{
  "Event": {
    "analysis": "1",
    "date": "2026-04-09",
    "extends_uuid": "",
    "info": "[Threat Intel] In-Memory Loader Drops ScreenConnect",
    "protected": false,
    "publish_timestamp": "1776175455",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1776175455",
    "uuid": "2dbd1228-a857-407a-bc73-c4928975784a",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#6dbaba",
        "local": false,
        "name": "misp-galaxy:producer=\"Zscaler\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b0fe1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Masquerade Task or Service - T1036.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#c202a1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#98f3da",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Visual Basic - T1059.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#f5a258",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#d74cce",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Bypass User Account Control - T1548.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#2c1d2e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Checks - T1497.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7eb739",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Msiexec - T1218.007\"",
        "relationship_type": ""
      },
      {
        "colour": "#e43954",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#73cdf4",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Portable Executable Injection - T1055.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#3c0f50",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#9e51c3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Create Process with Token - T1134.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775818811",
        "to_ids": false,
        "type": "link",
        "uuid": "1b3a930a-dbaf-4682-a876-e705ecf04bfb",
        "value": "https://www.zscaler.com/blogs/security-research/memory-loader-drops-screenconnect"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775818811",
        "to_ids": false,
        "type": "text",
        "uuid": "8409b932-dbd6-419a-bc0e-880ef67045e2",
        "value": "In February 2026, an attack chain was discovered that utilized a fraudulent Adobe Acrobat Reader download page to deceive victims into installing ConnectWise's ScreenConnect, a legitimate remote access tool exploited for malicious purposes. The attack employs sophisticated evasion techniques including heavy obfuscation, .NET reflection for in-memory payload execution, and dynamic code construction. A VBScript loader initiates the chain by downloading and executing obfuscated PowerShell commands that compile C# code entirely in memory. The loader manipulates the Process Environment Block to masquerade as legitimate Windows processes and abuses auto-elevated COM objects to bypass User Account Control without user prompts. This multi-layered approach successfully evades signature-based defenses and hinders forensic analysis while ultimately deploying ScreenConnect for unauthorized remote access."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775818811",
        "to_ids": false,
        "type": "text",
        "uuid": "110ff9ad-54d6-4225-840a-835e0a7e0714",
        "value": "Name: In-Memory Loader Drops ScreenConnect\nAuthor: AlienVault\nAdversary: \nTags: [\"in-memory execution\", \"powershell staging\", \"com abuse\", \"remote access tool\", \"peb manipulation\", \"screenconnect\", \"vbscript loader\", \"uac bypass\"]\nTgtd countries: []\nMlwr families: [\"ScreenConnect\"]\nAttack_ids: [\"T1036.004\", \"T1027\", \"T1566.002\", \"T1059.005\", \"T1106\", \"T1204.002\", \"T1548.002\", \"T1497.001\", \"T1218.007\", \"T1562.001\", \"T1055.002\", \"T1027.002\", \"T1059.001\", \"T1134.002\", \"T1105\", \"T1140\"]\nIndustries: []"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:13/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776166998",
        "to_ids": true,
        "type": "md5",
        "uuid": "fd9b3c0e-bfe2-4193-be8c-da7fe712159a",
        "value": "c02448e016b2568173de3eedadd80149",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:13/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776166999",
        "to_ids": true,
        "type": "md5",
        "uuid": "9dbbc24b-8fd5-4549-a36f-973b12e4d114",
        "value": "e4b594a18fc2a6ee164a76bdea980bc0",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#230087",
            "local": false,
            "name": "rectifyq:samples-found-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776167358",
        "to_ids": true,
        "type": "url",
        "uuid": "21c3bf86-32d3-40cd-9e99-9955ef86da7b",
        "value": "http://eshareflies.im/ad/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "ScreenConnect installer download",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776167379",
        "to_ids": true,
        "type": "url",
        "uuid": "affcadc1-9805-4216-8677-965aea364c33",
        "value": "http://x0.at/qOfN.msi",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "ScreenConnect installer download",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776167400",
        "to_ids": true,
        "type": "url",
        "uuid": "627b2e86-d69c-4366-9fbd-eba60509937a",
        "value": "https://x0.at/qOfN.msi",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776167421",
        "to_ids": true,
        "type": "domain",
        "uuid": "57efb218-bff5-4aa2-9837-ca6a7741d0bd",
        "value": "eshareflies.im",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Fraudulent page URL",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776167442",
        "to_ids": true,
        "type": "url",
        "uuid": "866b65bb-1f59-43da-8f06-870454226b7d",
        "value": "eshareflies.im/ad/",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "TXT download",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776167463",
        "to_ids": true,
        "type": "url",
        "uuid": "381ea3b3-1e0c-4901-be7d-0feb203665c9",
        "value": "drive.google.com/uc?id=1TVJir-OlNZrLjm5FyBMk_hDjG9BV1zCy&export=download",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "TXT download",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776167485",
        "to_ids": true,
        "type": "url",
        "uuid": "828c00cf-1039-4737-b6bf-4f0e1ba74bc1",
        "value": "drive.google.com/uc?id=1pyyQRpUmH0YtPG-VqvMNzKUo9i8-RZ7L&export=download",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "TXT download",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776167506",
        "to_ids": true,
        "type": "url",
        "uuid": "d2e0b224-e16b-462e-b4a1-f5a696e31ddd",
        "value": "drive.google.com/uc?id=1xuJR29UP5VcY6Nvwc7TDtt7fmcGGqIVc&export=download",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776167527",
        "uuid": "1aa2ef7f-22b2-467a-a9fd-52e3c50faa61",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776167527",
            "to_ids": true,
            "type": "md5",
            "uuid": "63599fcb-3b3f-41ce-affe-4a14ed6392bd",
            "value": "07720d8220abc066b6fdb2c187ae58f5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776166991",
            "to_ids": true,
            "type": "sha1",
            "uuid": "4438e991-00eb-4715-97cd-55f6d0348b79",
            "value": "77e4c373b7efb59fc6bac7ad31bed0ce52735095",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776166991",
            "to_ids": true,
            "type": "sha256",
            "uuid": "18f20b6c-5825-423a-a449-dc2d0c7e5ce8",
            "value": "788a9f6845d257e1a61883f7961ca6ed6a77e6eae960f9ea579251cad985c887",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776072144",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "3e3bc4d8-9296-44ef-9a8a-2da65934c156",
            "value": "192:comjWAt1rxGDnlNl/vHOBYaYhYYGYYhYYGLnGvWYYhb3chDvUs0prhLUcX:1mM"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776072144",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "bdfbe57b-c777-4f07-bcb4-6ea277c36612",
            "value": "14775"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776072144",
            "to_ids": true,
            "type": "vhash",
            "uuid": "447c5622-b837-4a87-ab60-6fdb162d1182",
            "value": "66f0b2a24ab21c090efdc4e4698d9a0f"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776072144",
            "to_ids": true,
            "type": "filename",
            "uuid": "a575a53a-b21f-474a-8475-66e78170c371",
            "value": "updatv35.vbs"
          },
          {
            "category": "Other",
            "comment": "Checked: 13/04/2026\nLast-scan\t:  13/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776072144",
            "to_ids": false,
            "type": "text",
            "uuid": "9891b4f4-bc3f-497f-97e6-4086b38c1a62",
            "value": "Type Description: VBA\nMicrosoft: Trojan:VBS/Obfuse.PAD!MTB\nVT Total Detection:26/62\nFirst Submission:2026-02-24T19:18:54.000000+00:00\nLast Submission:2026-02-25T12:54:44.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776167549",
        "uuid": "940a2844-5cef-4338-84fc-19968bb0a1c4",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776167549",
            "to_ids": true,
            "type": "md5",
            "uuid": "85c4ca14-0bfe-4597-aaa4-e5d8be13bdf4",
            "value": "07f95ff34fb330875d80afadca3f0d5b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776166992",
            "to_ids": true,
            "type": "sha1",
            "uuid": "3727b569-0b93-442a-b44c-00e3c9d6cdc2",
            "value": "d1d10b9fe669a423312b24864e0a9eafbbd2d9e1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776166992",
            "to_ids": true,
            "type": "sha256",
            "uuid": "c346d3fb-1071-4e3e-a5e7-0a8896df45cd",
            "value": "a5fc49f0952e1dd2b481f9a7b0f6010b2be25660eeebb9094247f3370c517394",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776072166",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "27499fe6-fc5b-4695-9d50-8398d1441a29",
            "value": "1536:UlbLsHpX/3mbmtNYNYzRgxtkg3lIzhBzE4V4Ep7YdEn4hDIx4mxhLnhVGNTsV/lP:h"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776072166",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "46b83849-42c1-4b67-b1f8-9a6e8256460e",
            "value": "669569"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776072166",
            "to_ids": true,
            "type": "filename",
            "uuid": "4fc9fe45-24ae-4323-bc00-fad0d4a2e725",
            "value": "drive.google.com_sample.bin"
          },
          {
            "category": "Other",
            "comment": "Checked: 13/04/2026\nLast-scan\t:  13/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776072166",
            "to_ids": false,
            "type": "text",
            "uuid": "cdde6e05-e3d6-43b9-93c0-b4138f348532",
            "value": "Type Description: Text\nMicrosoft: None\nVT Total Detection:3/62\nFirst Submission:2026-02-24T22:51:47.000000+00:00\nLast Submission:2026-03-05T16:07:06.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776167570",
        "uuid": "be3abc98-a9d3-44c4-a42c-1e53a8b4faa3",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776167570",
            "to_ids": true,
            "type": "md5",
            "uuid": "4f9ad74c-8639-4224-9a90-1739e9378bc1",
            "value": "3d389886e95f00fade1eea67a6c370d1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776166994",
            "to_ids": true,
            "type": "sha1",
            "uuid": "ee05e703-89b4-4f51-a25e-6df21f939824",
            "value": "7781dbc943c880989dd6be0c5c5ebe5bfabe61b4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776166994",
            "to_ids": true,
            "type": "sha256",
            "uuid": "44598944-5504-4eab-851f-ee99a57e229e",
            "value": "c87dcb5474f9d8ad685ec3fcafd7be9ddc6d82286b8a76b09a89eadb321b4ad4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776072188",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e2164905-ce2f-488e-ab64-1ab20e07e170",
            "value": "393216:MmkEdQ03NldhmkEdLmkEdvmkEdYmkEdXmkEdumkEd:0E2cxbE7E/EWELEQE"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776072188",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "11e8ff78-346c-4532-acba-334972662418",
            "value": "15499264"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776072188",
            "to_ids": true,
            "type": "vhash",
            "uuid": "22f0b4df-5905-4e40-9c15-104e645d8894",
            "value": "45155b83172cd3ff230fec9025027227"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776072188",
            "to_ids": true,
            "type": "filename",
            "uuid": "9defc611-c929-46ad-b2b9-cc725bd9eeab",
            "value": "qOfN.msi"
          },
          {
            "category": "Other",
            "comment": "Checked: 13/04/2026\nLast-scan\t:  13/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776072188",
            "to_ids": false,
            "type": "text",
            "uuid": "4279eccb-18d0-47ae-9917-82766a821072",
            "value": "Type Description: Windows Installer\nMicrosoft: None\nVT Total Detection:14/63\nFirst Submission:2026-04-09T17:31:51.000000+00:00\nLast Submission:2026-04-10T12:26:44.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776167591",
        "uuid": "2fcaf1fc-8e21-4a97-b977-9480a7e74413",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776167591",
            "to_ids": true,
            "type": "md5",
            "uuid": "df44b2f5-009c-4cf6-bc2c-b29ff61821ef",
            "value": "3effadb977eddd4c48c7850c8dc03b13",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776166995",
            "to_ids": true,
            "type": "sha1",
            "uuid": "23e214f8-d2ef-407a-891b-dd66935bc9ab",
            "value": "aa56b3768ddd6b3de0be0e2992d6b41ddc5d4eb9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776166995",
            "to_ids": true,
            "type": "sha256",
            "uuid": "2074e621-9e26-4512-89d4-b5e61786ebfe",
            "value": "0d59c7ebaa3db186b1fb0dc3437804dffdf36ac0894885d687701cea51356d2e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776072210",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "46d97d81-f914-483a-865f-623a77e5739b",
            "value": "1536:UwVEnHpX/3mbmtNYNYzRgxtkg3lIzhBzE4V4Ep7YdEn4hDIx4mxhLnhVGNTsV/la:B"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776072210",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "147780a1-d142-4181-a76b-34cc0be07bf3",
            "value": "680989"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776072210",
            "to_ids": true,
            "type": "filename",
            "uuid": "a14263da-3746-4c11-9339-cea7595e6185",
            "value": "STB_Test.txt"
          },
          {
            "category": "Other",
            "comment": "Checked: 13/04/2026\nLast-scan\t:  13/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776072210",
            "to_ids": false,
            "type": "text",
            "uuid": "fb88bc4f-c659-4669-aa3f-ce8376e62f8a",
            "value": "Type Description: Text\nMicrosoft: None\nVT Total Detection:2/62\nFirst Submission:2026-04-10T17:00:17.000000+00:00\nLast Submission:2026-04-10T17:00:17.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776167612",
        "uuid": "aad30b60-a8a7-4849-aa5f-31d8c518d089",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776167612",
            "to_ids": true,
            "type": "md5",
            "uuid": "e1ed50de-50b9-4914-91f1-df449f3753bf",
            "value": "a7e5dbec37c8f431d175dfd9352db59f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776166996",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e62200c7-e376-4098-b6dc-890939cff57e",
            "value": "a2d6cdfa8f80ab5378cb676aa75838e531a53f2b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776166996",
            "to_ids": true,
            "type": "sha256",
            "uuid": "e4311ae8-4369-426a-bd66-111d39f75c33",
            "value": "7dd8a469122c18d2c18c808b58e3ec9cab78a51b9e48884929ab2d4fad1ed38f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776072231",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "8721af5f-e51c-441e-986a-958392a677c7",
            "value": "1536:U4OhgZHpX/3mbmtNYNYzRgxtkg3lIzhBzE4V4Ep7YdEn4hDIx4mxhLnhVGNTsV/j:H"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776072231",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "40298c3c-ac80-4ee5-8ce0-48ba7645d6bc",
            "value": "681239"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776072231",
            "to_ids": true,
            "type": "filename",
            "uuid": "64e15803-1f7c-4e0d-b8e9-38e17e6a8391",
            "value": "filer.txt"
          },
          {
            "category": "Other",
            "comment": "Checked: 13/04/2026\nLast-scan\t:  13/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776072231",
            "to_ids": false,
            "type": "text",
            "uuid": "036e6c0e-c28e-4414-a52e-5b84dfb68df8",
            "value": "Type Description: Text\nMicrosoft: None\nVT Total Detection:3/62\nFirst Submission:2026-02-24T19:24:30.000000+00:00\nLast Submission:2026-03-06T17:25:56.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776167633",
        "uuid": "a096bb29-4f4e-4211-b0e1-eec8abec506a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776167633",
            "to_ids": true,
            "type": "md5",
            "uuid": "e0b31f3e-df50-4ad7-bfb3-60cbc328706f",
            "value": "c36910c4c8d23ec93f6ae7d7a2496ce5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776166997",
            "to_ids": true,
            "type": "sha1",
            "uuid": "4cd10e17-7fbd-4ad2-aefc-5a53cc5e3f9b",
            "value": "8c645913e0755ed00c5260440916096aa89aed8c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776166997",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a3517ed8-1f0a-441d-adde-c03fe5daf9b9",
            "value": "7577ae95e892eda34e00304308715c65a197216854a85cecfbfd402a3a8964e0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776072274",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "353fdde2-8c77-4656-81c5-87bd50dc2fc8",
            "value": "192:VomhAt1rxGDnlNl/vHORYPYYOYYMLnGvWYYhb3chDvUs0prhLUcX:qmR"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776072275",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "e2fa3e3b-55f1-4b33-834a-2e2f45521cfe",
            "value": "14763"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776072275",
            "to_ids": true,
            "type": "vhash",
            "uuid": "b7de8c6c-e298-4368-8368-0b879459c312",
            "value": "66f0b2a24ab21c090efdc4e4698d9a0f"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776072275",
            "to_ids": true,
            "type": "filename",
            "uuid": "53094eff-b62d-42d3-8c33-7d38e1c60126",
            "value": "yklu9u.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 13/04/2026\nLast-scan\t:  13/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776072275",
            "to_ids": false,
            "type": "text",
            "uuid": "ff50ff73-582c-4aa8-a8b7-7e8981d58258",
            "value": "Type Description: VBA\nMicrosoft: Trojan:VBS/Obfuse.PAD!MTB\nVT Total Detection:29/62\nFirst Submission:2026-02-24T22:47:19.000000+00:00\nLast Submission:2026-03-05T08:01:28.000000+00:00"
          }
        ]
      }
    ]
  }
}