{ "Event": { "analysis": "1", "date": "2026-05-07", "extends_uuid": "", "info": "[Threat Intel] TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook", "protected": false, "publish_timestamp": "1779546851", "published": true, "threat_level_id": "3", "timestamp": "1779546850", "uuid": "31e26c64-8653-4eb8-9977-4da1d6c0cc22", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#5f1b93", "local": false, "name": "misp-galaxy:producer=\"Elastic\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#130049", "local": false, "name": "rectifyq:sub-category=\"campaign-analysis\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#31373d", "local": false, "name": "rectifyq:MY-relevancy=\"not-relevant\"", "relationship_type": "" }, { "colour": "#17c030", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Application Window Discovery - T1010\"", "relationship_type": "" }, { "colour": "#62e1b7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Browser Session Hijacking - T1185\"", "relationship_type": "" }, { "colour": "#9dc839", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Clipboard Data - T1115\"", "relationship_type": "" }, { "colour": "#e1e63b", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Debugger Evasion - T1622\"", "relationship_type": "" }, { "colour": "#a92e1c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"", "relationship_type": "" }, { "colour": "#e43954", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"", "relationship_type": "" }, { "colour": "#4c0fbb", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"", "relationship_type": "" }, { "colour": "#72ee33", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"", "relationship_type": "" }, { "colour": "#0c8fe6", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Local Email Collection - T1114.001\"", "relationship_type": "" }, { "colour": "#7eb739", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Msiexec - T1218.007\"", "relationship_type": "" }, { "colour": "#f5a258", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"", "relationship_type": "" }, { "colour": "#e08bb2", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"", "relationship_type": "" }, { "colour": "#755c09", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"", "relationship_type": "" }, { "colour": "#62f4c1", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"", "relationship_type": "" }, { "colour": "#43c8db", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"", "relationship_type": "" }, { "colour": "#705cef", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"", "relationship_type": "" }, { "colour": "#8ee8d8", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"", "relationship_type": "" }, { "colour": "#5539fe", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"", "relationship_type": "" }, { "colour": "#2c1d2e", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Checks - T1497.001\"", "relationship_type": "" }, { "colour": "#7d7034", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Language Discovery - T1614.001\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Shutdown/Reboot - T1529\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Time Based Evasion - T1497.003\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Portal Capture - T1056.003\"", "relationship_type": "" }, { "colour": "#92e858", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"", "relationship_type": "" }, { "colour": "#9e0269", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Service - T1102\"", "relationship_type": "" }, { "colour": "#02475d", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-original-src\"", "relationship_type": "" }, { "colour": "#c94db5", "local": false, "name": "misp-galaxy:target-information=\"Brazil\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Bank\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778238036", "to_ids": false, "type": "link", "uuid": "f57c5d6a-aec9-459d-98c7-88846d7fb35f", "value": "https://www.elastic.co/security-labs/tclbanker-brazilian-banking-trojan" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1778238036", "to_ids": false, "type": "text", "uuid": "a93fa2cd-ab49-4c81-b3c5-348088b605f5", "value": "A sophisticated Brazilian banking trojan named TCLBANKER has been identified, representing a significant evolution of the MAVERICK/SORVEPOTEL malware family. The campaign employs a trojanized Logitech installer that deploys two .NET Reactor-protected modules through DLL side-loading. The banking trojan monitors 59 Brazilian financial institutions using UI Automation and features a WPF-based full-screen overlay framework for operator-driven social engineering attacks, including credential harvesting and fake system screens. A secondary worm module enables self-propagation through WhatsApp session hijacking and Outlook COM automation, sending phishing messages from victims' own accounts. The malware implements robust anti-analysis capabilities including environment-gated payload decryption, comprehensive watchdog systems, and ETW patching. Infrastructure is hosted on Cloudflare Workers, with evidence suggesting the campaign was detected in early operational stages." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1778238036", "to_ids": false, "type": "text", "uuid": "b699b0b6-1d3d-44ac-971d-e094e05998dd", "value": "Name: TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook\nAuthor: AlienVault\nAdversary: REF3076\nTags: [\"whatsapp worm\", \"tclbanker\", \"maverick\", \"sorvepotel\"]\nTgtd countries: []\nMlwr families: [\"TCLBANKER\", \"MAVERICK\", \"SORVEPOTEL\"]\nAttack_ids: []\nIndustries: [\"Finance\"]" }, { "category": "Attribution", "comment": "Adversary", "deleted": false, "disable_correlation": false, "timestamp": "1778238036", "to_ids": false, "type": "threat-actor", "uuid": "e9997af2-b03b-4d45-bebf-4885145a924c", "value": "REF3076" }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:16/05/2026", "deleted": false, "disable_correlation": false, "timestamp": "1779546850", "to_ids": true, "type": "sha1", "uuid": "33ca3c0b-c706-4124-8a56-69c1fe411224", "value": "91fafaa1240676afe5c55d931261e3798797c408", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778951228", "to_ids": true, "type": "domain", "uuid": "0200c80f-8a41-4345-ad5f-2fc364cec8f9", "value": "afonsoferragista.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778951249", "to_ids": true, "type": "domain", "uuid": "73c0ee82-f1e2-4443-92dc-f235cc986b92", "value": "arquivos-omie.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778951270", "to_ids": true, "type": "domain", "uuid": "6805bb3d-da96-45eb-b71b-a5e192e8e076", "value": "doccompartilhe.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778951291", "to_ids": true, "type": "domain", "uuid": "382527de-e649-4990-b9ad-4571105aec4d", "value": "documentos-online.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778951312", "to_ids": true, "type": "domain", "uuid": "4fa17f5e-55ee-4684-bd34-82eb77b8db56", "value": "mxtestacionamentos.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778951333", "to_ids": true, "type": "domain", "uuid": "0bbd9aff-8dea-4e6a-bcb2-530cbb01067d", "value": "recebamais.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778951354", "to_ids": true, "type": "domain", "uuid": "78848f56-34d6-4f4c-ab2b-783048361d12", "value": "saogeraldoshiping.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778951376", "to_ids": true, "type": "hostname", "uuid": "4283b72b-c26a-4506-b4fe-a1b98ccbb8ea", "value": "window.navigator.chrome", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778951397", "to_ids": true, "type": "hostname", "uuid": "99e352e0-82d4-4773-9236-2be7dd69b4ae", "value": "campanha1-api.ef971a42.workers.dev", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778951418", "to_ids": true, "type": "hostname", "uuid": "8ac5d846-8bce-4428-a576-ef5019178efa", "value": "documents.ef971a42.workers.dev", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779546841", "uuid": "e4a76d36-6797-4237-b86b-ed83522648c3", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779546840", "to_ids": true, "type": "md5", "uuid": "5acca133-cdbd-4bb2-a79e-f4398b401679", "value": "e0d1eedaa0c1f98f50726df729594edc", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779546840", "to_ids": true, "type": "sha1", "uuid": "999a8d19-c6ca-49e1-aa0c-e2bd297a028c", "value": "94f21c140afd18b43d5a0f274216545442b3f6cd", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779546841", "to_ids": true, "type": "sha256", "uuid": "7736abc4-d28b-4209-8a21-3701b41e0633", "value": "701d51b7be8b034c860bf97847bd59a87dca8481c4625328813746964995b626", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1778945433", "to_ids": true, "type": "ssdeep", "uuid": "46b5ef5f-f082-40e6-81a2-96a24c8bc324", "value": "196608:SSgRI7ouwcNWtiUp8CWaiZGeCA7eMU3YJWk3HH6aFUWphuOabdIXQdNUDuhm68Me:hScGoIoUaWkXXU6wtNURYu" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1778945433", "to_ids": false, "type": "size-in-bytes", "uuid": "567ada4d-7ecf-47d8-8a95-a38d30657089", "value": "16603648" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1778945433", "to_ids": true, "type": "vhash", "uuid": "48360d56-5a33-4c21-83ce-502cbd92b60f", "value": "117076657d155d05155018z66?z1" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1778945433", "to_ids": true, "type": "filename", "uuid": "adbfa191-f6cb-4a6f-bae5-297b82bb3ecc", "value": "screen_retriever_plugin.dll" }, { "category": "Other", "comment": "Checked: 16/05/2026\nLast-scan\t: 15/05/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1778945433", "to_ids": false, "type": "text", "uuid": "da672a0e-d52a-49fa-98ca-3af649fb1466", "value": "Type Description: Win32 DLL\nMicrosoft: Trojan:Win64/AgentB.AHC!MTB\nVT Total Detection:41/71\nFirst Submission:2026-03-30T15:03:49.000000+00:00\nLast Submission:2026-03-30T15:03:49.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779546843", "uuid": "26da7667-1dc4-4509-95a6-39cd8d996408", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779546843", "to_ids": true, "type": "md5", "uuid": "ac3bfc23-1d99-4c31-884b-417a823a1176", "value": "87d4f447e11e571dc12f8d1985299ad0", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779546843", "to_ids": true, "type": "sha1", "uuid": "1c569c52-34ce-4224-871b-e23fd026f0fd", "value": "5c9a4742edde81e56dc3ca7367e085187a7f0dda", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779546843", "to_ids": true, "type": "sha256", "uuid": "b62d0e2a-1c57-4b21-8534-861fe48e1912", "value": "63beb7372098c03baab77e0dfc8e5dca5e0a7420f382708a4df79bed2d900394", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1778945475", "to_ids": true, "type": "ssdeep", "uuid": "1a51b7ff-7270-433a-a107-d06a60c2f1f9", "value": "393216:S2o1wYwN/eixCpRLIxFx6fKp2WkSHFrpf96+WhN07Tfd6dJ7dg1qRlBKX57KWG7y:StwYwZxuVwTxpf9YN07TV6dtdg1KoX51" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1778945475", "to_ids": false, "type": "size-in-bytes", "uuid": "902877c4-3ce1-4c0f-aa98-027a72efde4a", "value": "24457914" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1778945475", "to_ids": true, "type": "vhash", "uuid": "c3bd82af-c53c-41f2-ab4d-942af3d28213", "value": "f370b69e37c705b96502311f31f41df5" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1778945475", "to_ids": true, "type": "filename", "uuid": "8c77fa2e-a461-45cc-8edf-7a3b9be46aa6", "value": "XXL_21042026-181516.zip" }, { "category": "Other", "comment": "Checked: 16/05/2026\nLast-scan\t: 15/05/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1778945475", "to_ids": false, "type": "text", "uuid": "07bb2b3f-86db-42c5-9b70-6e85dd68a5c7", "value": "Type Description: ZIP\nMicrosoft: Trojan:Win32/Ravartar!rfn\nVT Total Detection:28/65\nFirst Submission:2026-05-06T15:09:07.000000+00:00\nLast Submission:2026-05-06T15:09:07.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779546846", "uuid": "0c8c3617-11aa-4699-9889-3a669a4e7212", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779546845", "to_ids": true, "type": "md5", "uuid": "35db5689-8bda-4df0-a11d-8f6d2c506a69", "value": "1b143123e7d27f4e9eb429afe465c483", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779546846", "to_ids": true, "type": "sha1", "uuid": "6f64ccb1-f27d-4701-9916-252d86279392", "value": "22f6e2b777f86fe5445a5823b988c5618ed05317", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779546846", "to_ids": true, "type": "sha256", "uuid": "e771a247-2d9e-4200-b4a8-78ecec6e8369", "value": "668f932433a24bbae89d60b24eee4a24808fc741f62c5a3043bb7c9152342f40", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1778945497", "to_ids": true, "type": "ssdeep", "uuid": "35ff36df-1280-4690-b373-0e662100c3b0", "value": "98304:nPrKtY9b4SMx6U9pkEKBRe2SFbI278Bmsim:z990S4aEKO2SFbI2YA" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1778945497", "to_ids": false, "type": "size-in-bytes", "uuid": "dafc1a89-2d4b-459a-8644-5e6bcb6534ee", "value": "3845120" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1778945497", "to_ids": true, "type": "vhash", "uuid": "d8add459-bd6b-472e-9cac-75c00a044180", "value": "136076657d155d05155018z69?z1" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1778945497", "to_ids": true, "type": "filename", "uuid": "a532646b-8744-41cf-b184-d3cc2e6dabc2", "value": "screen_retriever_plugin.dll" }, { "category": "Other", "comment": "Checked: 16/05/2026\nLast-scan\t: 15/05/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1778945497", "to_ids": false, "type": "text", "uuid": "a12403b1-5d9d-463a-b1a1-5459961dc8f2", "value": "Type Description: Win32 DLL\nMicrosoft: Trojan:Win32/Malgent\nVT Total Detection:44/71\nFirst Submission:2026-05-06T15:09:49.000000+00:00\nLast Submission:2026-05-06T15:09:49.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779546849", "uuid": "a8e51a26-5b69-4091-b2e0-3a3c331bfac0", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779546848", "to_ids": true, "type": "md5", "uuid": "798e59e8-46c8-4850-85db-fd508e228c10", "value": "d2ca15781ebc104a7031c8982dafa8ab", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779546848", "to_ids": true, "type": "sha1", "uuid": "03706693-8f2b-4c75-857a-db2964d901bf", "value": "4544e11195c4ccea90a0482a6ab2d38cc0e5f253", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779546849", "to_ids": true, "type": "sha256", "uuid": "c64557d1-832a-47ad-9d72-6ffa5c1fa4d9", "value": "8a174aa70a4396547045aef6c69eb0259bae1706880f4375af71085eeb537059", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1778945519", "to_ids": true, "type": "ssdeep", "uuid": "18f39581-2794-4c18-87ac-8b86b5c287fe", "value": "98304:+Zuq4kUWhOA6IqJAJ8m7uW4+NDiCYjvvSD+htuv:+Eq4kpgpSg0DiCUvy+h" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1778945519", "to_ids": false, "type": "size-in-bytes", "uuid": "04f7fc36-7c91-4b9c-96d9-13d63fb05d88", "value": "3844096" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1778945519", "to_ids": true, "type": "vhash", "uuid": "f077d17e-0825-440c-b78f-426404833a01", "value": "136076657d155d05155018z69?z1" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1778945519", "to_ids": true, "type": "filename", "uuid": "f0d5c063-7434-43b4-810d-59274d52b5cb", "value": "screen_retriever_plugin.dll" }, { "category": "Other", "comment": "Checked: 16/05/2026\nLast-scan\t: 15/05/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1778945519", "to_ids": false, "type": "text", "uuid": "fa5c7499-1721-4611-8144-617e9bb6c74a", "value": "Type Description: Win32 DLL\nMicrosoft: Trojan:Win64/TclBanker.DA!MTB\nVT Total Detection:50/71\nFirst Submission:2026-04-22T22:11:40.000000+00:00\nLast Submission:2026-04-27T16:44:08.000000+00:00" } ] } ] } }