{
  "Event": {
    "analysis": "1",
    "date": "2026-04-16",
    "extends_uuid": "",
    "info": "[Threat Intel] Beyond the breach: inside a cargo theft actor's post-compromise playbook",
    "protected": false,
    "publish_timestamp": "1776767194",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1776767194",
    "uuid": "1f4df831-2927-4742-9661-5a8be90a40ef",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#2d8ee7",
        "local": false,
        "name": "misp-galaxy:producer=\"Proofpoint\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#705cef",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#e7d48a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\"",
        "relationship_type": ""
      },
      {
        "colour": "#f146c3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Sharepoint - T1213.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#ed66f6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal Web Session Cookie - T1539\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#5539fe",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#3909cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Automated Collection - T1119\"",
        "relationship_type": ""
      },
      {
        "colour": "#3bc6ad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Code Signing - T1553.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#e00500",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Access Tools - T1219\"",
        "relationship_type": ""
      },
      {
        "colour": "#75ec20",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ed4a7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Web Browsers - T1555.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#59699c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
        "relationship_type": ""
      },
      {
        "colour": "#57997c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Bidirectional Communication - T1102.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#d82db7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Query Registry - T1012\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Security Software Discovery - T1518.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#30cc3b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#3c0f50",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#98f3da",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Visual Basic - T1059.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776394808",
        "to_ids": false,
        "type": "link",
        "uuid": "bff8f98f-526d-493b-9162-30a2a525f32b",
        "value": "https://www.proofpoint.com/us/blog/threat-insight/beyond-breach-inside-cargo-theft-actors-post-compromise-playbook"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776394808",
        "to_ids": false,
        "type": "text",
        "uuid": "8458ea84-83d7-491e-b401-70d7d3fc2fd0",
        "value": "A cargo theft threat actor maintained access to a decoy environment for over a month, providing extensive visibility into post-compromise operations. The attacker established redundant persistence using multiple remote access tools, including four ScreenConnect instances, Pulseway RMM, and SimpleHelp RMM. A previously unknown signing-as-a-service capability was employed to evade detection by re-signing ScreenConnect installers with fraudulent code-signing certificates. Extensive reconnaissance targeted financial platforms, payment systems, cryptocurrency wallets, and transportation-specific services including fuel card providers, fleet payment platforms, and load board operators. The activity strongly aligns with financially motivated crimes against the transportation industry, including freight diversion and cargo theft operations."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776394808",
        "to_ids": false,
        "type": "text",
        "uuid": "008c4e7f-1bc6-4697-b73b-792a1941c32a",
        "value": "Name: Beyond the breach: inside a cargo theft actor's post-compromise playbook\nAuthor: AlienVault\nAdversary: \nTags: [\"cargo theft\", \"freight fraud\", \"screenconnect\", \"rmm tools\", \"transportation targeting\", \"cryptocurrency stealer\", \"load board compromise\", \"signing-as-a-service\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: [\"T1053.005\", \"T1033\", \"T1213.002\", \"T1539\", \"T1204.002\", \"T1566.001\", \"T1119\", \"T1553.002\", \"T1082\", \"T1219\", \"T1036\", \"T1555.003\", \"T1083\", \"T1059.001\", \"T1547.001\", \"T1078\", \"T1102.002\", \"T1012\", \"T1518.001\", \"T1070.004\", \"T1027.002\", \"T1071.001\", \"T1059.005\", \"T1105\"]\nIndustries: [\"Transportation\", \"Finance\"]"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776692825",
        "to_ids": true,
        "type": "domain",
        "uuid": "4746e8dd-b268-422a-8f5d-80f84b37a888",
        "value": "qto12q.top",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776692847",
        "to_ids": true,
        "type": "domain",
        "uuid": "e82af56d-1604-41bf-a67b-e812b28fa006",
        "value": "carrier-packets-docs.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776692868",
        "to_ids": true,
        "type": "url",
        "uuid": "2da4bca5-30a8-4305-984b-ac0ea28c75a0",
        "value": "https://carrier-packets-docs.com/FREEDOM_FREIGHT_SERVICES_CARRIERS_ONBOARDING.vbs",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776692889",
        "to_ids": true,
        "type": "url",
        "uuid": "f3e0db1e-726f-43a9-bdeb-b00495ae5ff9",
        "value": "https://qto12q.top/pdf.ps1",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:20/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776692025",
        "to_ids": true,
        "type": "sha1",
        "uuid": "88e19550-981b-4199-a9a8-9a055c86097d",
        "value": "d45d60b20006bc3a39ae1761cb5f5f5b067b4ee5",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776692911",
        "to_ids": true,
        "type": "domain",
        "uuid": "2c5649ad-cc8a-43e6-8627-78de4f3ab610",
        "value": "amtechcomputers.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776692932",
        "to_ids": true,
        "type": "domain",
        "uuid": "b1253d02-7fce-4c1c-a797-a225ff36a6df",
        "value": "nq251os.top",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776692953",
        "to_ids": true,
        "type": "domain",
        "uuid": "634b6268-32b0-43fb-8ee0-978477e4e898",
        "value": "officcee404.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776692974",
        "to_ids": true,
        "type": "hostname",
        "uuid": "c343dec4-0ed1-4d09-9bc7-6f681065b286",
        "value": "af124i1agga.anondns.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776692995",
        "to_ids": true,
        "type": "hostname",
        "uuid": "9694eafe-200f-4bc2-9992-7bd5112903a9",
        "value": "screlay.amtechcomputers.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776693016",
        "to_ids": true,
        "type": "hostname",
        "uuid": "65dbe1c5-cef0-43b9-88e4-63d0b4fa7a91",
        "value": "signer.bulbcentral.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776693037",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "fb9aceb2-9d8d-437c-9e54-5395cc236f82",
        "value": "147.45.218.0",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
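        "comment": "Bucket hostname under the shared s3.us-east-2.amazonaws.com domain, which is likely the reason for the high false-positive risk tag: match this exact hostname only, not the parent domain or the addresses it resolves to.",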
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776693059",
        "to_ids": true,
        "type": "hostname",
        "uuid": "47d81e5d-9ea4-49bc-84ba-08d4382cde52",
        "value": "services-sc-files.s3.us-east-2.amazonaws.com",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776693080",
        "uuid": "9a45b574-ad89-46fa-b7cd-6960ef84a2ff",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776693080",
            "to_ids": true,
            "type": "md5",
            "uuid": "712f7bec-c14d-4f0f-90c6-040d28a004e9",
            "value": "03b8a9da7ca89c139a13681e360d3082",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776692016",
            "to_ids": true,
            "type": "sha1",
            "uuid": "88795514-a05e-4257-bd72-fe5473b17017",
            "value": "7a9c717f71abf2642b96e3162bf044a5bb9c5935",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776692016",
            "to_ids": true,
            "type": "sha256",
            "uuid": "2af3cf4e-4be6-48cb-8f7a-1e800cb26dc1",
            "value": "1f89a432471ec2efe58df788c576007d6782bbdf5b572a5fbf5da40df536c9f5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776689179",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "65c81966-7c33-4514-9ef3-cbd5e8aa45ad",
            "value": "6:j+q9NqhnHsny+1nEK+oyrsCvJ8Vusdj02qGUrwv:KqahHsnBnEdlrsiNyjJqrsv"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776689179",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "82b723f6-e7e7-4ea8-be04-26d6336c2bc1",
            "value": "261"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776689179",
            "to_ids": true,
            "type": "vhash",
            "uuid": "f33a5603-f3d9-4bc8-abde-402309e9cbab",
            "value": "7ec83e35a8fff0f3ae371293bff56272"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776689179",
            "to_ids": true,
            "type": "filename",
            "uuid": "f4dee2ac-8397-4036-9ffe-dec74dc20b1f",
            "value": "FREEDOM_FREIGHT_SERVICES_CARRIERS_ONBOARDING.vbs"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/04/2026\nLast-scan\t:  20/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776689179",
            "to_ids": false,
            "type": "text",
            "uuid": "4518b567-c00c-43eb-9f31-1f1d311c1f95",
            "value": "Type Description: VBA\nMicrosoft: Trojan:Script/Wacatac.B!ml\nVT Total Detection:10/62\nFirst Submission:2026-02-27T17:47:40.000000+00:00\nLast Submission:2026-02-27T20:46:34.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776693102",
        "uuid": "df6bba78-8e14-42f4-a960-71d793428257",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776693102",
            "to_ids": true,
            "type": "md5",
            "uuid": "de80158b-7a80-4e7e-ad2a-a5bae388dc0c",
            "value": "68c2c19869c6ed14de1712dc43de571f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776692017",
            "to_ids": true,
            "type": "sha1",
            "uuid": "8397a767-16fe-45be-9c91-35b0dbc0aee2",
            "value": "f83b203b6832d6d62dde2f9c66b7a43c759e250b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776692017",
            "to_ids": true,
            "type": "sha256",
            "uuid": "7b26873f-f856-4ef3-9798-21a63e703dc0",
            "value": "3dcb89430bae8d89b9879da192351506f4fdb7c67e253a27f58b3bf52101cd4c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776689222",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "fcddb609-5dde-4838-8f66-9dfc6d7774ba",
            "value": "384:jyEnoY/3htyUxHF3nPY4cL8uOz312AEiBiqG6lXk:+YNJaL8zb1zEi9tk"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776689222",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4bb09da6-1dc2-4520-8154-1f661fb8ecf7",
            "value": "14924"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776689222",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d234e0e1-d4a1-4559-8f4b-15f3af52fac6",
            "value": "e9cd49a63f80ae3bd5b04931bbe0a21b"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776689222",
            "to_ids": true,
            "type": "filename",
            "uuid": "e81d7d5a-e30c-443f-9417-4cd4839c0861",
            "value": "HR_Report.txt"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/04/2026\nLast-scan\t:  20/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776689222",
            "to_ids": false,
            "type": "text",
            "uuid": "002341a9-9e34-4559-99d1-915d12ae83d6",
            "value": "Type Description: Powershell\nMicrosoft: None\nVT Total Detection:4/65\nFirst Submission:2026-04-15T21:17:29.000000+00:00\nLast Submission:2026-04-15T21:17:29.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776693123",
        "uuid": "e2fc6c64-ddf0-4d5b-8682-807f1649e26a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776693123",
            "to_ids": true,
            "type": "md5",
            "uuid": "9aab9e16-f5a1-4ec1-a9fa-6783ab0ca7d7",
            "value": "329535ee70626eb4d9f87fd511c2c54c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776692018",
            "to_ids": true,
            "type": "sha1",
            "uuid": "4f688f93-3c3d-41c7-9dd3-cd0ddbf2ccd6",
            "value": "751633f41766fe6644b7fbc82b05256fdc7b03f8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776692018",
            "to_ids": true,
            "type": "sha256",
            "uuid": "28313304-770d-45ba-acd2-e0917007d128",
            "value": "7f54cf5e2beb3f1f5d2b3ba1c6a16ce1927ffecd20a9d635329b1e16cb74fb14",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776689244",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a4397677-ce5c-4ab5-a808-4aa006d5e5c2",
            "value": "196608:lrnLYG3zDhukOGrnLYG3zfrnLYG3z5rnLYG3zrrnLYG3zGrnLYG3zxrnLYG3z8:lbDDDgvGbDDfbDD5bDDrbDDGbDDxbDD8"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776689244",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a0b2f66b-c6ae-4033-8537-75059f236e64",
            "value": "13430784"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776689244",
            "to_ids": true,
            "type": "vhash",
            "uuid": "f76a9279-1730-42b2-a661-13528204bd5a",
            "value": "45155b83172cd3ff230fec9025027227"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776689244",
            "to_ids": true,
            "type": "filename",
            "uuid": "2488d956-ac7a-46c8-bf11-52c65bb2ca98",
            "value": "404newbotvbs.msi"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/04/2026\nLast-scan\t:  20/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776689244",
            "to_ids": false,
            "type": "text",
            "uuid": "26505ed0-22e6-4e24-9354-6f4a632a22a5",
            "value": "Type Descriptio%WINDIR%\\Installer\nMicrosoft: None\nVT Total Detection:13/63\nFirst Submission:2026-04-15T19:54:19.000000+00:00\nLast Submission:2026-04-15T19:54:19.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776693144",
        "uuid": "799e6381-5365-402b-8f6e-e6b4a4b423bf",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776693144",
            "to_ids": true,
            "type": "md5",
            "uuid": "359e0d1c-11ee-463f-9474-1d158fcd5a5c",
            "value": "5910e350b1f109be941c30b4277b7773",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776692019",
            "to_ids": true,
            "type": "sha1",
            "uuid": "678323ef-592b-4b10-961e-3e7d17a3c701",
            "value": "b138501b71918d3d2a630ca5368e824c3234d3c7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776692019",
            "to_ids": true,
            "type": "sha256",
            "uuid": "0e4a3e22-e3c6-423c-92f8-f092a1904ca0",
            "value": "82d603c0b387116b7effdee6f361ca982c188de0c208e681e942300a0139c03f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776689266",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "7ca1c89f-d2dc-4e29-a123-cc87d80be579",
            "value": "196608:0uY6/ID0pUzPLhQNQm8NkKekA1HeT39IigwqPauDXURuAThJw4jekBAR78C:i63pUTLfhJe1+TtIiFqCuARuATzw4j54"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776689266",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "5da64155-9649-4b92-baed-0b7589b32984",
            "value": "12268667"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776689266",
            "to_ids": true,
            "type": "vhash",
            "uuid": "b6fb39cf-af00-4e76-b7c2-d3ae5fe67442",
            "value": "017076655d155515755048z64!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776689266",
            "to_ids": true,
            "type": "filename",
            "uuid": "3060128e-5837-4421-80ea-e2574a4cd361",
            "value": "44tspt23.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/04/2026\nLast-scan\t:  20/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776689266",
            "to_ids": false,
            "type": "text",
            "uuid": "f503238f-6dc2-4358-9a65-c14fafbc6c4f",
            "value": "Type Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:15/72\nFirst Submission:2026-02-26T21:41:11.000000+00:00\nLast Submission:2026-03-07T21:37:53.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776693165",
        "uuid": "e6d60bf5-25ab-4766-b728-951e23cb0ecb",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776693165",
            "to_ids": true,
            "type": "md5",
            "uuid": "494584c0-28d3-4c70-b0ce-406756631d80",
            "value": "61bfe4b57c261ed4a90d84457d1de032",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776692019",
            "to_ids": true,
            "type": "sha1",
            "uuid": "8af6b74f-c918-4f7c-afe1-da5f18027bd6",
            "value": "4eac6894e9f872a240fb527edebd099d41378fde",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776692019",
            "to_ids": true,
            "type": "sha256",
            "uuid": "394223c8-4948-4817-a187-b74a3067a763",
            "value": "8a3d6a6870b64767ad2cc9ad4db728abf08bae84726b06be6cb97faac6c14ae4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776689288",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c205f3d9-99b5-49a2-9071-21af9df1e07a",
            "value": "393216:RmkEdr03NldJmkEdMmkEdjmkEdAmkEdLmkEdCmkEd:LEtcxjEOETEWEHEEE"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776689288",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "06c87d38-1d5b-4de6-b379-58162ebfa574",
            "value": "15872000"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776689288",
            "to_ids": true,
            "type": "vhash",
            "uuid": "065f8cbc-6b5a-4454-88ef-c52f27127d07",
            "value": "45155b83172cd3ff230fec9025027227"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776689288",
            "to_ids": true,
            "type": "filename",
            "uuid": "7ebb1b7f-bb40-4194-88c4-e7eaa85bd221",
            "value": "ScreenConnect.ClientSetup.signed.msi"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/04/2026\nLast-scan\t:  20/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776689288",
            "to_ids": false,
            "type": "text",
            "uuid": "7fa18739-ddde-4de9-bdd5-9340c3e7f7a6",
            "value": "Type Descriptio%WINDIR%\\Installer\nMicrosoft: None\nVT Total Detection:13/63\nFirst Submission:2026-04-15T21:14:55.000000+00:00\nLast Submission:2026-04-15T21:14:55.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776693187",
        "uuid": "e1ea9302-b89c-46a0-9994-df6b8f363bc6",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776693187",
            "to_ids": true,
            "type": "md5",
            "uuid": "ea3d3257-1279-47b0-8f50-9d336514835c",
            "value": "a7314f3343ab053d76054628ad7fe4d4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776692020",
            "to_ids": true,
            "type": "sha1",
            "uuid": "78b610f4-b2f8-4102-ab8e-1be9068dfb50",
            "value": "83947aad0e152645c2cb5826ccf1cd22617efa14",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776692020",
            "to_ids": true,
            "type": "sha256",
            "uuid": "38224388-77fe-4668-a028-7e838f7b7a63",
            "value": "b861e3682ca3326d6b29561e4b11f930f4a9f10e9588a3d48b09aa6c36a8ea80",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776689310",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "522553ce-246c-4dc9-b706-b364c7f124a5",
            "value": "786432:/rKU6DT0ucbTbMv22zAeV/X+0tdshTc3XyPteDeCOdeuKF1bt:/uRf+nAu2FuQd73XyFeDMnKTt"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776689310",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "50b747dd-b2c2-4cd0-a3dc-6d43707d4276",
            "value": "38833672"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776689310",
            "to_ids": true,
            "type": "vhash",
            "uuid": "0a74bce7-19f3-4533-a689-18c0908d7201",
            "value": "037056656d1555607016z71mz191zc019z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776689310",
            "to_ids": true,
            "type": "filename",
            "uuid": "f26972b6-8932-47f1-8c71-0eeda36792bb",
            "value": "Remote Access-windows64-offline.exe_ico"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/04/2026\nLast-scan\t:  20/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776689310",
            "to_ids": false,
            "type": "text",
            "uuid": "c6a26676-824c-4831-a773-3add38686934",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Wacatac.A!ml\nVT Total Detection:24/72\nFirst Submission:2026-02-17T21:38:42.000000+00:00\nLast Submission:2026-02-17T21:38:42.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776693208",
        "uuid": "cfe38e7c-6018-4528-8a1b-77fce801611f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776693208",
            "to_ids": true,
            "type": "md5",
            "uuid": "4bdd7828-b0ac-44ae-9327-95dcbbd55086",
            "value": "9a2b3b96b7986e19537586d450305bb0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776692022",
            "to_ids": true,
            "type": "sha1",
            "uuid": "d43b34a5-4d17-400e-a672-b066db50c950",
            "value": "10f86cda57c91a5553aece5ee0541de44a0f967b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776692022",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b82939d2-f20d-4a74-b2e9-74e10d92498c",
            "value": "d9832d9208b2c4a34cf5220b1ebaf11f0425cf638ac67bf4669b11c80e460f58",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776689332",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "7413c924-b479-447f-9fa6-f903d0a5fd7d",
            "value": "786432:iv2fI6Dr8dqHfYaUqVy9uZiFpZJi5Ly6Ba:/fIo+F5JfZE1xa"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776689332",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "d296d919-786e-4311-a46e-c708a94625c7",
            "value": "26414592"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776689332",
            "to_ids": true,
            "type": "vhash",
            "uuid": "9880934b-e2b3-452d-992f-a902336560bd",
            "value": "bb11f80b2812176f4fe77ff62711e031"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776689332",
            "to_ids": true,
            "type": "filename",
            "uuid": "e69f8693-d352-4a65-8d53-604ab94b07e9",
            "value": "windows_agent_x64.msi"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/04/2026\nLast-scan\t:  20/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776689332",
            "to_ids": false,
            "type": "text",
            "uuid": "eff59c5b-338b-4230-bd9e-16a2f9228e8a",
            "value": "Type Description: Windows Installer\nMicrosoft: None\nVT Total Detection:0/64\nFirst Submission:2026-02-09T18:23:29.000000+00:00\nLast Submission:2026-03-27T09:06:29.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776693229",
        "uuid": "48dd2281-edcc-4888-a70b-bfafc9544ac6",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776693229",
            "to_ids": true,
            "type": "md5",
            "uuid": "11492ce9-1c85-463e-a70a-ef5571cc5773",
            "value": "c567c15b5723e8a79f9d7d7d2dbe5404",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776692023",
            "to_ids": true,
            "type": "sha1",
            "uuid": "1fbe3fb7-dce4-4ff0-8c48-a184d5d0645e",
            "value": "4edd36aed5acc23fa3fa65620fc15bd98428c3b5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776692023",
            "to_ids": true,
            "type": "sha256",
            "uuid": "8c865ea1-e958-4e29-8b96-68d292732ae2",
            "value": "de30bb1e367d8c9b8b7d5e04e5178f2758157302638f81480ba018331a6f853e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776689354",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "18452b6b-82a5-4c3c-b5f2-ee2c4191179d",
            "value": "196608:/Hxcp9ym3nltDUJVHHxcp9ym3pHxcp9ym3VHxcp9ym3ZHxcp9ym3uHxcp9ym3YHk:JGplpkGp7GpHGprGp8GpmGp"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776689354",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "5d0d52f6-6a98-4685-8a31-0760e6be4f03",
            "value": "13795328"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776689354",
            "to_ids": true,
            "type": "vhash",
            "uuid": "7dd8ced3-bf30-4231-b00d-0e3d874b00a5",
            "value": "45155b83172cd3ff230fec9025027227"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776689354",
            "to_ids": true,
            "type": "filename",
            "uuid": "1a7da273-3b08-4ae3-bc10-cc35435021ec",
            "value": "msi.msi"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/04/2026\nLast-scan\t:  20/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776689354",
            "to_ids": false,
            "type": "text",
            "uuid": "7bf77226-63e3-4069-b4d1-8efedb052f9e",
            "value": "Type Description: Windows Installer\nMicrosoft: None\nVT Total Detection:17/63\nFirst Submission:2026-04-15T21:12:38.000000+00:00\nLast Submission:2026-04-15T21:12:38.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776693250",
        "uuid": "3fe8c9be-73cb-4a77-895d-6b3b30e55f0e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776693250",
            "to_ids": true,
            "type": "md5",
            "uuid": "0d707fca-11ea-4311-bba3-84ceec9cf216",
            "value": "f7583a7ce6f7fdde9b532ef5c10b27b0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776692023",
            "to_ids": true,
            "type": "sha1",
            "uuid": "08574b56-febf-478d-8dbb-a47ca9205f5d",
            "value": "796e552ca0972547d04688c770691e7c18d8e442",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776692023",
            "to_ids": true,
            "type": "sha256",
            "uuid": "ea616dcf-1174-4150-98a3-d6fd17c681e5",
            "value": "f4977bfeae2a957add1aaf01804d2de2a5a5f9f1338f719db661ac4f53528747",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776689375",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "44cb1d5e-36da-4081-af69-72fe1ef3d3cb",
            "value": "196608:kHxcp9ym3nltDUJV4Hxcp9ym3uHxcp9ym3GHxcp9ym36Hxcp9ym3eHxcp9ym3oHk:CGplpzGp8GpUGpIGpsGp2Gp"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776689375",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "da93e735-858e-4ce9-833f-417eeef7c729",
            "value": "13578240"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776689375",
            "to_ids": true,
            "type": "vhash",
            "uuid": "335085f3-0b67-4c8e-a2f2-7b6978de718b",
            "value": "45155b83172cd3ff230fec9025027227"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776689375",
            "to_ids": true,
            "type": "filename",
            "uuid": "2c6f7da7-a5af-48e8-bd44-2242d0582b1b",
            "value": "1abde.msi"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/04/2026\nLast-scan\t:  20/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776689375",
            "to_ids": false,
            "type": "text",
            "uuid": "9b277208-0b10-415c-bcd9-dfd8e410e2e3",
            "value": "Type Description: Windows Installer\nMicrosoft: None\nVT Total Detection:26/63\nFirst Submission:2026-02-27T19:30:13.000000+00:00\nLast Submission:2026-02-27T19:30:13.000000+00:00"
          }
        ]
      }
    ]
  }
}