{
  "Event": {
    "analysis": "1",
    "date": "2026-03-06",
    "extends_uuid": "",
    "info": "[Threat Intel] MAAS VIP_Keylogger Campaign",
    "protected": false,
    "publish_timestamp": "1774021949",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1774012179",
    "uuid": "16088282-de0d-47cd-a130-112eefede0b9",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ee8d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"",
        "relationship_type": ""
      },
      {
        "colour": "#72ee33",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#77a4ec",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Email Collection - T1114\"",
        "relationship_type": ""
      },
      {
        "colour": "#5539fe",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#9dc839",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Clipboard Data - T1115\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9bb6d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ed4a7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Web Browsers - T1555.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#55e7ce",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#4bc785",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Hollowing - T1055.012\"",
        "relationship_type": ""
      },
      {
        "colour": "#e2a873",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steganography - T1027.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:online-service=\"7347d685-8e08-4ed9-9f34-264e5e4b567a\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773658807",
        "to_ids": false,
        "type": "link",
        "uuid": "c54c1e12-d278-4051-ba35-9e92b84d2d73",
        "value": "https://labs.k7computing.com/index.php/maas-vip_keylogger-campaign",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773658807",
        "to_ids": false,
        "type": "text",
        "uuid": "4428e31b-ddfb-4978-b5e7-cbf309a8a9b4",
        "value": "A sophisticated keylogger campaign has been discovered, utilizing spear-phishing emails with attachments containing hidden malware. The campaign targets multiple countries, employing various packaging styles and execution methods. The malware, known as VIP_Keylogger, is delivered using steganography and process hollowing techniques. It focuses on stealing sensitive information from browsers, email clients, and other applications. The keylogger captures browser data, decrypts passwords, and exfiltrates information through multiple channels, including email. While some features appear disabled, the malware demonstrates advanced capabilities in data theft and evasion techniques."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773658807",
        "to_ids": false,
        "type": "text",
        "uuid": "285b508e-ec41-497c-9db9-5b9e8827420c",
        "value": "Name: MAAS VIP_Keylogger Campaign\nAuthor: AlienVault\nAdversary: \nTags: [\"spear-phishing\", \"vip_keylogger\", \"browser-targeting\", \"process-hollowing\"]\nTgtd countries: []\nMlwr families: [\"VIP_Keylogger\"]\nAttack_ids: [\"T1113\", \"T1056.001\", \"T1114\", \"T1566.001\", \"T1115\", \"T1555\", \"T1555.003\", \"T1557.001\", \"T1055.012\", \"T1027.003\"]\nIndustries: []"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:20/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774012180",
        "to_ids": true,
        "type": "md5",
        "uuid": "0cd9e5c4-c8cc-4153-8262-cb127e17d79c",
        "value": "9375cff0413111d3b88a00104b2a6676",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773999605",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "fd22f1c1-77ab-478a-ab5c-17ba9d9075db",
        "value": "51.38.247.67",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773999627",
        "to_ids": true,
        "type": "hostname",
        "uuid": "3b607a4a-7247-42fb-ba02-9d9b4a5fa122",
        "value": "aborters.duckdns.org",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773999648",
        "to_ids": true,
        "type": "hostname",
        "uuid": "49e5e16c-97aa-486b-9a31-f35581153ffe",
        "value": "anotherarmy.dns.army",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773999669",
        "to_ids": true,
        "type": "hostname",
        "uuid": "56dc546d-e924-4172-9cde-3a0057cb113e",
        "value": "varders.kozow.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774012068",
        "uuid": "aa299bae-a760-4d23-b2ef-303fb8f2bc91",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Spyware",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1773999691",
            "to_ids": true,
            "type": "md5",
            "uuid": "e8f96d01-eaf5-49a7-b8f7-f492324807b2",
            "value": "694c313b660123f393332c2f0f7072b5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Spyware",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1773999063",
            "to_ids": true,
            "type": "sha1",
            "uuid": "62151d49-6c45-49c1-8919-0bc2d26c8020",
            "value": "ee790ec841b7761679a05771d551a154c7f87a93",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Spyware",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1773999063",
            "to_ids": true,
            "type": "sha256",
            "uuid": "226ef517-0e1c-4187-b4f4-03e76e32c3b5",
            "value": "95892f0bc179246961e3cf5eeac444143a4f9b455ab740746dad3ecc32c93e62",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1773997509",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "6d26c5a0-4ee3-4a5b-a110-d07e8533e896",
            "value": "6144:UQcYxDKmPIqYEKCSWzJDiiAbbvuogkeMR9+AU2MVXA9y1nVb2ntb:UDkKB"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1773997509",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "88a4d5b8-47ca-416f-95af-a8ee56d2e848",
            "value": "274432"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1773997509",
            "to_ids": true,
            "type": "vhash",
            "uuid": "021ac848-8f84-484c-9ee2-5db61121c3ac",
            "value": "225036555512307166c413360"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1773997509",
            "to_ids": true,
            "type": "filename",
            "uuid": "78dbe8d5-23e7-4893-a896-0ba79a96108b",
            "value": "Remington.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/03/2026\nLast-scan\t:  17/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1773997509",
            "to_ids": false,
            "type": "text",
            "uuid": "1d0ca165-a9d5-40f8-ad53-67c863c87769",
            "value": "Spyware\r\nType Description: Win32 EXE\nMicrosoft: Backdoor:MSIL/Bladabindi.AMBE!MTB\nVT Total Detection:62/72\nFirst Submission:2025-10-21T01:03:44.000000+00:00\nLast Submission:2026-03-10T06:16:16.000000+00:00"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/03/2026\nLast-scan\t:  17/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1774012068",
            "to_ids": false,
            "type": "text",
            "uuid": "f6b11af7-51d6-4f42-8834-6ff54de22512",
            "value": "Type Description: Win32 EXE\nMicrosoft: Backdoor:MSIL/Bladabindi.AMBE!MTB\nVT Total Detection:62/72"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1774012068",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e813a16b-d40d-4147-8ebe-8ef853a57202",
            "value": "6144:UQcYxDKmPIqYEKCSWzJDiiAbbvuogkeMR9+AU2MVXA9y1nVb2ntb:UDkKB"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1774012068",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "60412ecf-a21f-4148-a037-9ff5ea988a6a",
            "value": "274432"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1774012068",
            "to_ids": true,
            "type": "vhash",
            "uuid": "7a33a639-6e8c-4f11-b62e-2708d2d5fd50",
            "value": "225036555512307166c413360"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1774012068",
            "to_ids": true,
            "type": "filename",
            "uuid": "f4148913-0a6e-447c-b603-61790f635bcc",
            "value": "Remington.exe"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774012091",
        "uuid": "8ccad8cb-3aeb-42c0-aa30-0d444125c59c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1773999712",
            "to_ids": true,
            "type": "md5",
            "uuid": "ededb4e2-79cf-4ec4-a3e5-d4f498195499",
            "value": "d1df5d64c430b79f7e0e382521e96a14",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1773999065",
            "to_ids": true,
            "type": "sha1",
            "uuid": "30195b1a-b5e2-42a1-9f52-15cb3f456147",
            "value": "e48938008fc0faa1c7b47af5c0b25df4b37a6af3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1773999065",
            "to_ids": true,
            "type": "sha256",
            "uuid": "170849c9-51c0-4dee-a5c5-fb123ae45662",
            "value": "ce4fda69ff042264003b4eb03bc158fc690aef8802aa1b1db8232a93a8bf0145",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1773997555",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "1a8fbd00-ef0d-4d25-8235-c117447662cf",
            "value": "6144:JH5AsMGa2azxBEED7wq3QpTgIP4kVHm+XH0jFkqX20nYb+8tb:fO8B"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1773997555",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "33f8f116-4ce0-4488-bf45-284468203d03",
            "value": "269824"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1773997555",
            "to_ids": true,
            "type": "vhash",
            "uuid": "e7568759-c0c6-413b-b88e-80a10836b89b",
            "value": "025026555\"z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1773997555",
            "to_ids": true,
            "type": "filename",
            "uuid": "8c35d8b3-3838-4c68-96d8-025136d95093",
            "value": "Camden.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/03/2026\nLast-scan\t:  17/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1773997555",
            "to_ids": false,
            "type": "text",
            "uuid": "13292651-5adf-4524-b4f8-c49abe108027",
            "value": "Type Description: Win32 EXE\nMicrosoft: Backdoor:MSIL/Bladabindi.AMBE!MTB\nVT Total Detection:56/72\nFirst Submission:2025-12-29T19:20:43.000000+00:00\nLast Submission:2026-03-10T06:15:02.000000+00:00"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/03/2026\nLast-scan\t:  17/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1774012091",
            "to_ids": false,
            "type": "text",
            "uuid": "ce17ffe4-a1ed-481d-93df-1d40cd75f0e5",
            "value": "Type Description: Win32 EXE\nMicrosoft: Backdoor:MSIL/Bladabindi.AMBE!MTB\nVT Total Detection:56/72"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1774012091",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "230c3a2e-57a2-4d8f-a40b-436301222921",
            "value": "6144:JH5AsMGa2azxBEED7wq3QpTgIP4kVHm+XH0jFkqX20nYb+8tb:fO8B"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1774012091",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "651a3d41-4612-4d17-a977-558b7d33e11c",
            "value": "269824"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1774012091",
            "to_ids": true,
            "type": "vhash",
            "uuid": "34987e0e-5a27-45fa-b0a3-4653e1defe30",
            "value": "025026555\"z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1774012091",
            "to_ids": true,
            "type": "filename",
            "uuid": "00884004-e159-43bf-a34a-e47b19f2cc67",
            "value": "Camden.exe"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774012113",
        "uuid": "3554ca33-58ec-48f1-a4cd-c6a07078935a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1773999734",
            "to_ids": true,
            "type": "md5",
            "uuid": "5d570d9f-2ff0-436e-ac0c-98ce5f1cb5fb",
            "value": "e7c42f2d0ff38f1b9f51dc5d745418f5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1773999067",
            "to_ids": true,
            "type": "sha1",
            "uuid": "f95d59ca-90f3-4958-a13d-5eefaef42245",
            "value": "079d198a000ae523f12c3c0f23b3697140d96a86",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1773999067",
            "to_ids": true,
            "type": "sha256",
            "uuid": "98452ea4-5730-4df7-8ae9-f14bd3a9be9d",
            "value": "bba56d9918978e618e27cacf2997e3aeebed5d85bf657daaf0841b89b6cc4cb3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1773997579",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "30835861-aaa3-4aef-a3d6-0c5f401b0058",
            "value": "6144:RBWGA72eiYbVYq6g3NS4raLg4W+9/pvSxRb9zBiDjaJgxpHDO:RBWD7iY+qhQ4rKgfM8V2DjaWpjO"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1773997579",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "1386db0c-1668-4563-9075-dd7791b7684e",
            "value": "307712"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1773997579",
            "to_ids": true,
            "type": "vhash",
            "uuid": "760cdceb-babe-441f-a797-5724ef63e45d",
            "value": "035046551d751bza!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1773997579",
            "to_ids": true,
            "type": "filename",
            "uuid": "2bbe40c3-2941-402b-9ffd-1476cfa55ab3",
            "value": "odemePlani.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/03/2026\nLast-scan\t:  18/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1773997579",
            "to_ids": false,
            "type": "text",
            "uuid": "117d66eb-9c71-4777-945f-291a5aa14401",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win64/DonutLoader.PGDO!MTB\nVT Total Detection:53/72\nFirst Submission:2026-02-17T11:55:01.000000+00:00\nLast Submission:2026-03-10T06:15:17.000000+00:00"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/03/2026\nLast-scan\t:  18/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1774012113",
            "to_ids": false,
            "type": "text",
            "uuid": "68757c0e-56f4-41d8-895d-b01afdf8e5fa",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win64/DonutLoader.PGDO!MTB\nVT Total Detection:53/72"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1774012113",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "9ae53b40-a535-49fd-bd0f-9ed049040b65",
            "value": "6144:RBWGA72eiYbVYq6g3NS4raLg4W+9/pvSxRb9zBiDjaJgxpHDO:RBWD7iY+qhQ4rKgfM8V2DjaWpjO"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1774012113",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "0824bcae-45e1-4049-bfee-333a08a2ec4b",
            "value": "307712"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1774012113",
            "to_ids": true,
            "type": "vhash",
            "uuid": "323d3341-0fc3-45d6-a627-fffb908bb537",
            "value": "035046551d751bza!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1774012113",
            "to_ids": true,
            "type": "filename",
            "uuid": "628a096a-3122-40e9-9fb9-e308d1863ac4",
            "value": "odemePlani.exe"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774012137",
        "uuid": "76ade73d-890f-46c8-a52f-b4f781b242c1",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1773999756",
            "to_ids": true,
            "type": "md5",
            "uuid": "66eea59c-ff00-47cb-8cd3-6b62fe101ad8",
            "value": "ea72845a790da66a7870da4da8924eb3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1773999068",
            "to_ids": true,
            "type": "sha1",
            "uuid": "2119567f-f234-42bf-b6ef-280d28f4e701",
            "value": "4fc672fe7dd8272a4f4da6ffc078a91e234f04ee",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1773999068",
            "to_ids": true,
            "type": "sha256",
            "uuid": "3484953d-a215-46e3-844e-d0ba490d0a91",
            "value": "03ae7b3bdaa1614aee51a35e9426ade258bb30498743467823bd80b19de0ad9b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1773997602",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "9a639db8-26bc-4fdb-908d-68c3f0b50e45",
            "value": "24576:hKnOguQBc0MnHIfHrmWwKPmJ6Y33ijYjj:QnHubNQUKe6Y33gY"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1773997602",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "bd504ccc-79ea-4a3f-9e88-791410d9e123",
            "value": "957952"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1773997602",
            "to_ids": true,
            "type": "vhash",
            "uuid": "9f88a897-2e64-45bf-98b3-9486f10e0371",
            "value": "29503675151240855442100161"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1773997602",
            "to_ids": true,
            "type": "filename",
            "uuid": "460bcf76-af71-423b-be98-93b4b67dc253",
            "value": "mHPPn.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/03/2026\nLast-scan\t:  17/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1773997602",
            "to_ids": false,
            "type": "text",
            "uuid": "9a43246d-105c-4bd1-a505-97d9c059ddb8",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:MSIL/Taskun.STDF!MTB\nVT Total Detection:54/72\nFirst Submission:2026-02-09T07:24:54.000000+00:00\nLast Submission:2026-02-09T08:37:06.000000+00:00"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/03/2026\nLast-scan\t:  17/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1774012137",
            "to_ids": false,
            "type": "text",
            "uuid": "42f2d964-b1c0-4c1e-bb74-9f0fdf7bfbb1",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:MSIL/Taskun.STDF!MTB\nVT Total Detection:54/72"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1774012137",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "8c757b24-ac1a-4580-89a8-2012fa5acec8",
            "value": "24576:hKnOguQBc0MnHIfHrmWwKPmJ6Y33ijYjj:QnHubNQUKe6Y33gY"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1774012137",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f4d17ef6-62a4-436e-9e79-96a83d25567b",
            "value": "957952"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1774012137",
            "to_ids": true,
            "type": "vhash",
            "uuid": "242afb9d-0a04-4583-8b5c-34fff9ca921c",
            "value": "29503675151240855442100161"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1774012137",
            "to_ids": true,
            "type": "filename",
            "uuid": "643404a8-89b7-4fd8-afdf-4a6c62479d6e",
            "value": "mHPPn.exe"
          }
        ]
      }
    ]
  }
}