{
  "Event": {
    "analysis": "1",
    "date": "2026-04-08",
    "extends_uuid": "",
    "info": "[Threat Intel] New Lua-based malware LucidRook observed in targeted attacks against Taiwanese organizations",
    "protected": false,
    "publish_timestamp": "1776719997",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1776719982",
    "uuid": "03f9b92b-3a00-4ed1-be92-e1e2ab740af5",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#7c6ad9",
        "local": false,
        "name": "misp-galaxy:producer=\"Cisco Talos Intelligence Group\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#870443",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1192\"",
        "relationship_type": ""
      },
      {
        "colour": "#2613b0",
        "local": false,
        "name": "misp-galaxy:target-information=\"Taiwan\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"NGO\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775703608",
        "to_ids": false,
        "type": "link",
        "uuid": "5fc61d0b-905e-4fcb-8856-57c1ff761952",
        "value": "https://blog.talosintelligence.com/new-lua-based-malware-lucidrook/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775703608",
        "to_ids": false,
        "type": "text",
        "uuid": "46527fb0-8059-45ec-abe9-a8cd59cf667c",
        "value": "Cisco Talos observed a spear-phishing attack delivering LucidRook, a newly identified stager that targeted a Taiwanese NGO in October 2025. The metadata in the email suggests that it was delivered via authorized mail infrastructure, which implies potential misuse of legitimate sending capabilities."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775703608",
        "to_ids": false,
        "type": "text",
        "uuid": "2c6c6ca7-13d5-4ed6-b71b-4e3e8f990fed",
        "value": "Name: New Lua-based malware LucidRook observed in targeted attacks against Taiwanese organizations\nAuthor: AlienVault\nAdversary: \nTags: [\"lucidrook\", \"spearphishing\", \"lucidpawn\", \"lucidknight\", \"taiwan\"]\nTargeted countries: [\"Taiwan\"]\nMalware families: [\"LucidKnight\", \"LucidPawn\", \"LucidRook\"]\nAttack_ids: [\"T1192\"]\nIndustries: [\"Government\", \"Education\"]"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:21/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776719457",
        "to_ids": true,
        "type": "sha256",
        "uuid": "ed132e3f-63c9-468a-abf8-7f698e586753",
        "value": "0305e89110744077d8db8618827351a03bce5b11ef5815a72c64eea009304a34",
        "Tag": [
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:21/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776719478",
        "to_ids": true,
        "type": "sha256",
        "uuid": "4a99a7ca-b84c-44a9-b838-5b220d240d26",
        "value": "11ae897d79548b6b44da75f7ab335a0585f47886ce22b371f6d340968dbed9ae",
        "Tag": [
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Malicious LNK. No sample in VT\r\nLast check:21/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776719500",
        "to_ids": true,
        "type": "sha256",
        "uuid": "fd81359a-3d0f-45a9-962b-ba5a3af7e0d9",
        "value": "166791aac8b056af8029ab6bdeec5a2626ca3f3961fdf0337d24451cfccfc05d",
        "Tag": [
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:21/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776719521",
        "to_ids": true,
        "type": "sha256",
        "uuid": "11932a52-be04-46f9-95c7-d444a0e1fffe",
        "value": "6aba7b5a9b4f7ad4203f26f3fb539911369aeef502d43af23aa3646d91280ad9",
        "Tag": [
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:21/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776719542",
        "to_ids": true,
        "type": "sha256",
        "uuid": "98efcb4a-2bbb-4536-a644-d52bf1bc21a1",
        "value": "7e851b73bd59088d60101109c9ebf7ef300971090c991b57393e4c793f5e2d33",
        "Tag": [
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:21/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776719563",
        "to_ids": true,
        "type": "sha256",
        "uuid": "879bf6bb-146b-4c88-a8cb-a42bc007452f",
        "value": "852a80470536cb1fdab1a04d831923616bf00c77320a6b4656e80fc3cc722a66",
        "Tag": [
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:21/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776719584",
        "to_ids": true,
        "type": "sha256",
        "uuid": "47a4704c-7b4a-49ec-9407-c864adf10278",
        "value": "a42ad963c53f2e0794e7cd0c3632cc75b98f131c3ffceb8f2f740241c097214a",
        "Tag": [
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:21/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776719606",
        "to_ids": true,
        "type": "sha256",
        "uuid": "981704ad-e8ab-4300-8b4a-95aba502c4a4",
        "value": "aa7a3e8b59b5495f6eebc19f0654b93bb01fd2fa2932458179a8ae85fb4b8ec1",
        "Tag": [
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:21/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776719627",
        "to_ids": true,
        "type": "sha256",
        "uuid": "f30ba8f5-7ae1-4590-b25f-96b3d039f7fb",
        "value": "ab72813444207dba5429cf498c6ffbc69e1bd665d8007561d0973246fa7f8175",
        "Tag": [
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Payload from C2. No sample in VT\r\nLast check:21/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776719822",
        "to_ids": true,
        "type": "sha256",
        "uuid": "c7d5454a-18c9-4e78-aebf-88dcc2cfb697",
        "value": "fd11f419e4ac992e89cca48369e7d774b7b2e0d28d0b6a34f7ee0bc1d943c056",
        "Tag": [
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776691123",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "43a2ef55-935f-49db-985e-b45cbeef893f",
        "value": "1.34.253.131",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776043796",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "36c4172d-86c3-4b68-9da3-85ffc5eebb70",
        "value": "59.124.71.242",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776043818",
        "to_ids": true,
        "type": "domain",
        "uuid": "4ca0665f-bc3d-4e1b-872d-d85640289251",
        "value": "powerscrews.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776043839",
        "to_ids": true,
        "type": "hostname",
        "uuid": "759fad73-ff69-4c4d-a6a5-551b9d24a283",
        "value": "d.2fcc7078.digimg.store",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Attribution",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776007730",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "d694d830-bc53-4c18-9769-5599c3be38d2",
        "value": "UAT-10362"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776007749",
        "to_ids": true,
        "type": "email-src",
        "uuid": "c6d936e9-56d6-4830-abba-6b77384d9f26",
        "value": "fexopuboriw972@gmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776007749",
        "to_ids": true,
        "type": "email-src",
        "uuid": "b7881da3-9141-47a4-a681-21efcf25ae3a",
        "value": "crimsonanabel@powerscrews.com"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776719629",
        "uuid": "ce1a6546-9a00-4606-994e-32225b38efd8",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776719628",
            "to_ids": true,
            "type": "md5",
            "uuid": "adee39ac-8e20-4e68-b769-48aff27caf9a",
            "value": "08e44f25c764212f33b1d05900a14978",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776719628",
            "to_ids": true,
            "type": "sha1",
            "uuid": "5329c122-ba52-4b69-8e6e-0144403cdc1b",
            "value": "7248e5992138a3bcea882c1fe8d5e498c2392150",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776719629",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a0e4949d-e6fe-4519-9197-1ad60f470a8c",
            "value": "adf676107a6c2354d1a484c2a08c36c33d276e355a65f77770ae1ae7b7c36143",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776719628",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "9bef4200-dc69-41ad-a5eb-acf3b039ef20",
            "value": "24576:76QIiiP8QTO67Vhcd0rCbzLmVXqRdCTjbH0kIW4:Gn/jh7V+73mqR0/bH2"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776719628",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4c17e069-fa5e-4c7b-936c-2d3406d7a77e",
            "value": "926114"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776719628",
            "to_ids": true,
            "type": "filename",
            "uuid": "e53bfffe-bff3-48ab-957d-c83d089749d1",
            "value": "46f38t.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 21/04/2026\nLast-scan\t:  20/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776719628",
            "to_ids": false,
            "type": "text",
            "uuid": "4f2f80ec-033d-4d6e-ae4b-b33a22cc596a",
            "value": "Type Description: 7ZIP\nMicrosoft: None\nVT Total Detection:3/63\nFirst Submission:2025-12-04T07:55:04.000000+00:00\nLast Submission:2025-12-04T08:10:06.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776719650",
        "uuid": "c9d93c63-41cb-4894-9d6d-035faa89defa",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776719650",
            "to_ids": true,
            "type": "md5",
            "uuid": "a9b7d97d-0443-4f39-a3c6-80b59ce767dc",
            "value": "8422c64dcafc83841e8a0ebd93564874",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776719650",
            "to_ids": true,
            "type": "sha1",
            "uuid": "687ab7d4-1e7a-451d-8773-44894e968dbf",
            "value": "4f19a836b020159e71e263cd5bcefc6ee5e9f868",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776719650",
            "to_ids": true,
            "type": "sha256",
            "uuid": "68c5fe2b-b980-4807-b702-de8d58a0d628",
            "value": "b480092d8e5f7ca6aebdeaae676ea09281d07fc8ccf2318da2fa1c01471b818d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776719650",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "b9c6e054-eb9b-40fe-8fe3-d495a6c810ab",
            "value": "49152:EZa512xOvOTX0MN85mAwGq3nqWi/79hFsxQt0J9Gp06YIUQ+AvCkDVPrsopHtJA/:"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776719650",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "ca1a61fc-405e-4637-878a-24533bb2aa2d",
            "value": "5102080"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776719650",
            "to_ids": true,
            "type": "vhash",
            "uuid": "96a9e5ef-e2af-4356-aad7-87f4743b2ec1",
            "value": "056026151\"z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776719650",
            "to_ids": true,
            "type": "filename",
            "uuid": "21ed8af4-869a-4f57-a206-949fa6eadd64",
            "value": "Cleanup.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 21/04/2026\nLast-scan\t:  20/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776719650",
            "to_ids": false,
            "type": "text",
            "uuid": "745c8223-71f1-4f2b-8b44-b73e202e7439",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Malgent!MSR\nVT Total Detection:41/72\nFirst Submission:2025-12-04T08:15:22.000000+00:00\nLast Submission:2025-12-04T08:15:22.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776719672",
        "uuid": "ae023fe4-0a55-4370-ac7c-16d2ec7d53b3",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776719672",
            "to_ids": true,
            "type": "md5",
            "uuid": "5cbf54f1-5710-4a50-9f40-f64a56205521",
            "value": "d4eacad2b7c0a659713216ae62f77b50",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776719672",
            "to_ids": true,
            "type": "sha1",
            "uuid": "cb2fb8a9-13c5-4577-b010-2b92444860b2",
            "value": "1d4e3b32c7e71e7f71f1afb654b7e990462e4849",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776719672",
            "to_ids": true,
            "type": "sha256",
            "uuid": "44079231-8495-4803-b6c4-6016a2db9362",
            "value": "bdc5417ffba758b6d0a359b252ba047b59aacf1d217a8b664554256b5adb071d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776719671",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e1e2e659-5874-44fb-b819-2478a62a3ee9",
            "value": "24576:mc0103fC7e99xBORwKyvCteH8seYnkeeezHyfp:S1x7e9BORwpSa8MkWsp"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776719671",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "70c74ec8-18c8-4840-8822-d55f9c867226",
            "value": "1049088"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776719671",
            "to_ids": true,
            "type": "vhash",
            "uuid": "c96ba2f3-c18c-49b8-99f6-adfdba462c96",
            "value": "116056657d15551az413z41z3035z13z15z86z5"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776719671",
            "to_ids": true,
            "type": "filename",
            "uuid": "c56999ee-a36d-463b-9ef8-773bc4b6c94c",
            "value": "DismCore.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 21/04/2026\nLast-scan\t:  20/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776719671",
            "to_ids": false,
            "type": "text",
            "uuid": "eeac0c91-7278-4f9b-9ed3-6fff379bbc43",
            "value": "Type Description: Win32 DLL\nMicrosoft: Trojan:Win32/Malgent!MSR\nVT Total Detection:39/72\nFirst Submission:2025-10-15T07:11:39.000000+00:00\nLast Submission:2026-04-14T15:29:59.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776719694",
        "uuid": "4253696b-9e7b-439b-b5e9-bfffadce5ff6",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776719693",
            "to_ids": true,
            "type": "md5",
            "uuid": "4e49c746-6067-492d-bcc0-fbd3cfd7780b",
            "value": "2b27f9936aebde7f4797fca3f0500eef",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776719694",
            "to_ids": true,
            "type": "sha1",
            "uuid": "122ce249-46d2-4307-ae21-c6fec94a48bc",
            "value": "a4271c542dabea3c9e51e81ee49b87409d340143",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776719694",
            "to_ids": true,
            "type": "sha256",
            "uuid": "d9f394be-1801-4451-9cb5-224c63970b7e",
            "value": "c2d983d3812b5b6d592b149d627b118db2debd33069efe4de4e57306ba42b5dc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776719693",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "2b20e1ab-3317-4ce4-ad0d-1a801b68802b",
            "value": "49152:vZa512xOvOTX0MN85mAwGq3nqWi/79hFsxQt0J9Gp06YIUQ+AvCkDVPrsop9tJA4:S"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776719693",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "dbb4f08c-4e1a-4812-87d0-b7fcf1f0b1de",
            "value": "5110860"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776719693",
            "to_ids": true,
            "type": "vhash",
            "uuid": "f0b3c5c2-b83b-427d-83d7-e6a2a42aec5f",
            "value": "056026151\"z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776719693",
            "to_ids": true,
            "type": "filename",
            "uuid": "816c4fc5-f4de-4e11-b59d-1476e38a8df4",
            "value": "Cleanup.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 21/04/2026\nLast-scan\t:  20/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776719693",
            "to_ids": false,
            "type": "text",
            "uuid": "08fee9b7-0ced-4988-80fa-66eb0a36a52e",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Malgent!MSR\nVT Total Detection:45/72\nFirst Submission:2025-12-05T18:25:19.000000+00:00\nLast Submission:2025-12-05T18:25:19.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776719715",
        "uuid": "32deb610-aa11-4083-974c-d73c87b75549",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776719715",
            "to_ids": true,
            "type": "md5",
            "uuid": "d3b03da1-536d-4286-881f-a81d4fc6d4dc",
            "value": "7a9d42393f803b5b9b90eac05ad6a65a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776719715",
            "to_ids": true,
            "type": "sha1",
            "uuid": "1efc9d44-fe5c-48e2-9d2f-54db525655cd",
            "value": "0e16c23f7d44bb70d0f47e7386323cb0ce3400f4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776719715",
            "to_ids": true,
            "type": "sha256",
            "uuid": "e1fc4381-241c-409a-9fb5-8b471c0c9c22",
            "value": "d49761cdbea170dd17255a958214db392dc7621198f95d5eb5749859c603100a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776719715",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "2a577fdf-e5fc-453c-b5d6-062fe4dce14f",
            "value": "49152:dFt5zMf/tCelVrJijFO9dJHtDGiRbp1GVz:d1zM3t7Vr0E9dNX1az"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776719715",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "1a66eb37-65aa-4b88-a378-99092e3232ad",
            "value": "1677586"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776719715",
            "to_ids": true,
            "type": "vhash",
            "uuid": "52bc4cc4-b947-478b-933f-a22d16af5cd8",
            "value": "2ee85e2d8297d2701387a3978f6618db"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776719715",
            "to_ids": true,
            "type": "filename",
            "uuid": "14a2183d-718d-4f5e-acdd-935e4cd59424",
            "value": "7a9d42393f803b5b9b90eac05ad6a65a___1f784977-ceed-451b-98c2-ba535e745341.7zip"
          },
          {
            "category": "Other",
            "comment": "Checked: 21/04/2026\nLast-scan\t:  21/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776719715",
            "to_ids": false,
            "type": "text",
            "uuid": "a79aa1e3-32f2-47bc-8912-328e3d8072f7",
            "value": "Type Description: 7ZIP\nMicrosoft: None\nVT Total Detection:30/64\nFirst Submission:2025-10-15T07:11:18.000000+00:00\nLast Submission:2026-04-14T15:15:27.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776719737",
        "uuid": "ad56c23b-59f0-4bf3-8a07-30a77acd3262",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776719737",
            "to_ids": true,
            "type": "md5",
            "uuid": "bd61d461-9411-4d53-9a4a-d0a0de19d551",
            "value": "edae483fb8698a3f30b680a02c92525b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776719737",
            "to_ids": true,
            "type": "sha1",
            "uuid": "4a2f491f-466d-480b-ac20-8c4ad5991955",
            "value": "982539c2253d8e25d7242f1d0f3f2d89b985326d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776719737",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b8109b10-9d11-4c39-a594-df6f6e53e464",
            "value": "d8bc6047fb3fd4f47b15b4058fa482690b5b72a5e3b3d324c21d7da4435c9964",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776719736",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f570e184-2178-463a-9389-1e7c962a01c4",
            "value": "12288:VSsfCe8L4BB40EkAkeJh+kp2P9O+1lXns9qsHwf3g63foOLSgTHyfpXPy:VFRa4Br6kP931lXnOH1Ag0Hyfp"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776719736",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "3fa279bf-30d8-49ab-97cc-f5babe8b2fd8",
            "value": "890368"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776719736",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d284afa8-c9aa-4117-ba48-a4ddc332f880",
            "value": "185056657d15555az44z41z3035z13z1ez5"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776719736",
            "to_ids": true,
            "type": "filename",
            "uuid": "874e418b-bbdc-4264-999a-d211fd7a2255",
            "value": "DismCore.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 21/04/2026\nLast-scan\t:  20/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776719736",
            "to_ids": false,
            "type": "text",
            "uuid": "164101ed-bd48-4d31-90a3-cccbf10dfa23",
            "value": "Type Description: Win32 DLL\nMicrosoft: Trojan:Win32/Malgent!MSR\nVT Total Detection:44/72\nFirst Submission:2025-09-28T01:26:40.000000+00:00\nLast Submission:2025-10-13T03:42:47.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776719759",
        "uuid": "184ed07c-d03b-460e-9d73-1b600d85b656",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776719758",
            "to_ids": true,
            "type": "md5",
            "uuid": "db5f6cdc-7265-4bd5-8e45-c56e1508f268",
            "value": "ed7a850c9b87054da2c1173797bb5bd7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776719758",
            "to_ids": true,
            "type": "sha1",
            "uuid": "664eb2a1-4371-442c-9fd9-629e294b282c",
            "value": "72abfdee582c1c12f2ea97402af1a3e271ce4972",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776719759",
            "to_ids": true,
            "type": "sha256",
            "uuid": "6c31a51a-28e8-43bb-b9ae-03a41ce4736b",
            "value": "edb25fed9df8e9a517188f609b9d1a030682c701c01c0d1b5ce79cba9f7ac809",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776719758",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "4975cbca-c812-4845-8b9a-5eaa3a7c1705",
            "value": "24576:6+fpKkq9AjOfAKumUNKOxo9cXn6ys+aZCW14rseozgGBo6qj25:6+hKkq9Aj5xmUk+oWn6ys+ihL5BofK"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776719758",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "be1eeec1-f605-4365-a1c8-d5d25bc25364",
            "value": "1571840"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776719758",
            "to_ids": true,
            "type": "vhash",
            "uuid": "09054ae5-cc8b-4432-af44-25927763a2e2",
            "value": "116056655d156550a8z3e3z43z1023z13z15za6z5"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776719758",
            "to_ids": true,
            "type": "filename",
            "uuid": "1dd8f98a-b6c4-4d1d-898d-8fc8fa836b3e",
            "value": "dismcore.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 21/04/2026\nLast-scan\t:  20/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776719758",
            "to_ids": false,
            "type": "text",
            "uuid": "8bda54e0-d5fa-417d-b421-e782a11fdb35",
            "value": "Type Description: Win32 DLL\nMicrosoft: Trojan:Win64/LucidRook.DB!MTB\nVT Total Detection:40/72\nFirst Submission:2025-12-04T08:15:34.000000+00:00\nLast Submission:2025-12-04T08:15:34.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776719780",
        "uuid": "9a24c1fd-0747-493a-adbb-edeb85875ec4",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "malicious LNK",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776719780",
            "to_ids": true,
            "type": "md5",
            "uuid": "096ab81c-6adc-41f1-8c0e-ac03f22735cb",
            "value": "263d2f844fec137f085cece4d6ae45e5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "malicious LNK",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776719780",
            "to_ids": true,
            "type": "sha1",
            "uuid": "8fbcebb2-47f5-4a21-bbb9-3489816fc536",
            "value": "d88b571b886e3b285593fb1259d6bac6c056e565",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "malicious LNK",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776719780",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f7c04a94-0819-4d04-8f86-f7ca9aaffacf",
            "value": "f279e462253f130878ffac820f5a0f9ac92dd14ad2f1e4bd21062bab7b99b839",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776719779",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "ce8255f6-f667-415e-b7ac-3f7cd99a05f0",
            "value": "12:8IkXXdp+3ojsi/5D46Sup64qbdpksgAoOSATwJ+Bblbl9OZNJ47+lbYul85ypWU:8LHdoYFnjOdmxOJTwxJiabh85"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776719779",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "0b28647f-a362-4b5a-a2e7-7167856b37b8",
            "value": "1112"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776719780",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d3a59745-d089-4fc8-9396-ea9182cf7d32",
            "value": "ca12721adac6b0e5b5ad58c829f1cd45"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776719780",
            "to_ids": true,
            "type": "filename",
            "uuid": "653c0b1a-9f9a-4a0c-b59d-9de36971ea8b",
            "value": "1140060150.pdf.lnk"
          },
          {
            "category": "Other",
            "comment": "Checked: 21/04/2026\nLast-scan\t:  20/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776719780",
            "to_ids": false,
            "type": "text",
            "uuid": "b0d36635-861b-4115-b1e8-6d2a64354f0b",
            "value": "malicious LNK\r\nType Description: Windows shortcut\nMicrosoft: Trojan:LNK/Malgent!MSR\nVT Total Detection:27/63\nFirst Submission:2025-10-15T07:11:39.000000+00:00\nLast Submission:2025-10-15T07:11:39.000000+00:00"
          }
        ]
      }
    ]
  }
}