{
  "Event": {
    "analysis": "1",
    "date": "2026-04-23",
    "extends_uuid": "",
    "info": "[Threat Intel] Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla",
    "protected": false,
    "publish_timestamp": "1779545370",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1779545370",
    "uuid": "321fb1a2-b200-4804-a30e-9f8aa3a65ea7",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#0afe32",
        "local": false,
        "name": "misp-galaxy:producer=\"Palo Alto\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ee8d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"",
        "relationship_type": ""
      },
      {
        "colour": "#72ee33",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#5539fe",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#f5a258",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9bb6d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#ece0df",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Video Capture - T1125\"",
        "relationship_type": ""
      },
      {
        "colour": "#1cbe6b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Virtualization/Sandbox Evasion - T1497\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#237502",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File Transfer Protocols - T1071.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Compiled HTML File - T1218.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Agent Tesla\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      },
      {
        "colour": "#220082",
        "local": false,
        "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776942031",
        "to_ids": false,
        "type": "link",
        "uuid": "6babc841-5e13-438b-b421-d24df206f5f1",
        "value": "https://unit42.paloaltonetworks.com/malicious-compiled-html-help-file-agent-tesla/?pdf=download&lg=en&_wpnonce=aa318d37cb"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776942031",
        "to_ids": false,
        "type": "text",
        "uuid": "6ad3b42e-65dc-4f4e-9c6b-a3167ea4d553",
        "value": "This analysis examines an attack chain utilizing malicious compiled HTML help (.chm) files for initial payload delivery. The attack begins with a 7zip compressed file containing a weaponized CHM file that displays a decoy window while executing obfuscated JavaScript code. This JavaScript launches PowerShell commands that verify internet connectivity by pinging Google, then downloads additional PowerShell code disguised as a JPEG file. The second stage decompresses and loads multiple byte arrays in memory, including a loader DLL and compressed Agent Tesla payload. The final Agent Tesla sample executes through process injection into RegAsm.exe and uses FTP protocol to exfiltrate stolen data including keystrokes, screenshots, and camera recordings to attacker-controlled infrastructure at ftp.videoalliance[.]ru."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776942031",
        "to_ids": false,
        "type": "text",
        "uuid": "7c888a58-05ee-485a-ab1c-10d6841b643c",
        "value": "Name: Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla\nAuthor: AlienVault\nAdversary: \nTags: [\"information stealer\", \"anti-analysis techniques\", \"agent tesla\", \"powershell\", \"chm files\", \"compiled html help\", \"ftp exfiltration\", \"javascript obfuscation\"]\nTgtd countries: []\nMlwr families: [\"Agent Tesla - S0331\"]\nAttack_ids: [\"T1113\", \"T1056.001\", \"T1204.002\", \"T1566.001\", \"T1106\", \"T1140\", \"T1555\", \"T1055\", \"T1125\", \"T1497\", \"T1041\", \"T1059.001\", \"T1071.002\", \"T1218.001\", \"T1027\", \"T1105\"]\nIndustries: []"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777321681",
        "to_ids": true,
        "type": "hostname",
        "uuid": "ca2eb831-6af7-41cd-9e14-d1922ac1276a",
        "value": "ftp.videoalliance.ru",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777321702",
        "to_ids": true,
        "type": "domain",
        "uuid": "0c3d3457-7a7d-4adf-8f7d-b6aa4de962a8",
        "value": "pk-consult.hr",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776942031",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "7fe582df-2998-41e3-8102-5066441c4921",
        "value": "CVE-2022-1388"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777321723",
        "to_ids": true,
        "type": "url",
        "uuid": "8eb36524-01b1-465d-b549-a8612acabf76",
        "value": "http://pk-consult.hr/N2.jpg",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776942031",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "2359036c-fcaf-4100-9099-da86d786cf8c",
        "value": "CVE-2025-55182"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545359",
        "uuid": "47bf0b32-52e4-4bb9-a7c3-e11b396f78af",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545358",
            "to_ids": true,
            "type": "md5",
            "uuid": "1cd631ac-912e-40d8-b6c5-c482a4311263",
            "value": "91dbec3653b27c394719fcf5341fe460",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545359",
            "to_ids": true,
            "type": "sha1",
            "uuid": "878c93e7-1c0a-4289-bb56-e1f6e94b4024",
            "value": "f8dbeaf04a5d6667f79b27b3d3deb63e3c89e706",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545359",
            "to_ids": true,
            "type": "sha256",
            "uuid": "96c605fc-f5ac-4eab-b0dd-1770eb07f44e",
            "value": "081fd54d8d4731bbea9a2588ca53672feef0b835dc9fa9855b020a352819feaa",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777312629",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "0e613d9c-fd50-452a-9228-47b592bfcb26",
            "value": "96:8OgLtCVByCciFhVPYtIHNvpeAgCcsISP:8OhVBFFeItYh1sIS"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777312629",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "6eee9554-75c4-465a-858c-4ad94172e02f",
            "value": "11793"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777312629",
            "to_ids": true,
            "type": "filename",
            "uuid": "9c1032a7-cffd-4ab1-9f74-26c570d7ee6a",
            "value": "ORDER OF CONTRACT-pdf.chm"
          },
          {
            "category": "Other",
            "comment": "Checked: 28/04/2026\nLast-scan\t:  27/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777312629",
            "to_ids": false,
            "type": "text",
            "uuid": "436b5576-6003-4556-ac9d-e9f223a01bf0",
            "value": "Type Description: Compiled HTML Help\nMicrosoft: None\nVT Total Detection:38/61\nFirst Submission:2022-01-17T07:49:27.000000+00:00\nLast Submission:2022-01-20T22:00:30.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545362",
        "uuid": "529c9d14-074e-4ff9-8253-9d487016ef44",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545361",
            "to_ids": true,
            "type": "md5",
            "uuid": "83a3f0f5-610c-44b1-9063-99ca5fff3a7a",
            "value": "92ee63cb3b5c54d37b805335ecdb8aa6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545361",
            "to_ids": true,
            "type": "sha1",
            "uuid": "3086fd5e-40a4-41a7-b0bf-8691644e3d1a",
            "value": "2f69d9c1873e66d93862b8ab1e206a358579f7fd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545362",
            "to_ids": true,
            "type": "sha256",
            "uuid": "2b065351-4b9e-4f12-9862-88ab1769991a",
            "value": "0fd2e47d373e07488748ac63d9229fdef4fd83d51cf6da79a10628765956de7a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777312651",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d6466202-b7f1-40da-873e-cac2fad3b702",
            "value": "3072:6YsKHDHXcNR2BPwuoqW0GcvLiHiD0sEX5wzDNAHmbGsQT5nhAcvLiHiD0QEX5wz7:9XDsRgwmW0liTD5IAGbGso5nhniTP5Ib"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777312651",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "ec7c0a01-e0d1-4e1a-9efa-d8a2a2841a7c",
            "value": "161792"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777312651",
            "to_ids": true,
            "type": "vhash",
            "uuid": "38b6c26c-1b69-491a-b84e-f8f9e2c0b0f8",
            "value": "31503675151130d71012021"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777312651",
            "to_ids": true,
            "type": "filename",
            "uuid": "c665328c-deaa-4e62-a3ba-c1f7c9a1c59a",
            "value": "GC.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 28/04/2026\nLast-scan\t:  24/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777312651",
            "to_ids": false,
            "type": "text",
            "uuid": "7b5c4294-9725-41ca-83ea-3f515fb225bd",
            "value": "Type Description: Win32 DLL\nMicrosoft: Trojan:Win32/Sabsik!rfn\nVT Total Detection:44/71\nFirst Submission:2022-01-19T01:12:58.000000+00:00\nLast Submission:2022-01-20T21:35:41.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545365",
        "uuid": "09454723-d13f-4b09-bc4b-4b2b1d9507e7",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545364",
            "to_ids": true,
            "type": "md5",
            "uuid": "1706d98e-9a81-4056-9feb-e470800a007b",
            "value": "7a23f4d94da4fcf01f375c6a7d90be80",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545364",
            "to_ids": true,
            "type": "sha1",
            "uuid": "c980f2cd-fcac-4b5a-9347-37ef9da362d9",
            "value": "a50c2a927bc2d793bd21e29529a267e4de51f48b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545365",
            "to_ids": true,
            "type": "sha256",
            "uuid": "7deec582-24b8-4276-9922-91102d15f2c1",
            "value": "9ba024231d4aed094757324d8c65c35d605a51cdc1e18ae570f1b059085c2454",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777312673",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "0dbbda7b-b71c-4e9f-a26f-5bdce9355906",
            "value": "24576:UoQPLxjTvOfOlbnIeIYW8C7fDP/1n2VOvXUJKs50/crSpGyWRTYjgW/jTv9+TWeD:UoQPLxjTvOfOlbnIeIYW8C7fDP/1n2Vt"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777312673",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "fc79be96-14d6-4410-aad1-e73e07803020",
            "value": "1227736"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777312673",
            "to_ids": true,
            "type": "vhash",
            "uuid": "9a2f93e6-2f69-45bf-8c3d-46a8d6015f98",
            "value": "797838a780ae6096684e47caebcd8c11"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777312673",
            "to_ids": true,
            "type": "filename",
            "uuid": "bacf7b4c-31af-43a2-bdb2-6456d1030b4e",
            "value": "9ba024231d4aed094757324d8c65c35d605a51cdc1e18ae570f1b059085c2454.unknown"
          },
          {
            "category": "Other",
            "comment": "Checked: 28/04/2026\nLast-scan\t:  04/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777312673",
            "to_ids": false,
            "type": "text",
            "uuid": "a5365da3-9f38-4c47-9dd3-45bbbdf429b2",
            "value": "Type Description: Powershell\nMicrosoft: Trojan:Win32/Casdet!rfn\nVT Total Detection:33/63\nFirst Submission:2022-01-17T09:23:38.000000+00:00\nLast Submission:2023-07-11T08:58:09.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545367",
        "uuid": "399d7553-0b8e-4922-9962-768abef1ab04",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545367",
            "to_ids": true,
            "type": "md5",
            "uuid": "39895d20-099b-45e5-9b4d-2ecbd6a56352",
            "value": "ea370cb200e0c11b48f89e095c6a975e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545367",
            "to_ids": true,
            "type": "sha1",
            "uuid": "85c3cb72-4698-4338-9306-dd59200d8f34",
            "value": "7d69e251a3ae370ba996380e6712ca117ea2a1b6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545367",
            "to_ids": true,
            "type": "sha256",
            "uuid": "c1320623-1def-45a5-8c51-4760f3a04f8d",
            "value": "3446ec621506d87d372c596e1d384d9fd2c1637b3655d7ccadf5d9f64678681e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777312694",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "28c1666e-bdcf-4c39-b54b-a467e8ff0b26",
            "value": "96:ay6w+cGOvDTMm4STz+nY+Ef1jaFHdpKfKA17fm7VUb5:aC+cGOvDIllnyf1GF9EfPdaUF"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777312694",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "e2028dbe-bf73-4f95-89eb-ffa4de7db5f1",
            "value": "4022"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777312694",
            "to_ids": true,
            "type": "vhash",
            "uuid": "c7f9c447-2370-460d-9e0f-8bcdeb57f6c4",
            "value": "276a7220494c5017dcc2c2a4edad6280"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777312694",
            "to_ids": true,
            "type": "filename",
            "uuid": "d7272ec4-ba9e-457c-a1ef-9aba702dfa4c",
            "value": "ORDER OF CONTRACT-pdf.7z"
          },
          {
            "category": "Other",
            "comment": "Checked: 28/04/2026\nLast-scan: 13/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777312694",
            "to_ids": false,
            "type": "text",
            "uuid": "a13b0bb5-e4ad-4242-88c8-0e0a0696c1ab",
            "value": "Type Description: ZIP\nMicrosoft: Trojan:HTML/Phish.SS!MTB\nVT Total Detection:40/66\nFirst Submission:2022-01-18T08:53:22.000000+00:00\nLast Submission:2022-01-21T18:44:10.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545370",
        "uuid": "e08bf4aa-0d3b-4fc8-bae9-02b8bdb0c97d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545369",
            "to_ids": true,
            "type": "md5",
            "uuid": "34e4af8a-cd67-4fe1-bb54-0369ddbea8bc",
            "value": "3a5cb5689b6d4a97ddbe845e2c392e49",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545370",
            "to_ids": true,
            "type": "sha1",
            "uuid": "73f7e5ed-8a98-4d42-b79d-a65af83827da",
            "value": "66cb7df3aebcf43c89f590647910d334570d6069",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545370",
            "to_ids": true,
            "type": "sha256",
            "uuid": "34b38c68-9180-4b6f-853c-013e7027834d",
            "value": "c684f1a6ec49214eba61175303bcaacb91dc0eba75abd0bd0e2407f3e65bce2a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777312716",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c264e4d6-8ce3-4f2d-9d44-6e672e041e3d",
            "value": "3072:N9WkNes5pJMvlDXd0eUsnXtBp1kPYoBCFYQ1cGAluyK2ypxUExMlJnb2GufotUPT:NSvlZfUGBXkAGJuAlGIExMl52xEUP"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777312716",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "6efb1f3b-42ea-45e1-a70f-b991b8ee0c66",
            "value": "221696"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777312716",
            "to_ids": true,
            "type": "vhash",
            "uuid": "8923d283-95eb-4ea9-888c-135805a60dea",
            "value": "225036651512302149a5730a0"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777312716",
            "to_ids": true,
            "type": "filename",
            "uuid": "85ef16ed-fbdd-40d3-b00a-2587be7a924e",
            "value": "JmGdVvcqHKTObKbyFFugeZAoBpXHL.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 28/04/2026\nLast-scan: 26/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777312716",
            "to_ids": false,
            "type": "text",
            "uuid": "b09d6a75-634d-4024-a74b-d8d93503b495",
            "value": "Type Description: Win32 EXE\nMicrosoft: PWS:MSIL/DarkStealer!MTB\nVT Total Detection:61/71\nFirst Submission:2022-01-21T14:49:53.000000+00:00\nLast Submission:2022-01-21T14:49:53.000000+00:00"
          }
        ]
      }
    ]
  }
}