinNT\"",
        "relationship_type": ""
      },
      {
        "colour": "#accfc1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Component Object Model - T1559.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#d4fd6f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Impair Defenses - T1562\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malvertising - T1583.008\"",
        "relationship_type": ""
      },
      {
        "colour": "#30f613",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Mshta - T1218.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#c202a1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Visual Basic - T1059.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd2e44",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3a00e0",
        "local": false,
        "name": "rectifyq:action-taken=\"x\"",
        "relationship_type": ""
      },
      {
        "colour": "#3b00e2",
        "local": false,
        "name": "rectifyq:action-taken=\"linkedin\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780010312",
        "to_ids": false,
        "type": "link",
        "uuid": "61239f35-67e2-4c06-b4fd-3cdaaa22fc7e",
        "value": "https://www.trendmicro.com/en_us/research/26/e/installfix-and-claude-code.html"
      },
      {
        "category": "Network activity",
        "comment": "Payload host (Stage 2) - Disease vector",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780301167",
        "to_ids": true,
        "type": "hostname",
        "uuid": "376a3900-835f-4d6c-bf88-195fba1d95c1",
        "value": "download-version.1-5-8.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Resolves to 77[.]91[.]97[.]244 - Disease vector",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780301188",
        "to_ids": true,
        "type": "hostname",
        "uuid": "bb4a8c96-5d76-48b0-909a-5afacb3946be",
        "value": "hosted-by.yeezyhost.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C&C attempt over TCP/443; resolves to hosted-by.yeezyhost[.]net",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780301209",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "cf099fcd-5d0d-4c12-9516-675916413c89",
        "value": "77.91.97.244",
        "Tag": [
          {
            "colour": "#b7c1b9",
            "local": false,
            "name": "misp-galaxy:country=\"united kingdom\"",
            "relationship_type": ""
          },
          {
            "colour": "#b34953",
            "local": false,
            "name": "asn:asn=\"215590\"",
            "relationship_type": ""
          },
          {
            "colour": "#807877",
            "local": false,
            "name": "asn:as-owner=\"DPKGSOFT-AS\"",
            "relationship_type": ""
          },
          {
            "colour": "#e1449b",
            "local": false,
            "name": "asn:as-country=\"GB\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C&C domain (Stage 4) - Disease vector",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780301230",
        "to_ids": true,
        "type": "domain",
        "uuid": "2bfc5eba-bc08-46ee-b403-e41ed4f3c744",
        "value": "oakenfjrod.ru",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Disease vector",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780301251",
        "to_ids": true,
        "type": "url",
        "uuid": "a7fefa2b-ea2a-4511-9d4a-b43f0b5342fb",
        "value": "https://download-version.1-5-8.com/claude.msixbundle",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Disease vector",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780301272",
        "to_ids": true,
        "type": "url",
        "uuid": "c4edfa73-3120-44c4-a442-9c0f586015b4",
        "value": "oakenfjrod.ru/cloude-91267b64-989f-49b4-89b4-984e0154d4d1",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Outbound - C&C server",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780301295",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "fc42a206-3371-4f16-8873-4990eeda439f",
        "value": "185.177.239.255",
        "Tag": [
          {
            "colour": "#b7c1b9",
            "local": false,
            "name": "misp-galaxy:country=\"united kingdom\"",
            "relationship_type": ""
          },
          {
            "colour": "#1e9433",
            "local": false,
            "name": "asn:asn=\"215826\"",
            "relationship_type": ""
          },
          {
            "colour": "#04c4b8",
            "local": false,
            "name": "asn:as-owner=\"PARTNER-HOSTING-LTD\"",
            "relationship_type": ""
          },
          {
            "colour": "#e1449b",
            "local": false,
            "name": "asn:as-country=\"GB\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Outbound - Untested; Cloudflare (AS13335) address, high false-positive risk",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780301316",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "141d159a-7e6d-420b-adad-119a34e51fcf",
        "value": "104.21.0.95",
        "Tag": [
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          },
          {
            "colour": "#c4bd10",
            "local": false,
            "name": "asn:asn=\"13335\"",
            "relationship_type": ""
          },
          {
            "colour": "#60003e",
            "local": false,
            "name": "asn:as-owner=\"CLOUDFLARENET\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1780301337",
        "uuid": "229b623d-b71b-4242-bc12-dbf9411af6cb",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "claude.msixbundle (ZIP/HTA polyglot, Stage 2)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1780301337",
            "to_ids": true,
            "type": "md5",
            "uuid": "93314a45-b22e-4ce3-bc70-3b43442ee6d4",
            "value": "45029deaf9033802d08b5f82b77978fa",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "claude.msixbundle (ZIP/HTA polyglot, Stage 2)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1780298358",
            "to_ids": true,
            "type": "sha1",
            "uuid": "fc2199e8-1dea-4303-b672-523a6e220e59",
            "value": "fba90ff98a50c55fee4ef03de6dc9249c8a7a4b1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "claude.msixbundle (ZIP/HTA polyglot, Stage 2)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1780298358",
            "to_ids": true,
            "type": "sha256",
            "uuid": "99cd2a36-ae5b-4b35-a554-c6e1317f10cb",
            "value": "2b99ade9224add2ce86eb836dcf70040315f6dc95e772ea98f24a30cdf4fdb97",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1780010782",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "ab7c2a26-0eb1-453e-8854-1385627dbd5a",
            "value": "24576:u57DGEX9QpbUzzz11Y7n3746KkN3W2OJctDfPiUY5O3oc2sqh0vF28:u5N9QBUzz51Yb746K2hOJGDfPiUY5O3p"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1780010782",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f2cd6440-c84b-4b62-a3f8-01afba460dda",
            "value": "1259331"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1780010782",
            "to_ids": true,
            "type": "vhash",
            "uuid": "0cdb0142-706e-4629-8a20-02f21e948764",
            "value": "e46428be482c919e06544ac595e8a249"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1780010782",
            "to_ids": true,
            "type": "filename",
            "uuid": "fa72d7c0-9fba-42a2-a87b-88fbeecad8ee",
            "value": "claude.msixbundle"
          },
          {
            "category": "Other",
            "comment": "Checked: 29/05/2026\nLast-scan: 25/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1780010782",
            "to_ids": false,
            "type": "text",
            "uuid": "4b1b729c-1fe6-427d-a16a-e9a45994d7e4",
            "value": "claude.msixbundle  (ZIP/HTA polyglot, Stage 2)\r\nType Description: ZIP\nMicrosoft: None\nVT Total Detection:12/66\nFirst Submission:2026-04-07T00:18:11.000000+00:00\nLast Submission:2026-05-20T06:24:55.000000+00:00"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/06/2026\nLast-scan: 01/06/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1780296379",
            "to_ids": false,
            "type": "text",
            "uuid": "0193669c-9342-488a-9967-9c207eb46cef",
            "value": "Type Description: ZIP\nMicrosoft: None\nVT Total Detection:21/65"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1780296379",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "08c0dfaf-13c9-4843-8458-2c9d4e08e4f2",
            "value": "24576:u57DGEX9QpbUzzz11Y7n3746KkN3W2OJctDfPiUY5O3oc2sqh0vF28:u5N9QBUzz51Yb746K2hOJGDfPiUY5O3p"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1780296379",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "c9b64515-a598-48ee-8bf8-a6689891cb22",
            "value": "1259331"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1780296379",
            "to_ids": true,
            "type": "vhash",
            "uuid": "0f036258-bab0-42d9-b762-d2ff4d9ce383",
            "value": "e46428be482c919e06544ac595e8a249"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1780296379",
            "to_ids": true,
            "type": "filename",
            "uuid": "9fc4fc3e-e17a-408a-9f6a-adec049ed945",
            "value": "claude.msixbundle"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1780301359",
        "uuid": "696c09af-7f09-4499-9477-fbb176427dc6",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "(FINAL SHELLCODE)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1780301359",
            "to_ids": true,
            "type": "md5",
            "uuid": "f21f976b-1f3f-4036-a77d-ac96cfbd615c",
            "value": "67640d4378e7c13110c7ee268c667c43",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "(FINAL SHELLCODE)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1780298360",
            "to_ids": true,
            "type": "sha1",
            "uuid": "47377fcc-7a15-46af-8181-cb338a1a98c3",
            "value": "ce2480178287880610cbcef7155e64279837dfb0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "(FINAL SHELLCODE)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1780298360",
            "to_ids": true,
            "type": "sha256",
            "uuid": "052eee77-813d-4b70-af66-4f21c09cb88d",
            "value": "ec1206989449d30746b5ceb2b297cda9f3f09636a0e122ecafb40b1dc2e86772",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1780010805",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c86ad82b-23fc-4c0d-b7ed-fa7f3b18eee9",
            "value": "6144:k3uaDBoL7nwnax3zBun2ZrvIHf8N1SkB+ArfX6yWhRJ7kUCCf:yDBoL7nwax3E2ZrgHf8NcDqWhRymf"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1780010805",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b2dceef3-921f-48d6-95a9-ad6832a4135c",
            "value": "292352"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1780010805",
            "to_ids": true,
            "type": "vhash",
            "uuid": "82be2ed1-31c4-49c1-8f55-9ec0d7bbe2fa",
            "value": "0250566d1515156025z100147z27z13z6fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1780010805",
            "to_ids": true,
            "type": "filename",
            "uuid": "3bce3815-3971-44c1-83a0-4cffc72a6594",
            "value": "decompressed.bin"
          },
          {
            "category": "Other",
            "comment": "Checked: 29/05/2026\nLast-scan: 28/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1780010805",
            "to_ids": false,
            "type": "text",
            "uuid": "008c36af-524c-4ca9-b99f-bfb34ab4a67c",
            "value": "(FINAL SHELLCODE)\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Ravartar!rfn\nVT Total Detection:55/71\nFirst Submission:2026-04-18T23:13:33.000000+00:00\nLast Submission:2026-05-07T05:38:25.000000+00:00"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/06/2026\nLast-scan: 29/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1780296401",
            "to_ids": false,
            "type": "text",
            "uuid": "f6364a49-3fd8-47f5-a85d-d27c51f13410",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Ravartar!rfn\nVT Total Detection:54/71"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1780296401",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e140ffe8-511c-4a45-82cf-03faa238b73d",
            "value": "6144:k3uaDBoL7nwnax3zBun2ZrvIHf8N1SkB+ArfX6yWhRJ7kUCCf:yDBoL7nwax3E2ZrgHf8NcDqWhRymf"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1780296401",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "13c2fadc-c8c3-46b4-8095-bae9a30f20d8",
            "value": "292352"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1780296401",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d3be252d-00c8-47f9-b27e-81b3ddd75afd",
            "value": "0250566d1515156025z100147z27z13z6fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1780296401",
            "to_ids": true,
            "type": "filename",
            "uuid": "6e9d3cae-dd4f-4c80-a5b4-07b7e29f32da",
            "value": "decompressed.bin"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1780301380",
        "uuid": "863be4c1-4db5-4d05-8dc2-c99b3d1fd12c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "cloude-91267b64-989f-49b4-89b4-984e0154d4d1 (Stage 4 fileless payload)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1780301380",
            "to_ids": true,
            "type": "md5",
            "uuid": "d4157019-d479-4354-b58a-b02f14d4c0fd",
            "value": "d62297e291f43469181785a9d9131e37",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "cloude-91267b64-989f-49b4-89b4-984e0154d4d1 (Stage 4 fileless payload)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1780298363",
            "to_ids": true,
            "type": "sha1",
            "uuid": "571bcf66-4495-438c-9c83-8b7ea4806e54",
            "value": "811fbf0ff6b6acabe4b545e493ec0dd0178a0302",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "cloude-91267b64-989f-49b4-89b4-984e0154d4d1 (Stage 4 fileless payload)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1780298363",
            "to_ids": true,
            "type": "sha256",
            "uuid": "23f1ce25-636f-4b93-9705-944e05922bdd",
            "value": "2f04ba77bb841111036b979fc0dab7fcbae99749718ae1dd6fd348d4495b5f74",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1780010828",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "47625536-b379-4e73-b3d8-f36cc8636bf5",
            "value": "49152:2cKBmBNKAsKGrqSSuKhTGLVJhKIiK1Rp7XpW1SKbWKzzHkXKf1CpK8vb:A"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1780010828",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "9e06738a-4da5-4756-badf-49209fba3d82",
            "value": "17523842"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1780010828",
            "to_ids": true,
            "type": "filename",
            "uuid": "2d552ac3-7672-41d6-b355-0d399937ea06",
            "value": "cloude-91267b64-989f-49b4-89b4-984e0154d4d1"
          },
          {
            "category": "Other",
            "comment": "Checked: 29/05/2026\nLast-scan\t:  21/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1780010828",
            "to_ids": false,
            "type": "text",
            "uuid": "74e6e507-1a5e-40a7-a754-11d3db55674a",
            "value": "cloude-91267b64-989f-49b4-89b4-984e0154d4d1 (Stage 4 fileless payload)\r\nType Description: Powershell\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:27/61\nFirst Submission:2026-04-06T08:58:04.000000+00:00\nLast Submission:2026-04-06T08:58:04.000000+00:00"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/06/2026\nLast-scan\t:  29/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1780296423",
            "to_ids": false,
            "type": "text",
            "uuid": "b02759ce-0558-4c88-b4c2-59b7906c740f",
            "value": "Type Description: Powershell\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:27/61"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1780296423",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "fe02cec7-845f-4dc2-8b04-c2244df49472",
            "value": "49152:2cKBmBNKAsKGrqSSuKhTGLVJhKIiK1Rp7XpW1SKbWKzzHkXKf1CpK8vb:A"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1780296423",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a8d95017-3d94-4160-91a1-d5b0f1207360",
            "value": "17523842"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1780296423",
            "to_ids": true,
            "type": "filename",
            "uuid": "fda829c8-0040-4822-8602-344fa9e9625b",
            "value": "cloude-91267b64-989f-49b4-89b4-984e0154d4d1"
          }
        ]
      }
    ]
  }
}