{
  "Event": {
    "analysis": "1",
    "date": "2026-03-30",
    "extends_uuid": "",
    "info": "[Threat Intel] Security brief: tax scams aim to steal funds from taxpayers",
    "protected": false,
    "publish_timestamp": "1775907145",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1775907145",
    "uuid": "1562042e-86f8-4511-8793-ee86faca8617",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#2d8ee7",
        "local": false,
        "name": "misp-galaxy:producer=\"Proofpoint\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#870443",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1192\"",
        "relationship_type": ""
      },
      {
        "colour": "#75ec20",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"",
        "relationship_type": ""
      },
      {
        "colour": "#65d24c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Gather Victim Identity Information - T1589\"",
        "relationship_type": ""
      },
      {
        "colour": "#a3aa59",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1193\"",
        "relationship_type": ""
      },
      {
        "colour": "#454726",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Infrastructure - T1584\"",
        "relationship_type": ""
      },
      {
        "colour": "#b206a3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Accounts - T1586\"",
        "relationship_type": ""
      },
      {
        "colour": "#c9dbdd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Stage Capabilities - T1608\"",
        "relationship_type": ""
      },
      {
        "colour": "#3780c6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d1dab",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Internal Spearphishing - T1534\"",
        "relationship_type": ""
      },
      {
        "colour": "#1acf09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Trusted Relationship - T1199\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#59699c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
        "relationship_type": ""
      },
      {
        "colour": "#a0d02a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing for Information - T1598\"",
        "relationship_type": ""
      },
      {
        "colour": "#6440db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Establish Accounts - T1585\"",
        "relationship_type": ""
      },
      {
        "colour": "#cf2da1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Develop Capabilities - T1587\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#b8ab01",
        "local": false,
        "name": "misp-galaxy:target-information=\"United States\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774868418",
        "to_ids": false,
        "type": "link",
        "uuid": "8d2cc969-e3a2-46c2-b897-ea788a7b92c2",
        "value": "https://www.proofpoint.com/us/blog/threat-insight/security-brief-tax-scams-aim-steal-funds-taxpayers"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774868418",
        "to_ids": false,
        "type": "text",
        "uuid": "21500b3e-e6fa-417d-bd95-8caa05c11a84",
        "value": "Threat actors are exploiting tax season with numerous campaigns leveraging tax themes to deliver malware, remote monitoring tools, fraud attempts, and credential phishing. Over a hundred campaigns have been observed in 2026, with a notable increase in remote monitoring and management (RMM) payloads. Tactics include impersonating tax agencies, claiming expired documents, and requesting tax filing support. While primarily targeting the United States, campaigns have also been observed in Canada, Australia, Switzerland, and Japan. Notable actors include TA4922, a newly designated threat group delivering malware from the Winos4.0 ecosystem, and TA2730, focusing on credential phishing for financial institutions. Business email compromise actors are also using tax form lures to steal financial and personal data. These campaigns demonstrate the ongoing exploitation of timely and topical themes by cybercriminals to deceive users."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774868418",
        "to_ids": false,
        "type": "text",
        "uuid": "be6e151e-1720-491e-b07b-57b72a79a76d",
        "value": "Name: Security brief: tax scams aim to steal funds from taxpayers\nAuthor: AlienVault\nAdversary: \nTags: [\"tax scams\", \"bec\", \"valleyrat\", \"winos4.0\", \"social engineering\", \"phishing\", \"irs impersonation\", \"rmm\", \"credential theft\"]\nTgtd countries: []\nMlwr families: [\"Winos4.0\", \"ValleyRAT\"]\nAttack_ids: [\"T1192\", \"T1036\", \"T1589\", \"T1193\", \"T1584\", \"T1586\", \"T1608\", \"T1204\", \"T1534\", \"T1199\", \"T1566\", \"T1078\", \"T1598\", \"T1585\", \"T1587\"]\nIndustries: [\"Finance\"]"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775903606",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "9fa2fabc-ac3f-4781-94d7-14af24856582",
        "value": "121.127.232.253",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775903627",
        "to_ids": true,
        "type": "url",
        "uuid": "809aca44-b5f6-48c2-8eda-804bb542795a",
        "value": "https://www.upsystems.one/Alex.exe",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775903648",
        "to_ids": true,
        "type": "domain",
        "uuid": "323be244-6976-4bb5-89e7-3b79f67b02bd",
        "value": "akcjdrya.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775903670",
        "to_ids": true,
        "type": "domain",
        "uuid": "c2fb359b-212a-499a-ba3b-ea9b94023841",
        "value": "bksgcefzqyb.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775903691",
        "to_ids": true,
        "type": "domain",
        "uuid": "c390129a-ce57-44ab-b06b-403cc09f79d6",
        "value": "buwxkiy.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775903712",
        "to_ids": true,
        "type": "domain",
        "uuid": "8329b5cd-2f65-44ae-8767-6242f1c31a92",
        "value": "eodrggi.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775903733",
        "to_ids": true,
        "type": "domain",
        "uuid": "a34af2b9-27f7-4a74-aadb-2ff5bb4e1358",
        "value": "gyglowcq.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775903754",
        "to_ids": true,
        "type": "domain",
        "uuid": "15185c26-40e7-4b47-b9cf-249a276900f5",
        "value": "iuzndfqr.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775903775",
        "to_ids": true,
        "type": "domain",
        "uuid": "3d628a54-b592-4d35-a2f9-ecb31d237d24",
        "value": "nirbsff.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775903797",
        "to_ids": true,
        "type": "domain",
        "uuid": "9f7cf037-6ff7-4a5c-8dad-c4a06f3709dd",
        "value": "rmwztbrr.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775903818",
        "to_ids": true,
        "type": "domain",
        "uuid": "c35ea79d-27cf-4016-8fd0-c78be1ff85f6",
        "value": "whghfpytehu.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775903839",
        "to_ids": true,
        "type": "domain",
        "uuid": "29a2220c-777c-4d05-88a0-a9587eb93081",
        "value": "wijgzsfh.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775903860",
        "to_ids": true,
        "type": "hostname",
        "uuid": "3f76c7e4-e391-4262-a36d-56ad732cf516",
        "value": "www.upsystems.one",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "4b708e0d-436f-4843-8b85-e9631fbee0b7",
        "value": "aubrey162243her@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "7d3fdd5d-d789-47ee-ab8f-33e6abf7d836",
        "value": "baerg536714qrr@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "e83b63cf-5f56-43f4-abbd-4be6db18fa84",
        "value": "belinda319932ywa@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "d1329fd2-2e15-445c-94e9-ede1483f41e4",
        "value": "brenda26111993bbs@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "babb1f63-1cf9-4e90-b576-c3c33a1a3382",
        "value": "brett77124cnd@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "808be016-0810-446d-88f1-3935e6471cbf",
        "value": "clint15032004ye@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "5f74ba0b-a730-4677-a4ae-04bef45c8059",
        "value": "dan0600ups@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "3aa15966-40bf-4b40-ba55-d21d84448d64",
        "value": "darryl658773qfs@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "1bf946bc-5402-45d0-8aac-95d943b00463",
        "value": "elmer445637xqd@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "888b5cb0-0d0b-4fd2-9f01-cc66adbecab7",
        "value": "genet868615mfd@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "9418dddc-a662-403d-a43c-72b42783ae81",
        "value": "gilana406avh@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "fb916b02-852e-4510-8802-aa10b3952a35",
        "value": "gilbert6704ysw@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "cb0fcbd8-3b05-47b9-804d-edafc80da3a4",
        "value": "glenn0045bnk@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "f06a284d-3270-4d52-9189-b0050ecc4c22",
        "value": "greg2505880dbq@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "fa4c815e-94cd-458c-8b8d-20ea420faa9f",
        "value": "hilda2441790ajg@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "de18d156-4b65-4c5c-8c07-bd0069114352",
        "value": "kaitlyn135452qyw@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "9c85a691-8cfe-4f67-a602-30558fa82536",
        "value": "kayla383537cau@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "80f98a1f-a539-464b-a03f-6f4c006495e6",
        "value": "kelly5906byn@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "53af4566-2072-4986-ae2a-84684d5a4b28",
        "value": "mattie9227fdx@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "b6e5cc70-8f14-4f24-81fe-02d604715b7c",
        "value": "quirita42462vpp@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "4b9cc723-bdfb-4269-a88d-24a39d9944cd",
        "value": "rafael0746881jxk@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "fd359cfa-8a9c-4103-842b-2cdfabc1c948",
        "value": "sabah30035vrj@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "65108a51-ba2f-4e57-94af-eabf6f3d3b0d",
        "value": "tanisha535486nyg@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "636d7d20-85fc-4fb2-893c-f8fc114ed84a",
        "value": "violet82113vbv@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "38c38d1d-8a46-4487-9fbb-5db4c5cae831",
        "value": "violet900048ege@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "9256f840-7403-42ee-9155-f7aac862f2d3",
        "value": "yvette20071993pgc@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "b532d87e-78cb-46b3-a738-97cdde9330c3",
        "value": "yvonne8544809axa@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "dcdd4f8f-a5a0-41be-bf82-cde88cfa0e67",
        "value": "yobutler.jonasd8nc29@yahoo.com"
      },
      {
        "category": "Network activity",
        "comment": "On port 8443",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "ip-dst|port",
        "uuid": "ff7b4bb7-4c62-4a42-95d0-43711614399c",
        "value": "121.127.232.253|8443"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "d8c3bb67-dcf6-45d9-8be6-3159439c689d",
        "value": "bella1987jenny8927@outlook.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "8abc711b-f5a7-4b17-9847-8f333ab16ff0",
        "value": "cedric1985mattie70601@outlook.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "972b5302-ae9a-44ff-abc9-0f7dae5c8eac",
        "value": "chappel1994sunkel79549@outlook.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "ed4af4f4-b153-4e51-9cbf-29358ef917b1",
        "value": "chris1987juanita79531@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "acc0b8c4-26ae-45da-b8ad-9757bad03d5a",
        "value": "elisa1966tamara82159@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "a4d1055b-3133-4206-864a-d561d0001703",
        "value": "ellis1986akihito92@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "310d5f81-1030-4915-8508-afc4f3d0548f",
        "value": "garrett2003jaime3246@outlook.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "3bbf12a8-3e1b-4db7-bd26-7bfd04fef692",
        "value": "ghaemmaghamiborg2909@outlook.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "3217bd3f-e697-4c40-8e4a-ccae9a89f89b",
        "value": "iris2003francis43001@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "74b4164c-9984-4bec-ac3e-b094e4e1681a",
        "value": "jo1990nelson506@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "7f5a24fb-9fa9-4835-b06f-641578968cb9",
        "value": "kamiisa1962eunice52@outlook.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "17616802-e17f-44f1-9eb5-0d0bf54f6725",
        "value": "katsaounissetlak6267@outlook.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "13b50dad-f5e9-4b5b-90e8-b711d1f859ab",
        "value": "lathrop1966alice63@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "12a57bd8-e20b-4d65-8536-a4769689382a",
        "value": "lucia1968sheryl4254@outlook.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "1d41a9fc-d417-41ca-9d04-ac30f1758152",
        "value": "lucinamcnear6104@outlook.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "6a0c9837-29c8-4ae6-ba03-a3a0b7510e31",
        "value": "morris1965cruz7189@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "8e52fcce-a657-4ba4-9b8a-917eade9a6f9",
        "value": "nabila2004eunice770@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "5e0936b8-e836-4411-8faa-49d717af4628",
        "value": "nicholwollan4783@outlook.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "4762d7fe-7e5b-46c1-8bb8-2b98676c27f0",
        "value": "peony1982jamila936@outlook.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "2229f6c6-2a83-470e-a62d-57aec5d566d9",
        "value": "quirita1980laraine303@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "218405a9-4952-477e-b5df-8890ff820379",
        "value": "sablanloretz4374@outlook.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "96bf4876-587c-4c4d-b667-4556c26a9010",
        "value": "sheryl1993sabah3812@outlook.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "67ce9fb4-0e2d-4938-b441-f04a6a908195",
        "value": "steadfastseefried8443@outlook.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "4b5d81e8-71dd-40c7-9aab-0d941cc84e13",
        "value": "terrell1980dawn020@hotmail.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "9e405504-44b2-491f-93b1-231ac0859073",
        "value": "vanessa1991gretel73372@outlook.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "266649ee-17bd-4112-8be2-3deb325570be",
        "value": "wafflemehta9842@outlook.com"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775884649",
        "to_ids": true,
        "type": "email-src",
        "uuid": "51cb1b96-f112-453a-94b0-9a3a516511ee",
        "value": "wendell1988lovice46@hotmail.com"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775903882",
        "to_ids": true,
        "type": "url",
        "uuid": "a8acd931-75d7-4140-83f8-20414d2f8f05",
        "value": "https://bitbucket.org/pmlasobjekightailsians/rgww/downloads/amzn-s3-EfinTranscriptViewer.cm10_14_4_.EXE",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775903903",
        "uuid": "1b8854a8-829f-46fd-b536-f7be3eb6a85b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775903903",
            "to_ids": true,
            "type": "md5",
            "uuid": "c454b997-0f4b-459e-96be-96af218d3ecd",
            "value": "04e20b06dad0a6b69527a6efea668a31",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775902619",
            "to_ids": true,
            "type": "sha1",
            "uuid": "0b7b15a5-0d9b-4d25-b331-4ba26a2f3541",
            "value": "7ba88ef7b2dce865d2bc4e95e982bf68dfff1ea4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775902619",
            "to_ids": true,
            "type": "sha256",
            "uuid": "0c4664ca-b456-40e1-88a7-8336aecb9c3d",
            "value": "d338a7f85737cac1a7b4b5a1cca94e33d0aa8260548667c6733225d4c20cb848",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775901473",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "4e9c13b6-eb5f-4fd4-9c1e-bf2a70456918",
            "value": "6144:7yZn33eDKysPuPKaX8mhqT9kwb8qyQSvNDsBOhTvYFV:ulpZPcHZ0ftM9xTAD"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775901473",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "d64dd80e-51bc-48dd-b7ae-fdf3f59a970e",
            "value": "495424"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775901473",
            "to_ids": true,
            "type": "vhash",
            "uuid": "40971f64-b9f6-4130-9a67-3b4de4a1b002",
            "value": "245036551511c0a97a29541d10"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775901473",
            "to_ids": true,
            "type": "filename",
            "uuid": "0e67b1ca-ed5f-49b3-92a3-1ed4c7219104",
            "value": "SysUpdateSvc.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-04-11\nLast-scan: 2026-04-04",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775901473",
            "to_ids": false,
            "type": "text",
            "uuid": "b62f6b40-b17d-424d-be72-2188bb7ce4fc",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:MSIL/Sysn.MK!MTB\nVT Total Detection:48/72\nFirst Submission:2026-03-05T07:05:03.000000+00:00\nLast Submission:2026-03-05T07:05:03.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775903924",
        "uuid": "7cc4b32e-acaf-469d-b453-ab20c333c3e7",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775903924",
            "to_ids": true,
            "type": "md5",
            "uuid": "4f612d10-7679-431c-aa1b-e81f8d11dee9",
            "value": "ab11a32f0d617e50eb0c710d63128f79",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775902621",
            "to_ids": true,
            "type": "sha1",
            "uuid": "78113f98-d602-4d28-850c-e51075f619c0",
            "value": "5fa97aaf219b223159f9487b296bb916f073e4a0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775902621",
            "to_ids": true,
            "type": "sha256",
            "uuid": "46498ea2-6f5e-41e8-a2b2-46d117e86b42",
            "value": "844202972ff19afa760447fc87963de0fbbc0ebc69d50164f03ecf5d4e67952f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775901495",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "6dad8a2a-a109-4f95-9d5d-68783db9381c",
            "value": "393216:CvF/OiT86xvk7HiMPo7c7rd+ljUxrwn5UcmQMD1i:grRxvoC/7a0jUxX7h1i"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775901495",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "e05789e7-9ca6-4130-bdb4-b1e24df3300b",
            "value": "14782000"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775901495",
            "to_ids": true,
            "type": "vhash",
            "uuid": "852c0d0c-5b0a-4045-b2fc-cfbed66d67c9",
            "value": "017046651d5557z500431e5z2025z72z29fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775901495",
            "to_ids": true,
            "type": "filename",
            "uuid": "a0fea8d2-92ff-4c56-aa6f-6ac253e5adab",
            "value": "amzn-s3-EfinTranscriptViewer.cm10_14_4_.EXE"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-04-11\nLast-scan: 2026-04-08",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775901495",
            "to_ids": false,
            "type": "text",
            "uuid": "d8d6d332-f3c5-4abc-88a3-86a119f19fcb",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:28/72\nFirst Submission:2026-02-05T15:19:52.000000+00:00\nLast Submission:2026-02-06T05:02:45.000000+00:00"
          }
        ]
      }
    ]
  }
}