{
  "Event": {
    "analysis": "1",
    "date": "2026-03-18",
    "extends_uuid": "",
    "info": "[Threat Intel] Technical Analysis of SnappyClient",
    "protected": false,
    "publish_timestamp": "1774245875",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1774245875",
    "uuid": "3dfcb7d5-8cc6-4dcc-8d62-b0b2a00eb9fb",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#6dbaba",
        "local": false,
        "name": "misp-galaxy:producer=\"Zscaler\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#705cef",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ee8d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"",
        "relationship_type": ""
      },
      {
        "colour": "#72ee33",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#ed66f6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal Web Session Cookie - T1539\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#9dc839",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Clipboard Data - T1115\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9bb6d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#17c030",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Application Window Discovery - T1010\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#62f4c1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#e43954",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#356c41",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"",
        "relationship_type": ""
      },
      {
        "colour": "#5ed128",
        "local": false,
        "name": "misp-galaxy:target-information=\"Germany\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#10003f",
        "local": false,
        "name": "rectifyq:sub-category=\"tool-profile\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773889211",
        "to_ids": false,
        "type": "link",
        "uuid": "262193da-a74e-4cdb-924c-8bd64a4d8a26",
        "value": "https://www.zscaler.com/blogs/security-research/technical-analysis-snappyclient"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773889211",
        "to_ids": false,
        "type": "text",
        "uuid": "db51d3e8-51ac-48df-ad35-a4426f38c1a1",
        "value": "Zscaler ThreatLabz identified a new command-and-control framework implant called SnappyClient, delivered via HijackLoader. SnappyClient is a C++-based implant with data theft and remote access capabilities. It employs evasion techniques like AMSI bypass, Heaven's Gate, direct system calls, and transacted hollowing. The malware receives configuration files from its C2 server and uses a custom encrypted network protocol. SnappyClient's main functions include stealing browser data, taking screenshots, keylogging, and providing remote shell access. Analysis suggests potential ties to HijackLoader based on code similarities. The primary goal appears to be cryptocurrency theft, targeting wallet addresses and crypto-related applications."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773889211",
        "to_ids": false,
        "type": "text",
        "uuid": "daf6de4e-0ec8-4ff1-afff-de909352279e",
        "value": "Name: Technical Analysis of SnappyClient\nAuthor: AlienVault\nAdversary: \nTags: [\"hijackloader\", \"cryptocurrency\", \"snappyclient\", \"data theft\", \"command and control\", \"evasion\", \"remote access\"]\nTgtd countries: [\"Germany\"]\nMlwr families: [\"SnappyClient\", \"HijackLoader\"]\nAttack_ids: [\"T1053.005\", \"T1113\", \"T1056.001\", \"T1539\", \"T1204.002\", \"T1115\", \"T1082\", \"T1140\", \"T1555\", \"T1055\", \"T1010\", \"T1083\", \"T1057\", \"T1041\", \"T1547.001\", \"T1566\", \"T1562.001\", \"T1027\", \"T1573\"]\nIndustries: [\"Finance\"]"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\nLast check: 23/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774235071",
        "to_ids": true,
        "type": "sha256",
        "uuid": "223f1e64-86d3-4f87-a936-280025269b48",
        "value": "61e103db36ebb57770443d9249b5024ee0ae4c54d17fe10c1d44e87e2fc5ee99",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "On port 3333",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774230463",
        "to_ids": true,
        "type": "ip-dst|port",
        "uuid": "4e552ea6-6871-4ec9-b05e-6a3c49aed295",
        "value": "151.242.122.227|3333"
      },
      {
        "category": "Network activity",
        "comment": "On port 3334",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774230463",
        "to_ids": true,
        "type": "ip-dst|port",
        "uuid": "ddac33d9-b789-4abc-b621-74ed18590c6e",
        "value": "151.242.122.227|3334"
      },
      {
        "category": "Network activity",
        "comment": "On port 3333",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774230463",
        "to_ids": true,
        "type": "ip-dst|port",
        "uuid": "974d32ba-8aca-4a9b-86c6-92da75b378c1",
        "value": "179.43.167.210|3333"
      },
      {
        "category": "Network activity",
        "comment": "On port 3334",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774230463",
        "to_ids": true,
        "type": "ip-dst|port",
        "uuid": "3364ede3-33c1-4ba3-9f6f-c79aa0170a47",
        "value": "179.43.167.210|3334"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774240237",
        "uuid": "43410ccd-568a-4de9-9a23-6cb2baef02e8",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1774240237",
            "to_ids": true,
            "type": "md5",
            "uuid": "4e5e8cfb-ae17-45ca-bff4-f877ff4a113b",
            "value": "0fee3f06df7564529864392d6ea3b49f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1774235063",
            "to_ids": true,
            "type": "sha1",
            "uuid": "6c6e7785-f0ba-48ff-aedd-a8c9c28fd62b",
            "value": "7906a43b474fa52d61d40a005085f9808756139e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1774235063",
            "to_ids": true,
            "type": "sha256",
            "uuid": "7cfc077e-c24f-4252-8089-802ff907dde9",
            "value": "00019221fb0b61b769d4168664f11c1258e4d61659bd3ffecb126eaf92dbfe2f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1774233202",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "098e8e0a-3197-4526-acf3-28a65cbe90d0",
            "value": "49152:JiBjBTIM/b+Q3qL32UiTMye9G9TyzfpoXDAgGnJAWkyXMV22258m+FFO9VCaQV7h:UFBTLiLj2/jOTz4DzW/Om+FFOCa6NQml"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1774233202",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "acbba3a7-99e3-4fdb-a5bc-562715c637fa",
            "value": "3645612"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1774233202",
            "to_ids": true,
            "type": "vhash",
            "uuid": "650d5d3c-8420-4e5e-8663-aad91ab1c7ff",
            "value": "036046655d656182z110e00e37za083z1040600624z287z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1774233202",
            "to_ids": true,
            "type": "filename",
            "uuid": "5f688be9-5982-4801-ad6f-7ca916b6bb74",
            "value": "2026-03-20_0fee3f06df7564529864392d6ea3b49f_amadey_darkgate_elex_glassworm_luca-stealer_lynx_njrat"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/03/2026\nLast scan: 20/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1774233202",
            "to_ids": false,
            "type": "text",
            "uuid": "9d04587d-a89a-4c36-9d94-c0e663eebdc8",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Wacatac.B!ml\nVT Total Detection:40/71\nFirst Submission:2025-11-29T01:39:27.000000+00:00\nLast Submission:2026-03-20T02:33:13.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774240259",
        "uuid": "67eee693-6921-4581-b41a-1a363ff99e1b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1774240259",
            "to_ids": true,
            "type": "md5",
            "uuid": "c726f41b-c8a4-4d09-a617-8d8b9c6f6602",
            "value": "7dfca0187d003c53201173b8dcbc664b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1774235065",
            "to_ids": true,
            "type": "sha1",
            "uuid": "aa02cd47-f292-4124-ad7d-8fab2b254a5e",
            "value": "6fd1ea3e4e7215d35ca6f8bad16490c191a56187",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1774235065",
            "to_ids": true,
            "type": "sha256",
            "uuid": "dc06c9a7-068d-43fe-bc6f-0f1e5d5e10a2",
            "value": "23e2a0c25c95eebe1a593b27ac1b81a73b23ddad7617b3b11c69a89c3d49812e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1774233225",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "158c1b85-ac2b-4dbb-be31-1499f5112d75",
            "value": "49152:BwZ3LZGloj/weZ+26q7XeC5282qA8tRmLrWHmy1bYwWSJGOVCaQV7cMFuKcA5wUx:2Z3LZGlQweZ+2e82imkhWSJGta6c3"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1774233225",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "c186e196-5394-4e77-9f9b-edf613eab96a",
            "value": "3657728"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1774233225",
            "to_ids": true,
            "type": "vhash",
            "uuid": "46178ab3-427e-4ec7-a8b3-72abb44573bd",
            "value": "036046655d656182z110e00e37za083z1040600624z287z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1774233225",
            "to_ids": true,
            "type": "filename",
            "uuid": "e064e259-389c-4e08-94fc-ee5e65791c78",
            "value": "2025-12-17_7dfca0187d003c53201173b8dcbc664b_amadey_darkgate_elex_glassworm_luca-stealer_lynx_njrat"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/03/2026\nLast scan: 20/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1774233225",
            "to_ids": false,
            "type": "text",
            "uuid": "a13c2bb9-2659-4723-8b70-b02049ec28a4",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Egairtigado!rfn\nVT Total Detection:45/71\nFirst Submission:2025-12-15T19:05:29.000000+00:00\nLast Submission:2025-12-17T05:53:43.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774240281",
        "uuid": "8ea9cb1c-b765-4564-8ea3-fbabac430663",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1774240281",
            "to_ids": true,
            "type": "md5",
            "uuid": "c523b363-8f6d-4be7-a18f-02aa903b0b82",
            "value": "d64b37beca58532faeb6a368d079a266",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1774235067",
            "to_ids": true,
            "type": "sha1",
            "uuid": "5df09342-2e17-4406-bd97-30e20b5074d8",
            "value": "48946daf21cfb66f1545078d5eb8e6de64d2e166",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1774235067",
            "to_ids": true,
            "type": "sha256",
            "uuid": "3579da6b-fa74-4c1d-8911-1d75f609d844",
            "value": "64a2609d6707a2ebfe5b40f5227d0f9b85911b752cd04f830d1bbc8aa6bec2c8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1774233270",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "3d269f90-02b2-48a4-b3d4-d1b9ed115795",
            "value": "49152:H3t+vcTm0A9brVSUxsCuo65lB3QCO+P0eBN7mmQpojSLUKh1y9QXX8sKVCaQV75G:9+vcTm0SJSHoY3yeRjWUKh1jX86a6k"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1774233270",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "66d1c531-3800-4e0a-af42-483fbce10f16",
            "value": "3633152"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1774233270",
            "to_ids": true,
            "type": "vhash",
            "uuid": "f9778b69-6073-4f4e-a2f6-a256b5cc3e87",
            "value": "036056655d656d1182z110e00e37za083z1040600624z287z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1774233270",
            "to_ids": true,
            "type": "filename",
            "uuid": "7af1e50d-3b34-4c28-b900-b12762e47575",
            "value": "gops8gsht.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/03/2026\nLast scan: 20/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1774233270",
            "to_ids": false,
            "type": "text",
            "uuid": "6eecba35-e10c-493b-ac6d-e409c425fc82",
            "value": "Type Description: Win32 EXE\nMicrosoft: TrojanDownloader:Win64/Penguish!rfn\nVT Total Detection:49/71\nFirst Submission:2025-11-26T06:05:39.000000+00:00\nLast Submission:2025-11-26T13:31:25.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774240303",
        "uuid": "a8de9f0a-d4fa-41a4-bae7-e604f0758c51",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1774240303",
            "to_ids": true,
            "type": "md5",
            "uuid": "80f35d7c-d6b7-4a41-a571-4266590006b0",
            "value": "4316225ec137640d2f3e2f056031fb92",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1774235069",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7070e4d9-bfaf-4800-a3cd-8cc8a2b941e3",
            "value": "4ef6c98475939ee057057813b4d49d04e95ea2de",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1774235070",
            "to_ids": true,
            "type": "sha256",
            "uuid": "00e80f9c-9080-4a2c-bc0f-3c1f3831eb4c",
            "value": "6e360fca0b1e3021908f8de271d80620d634600955fefc9fd0af40557cd517d7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1774233294",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "ba08891e-63d3-4f9e-9159-4bda64a3f687",
            "value": "49152:9cfTxyq4tYu7IrWOaQ5qk+l+zqaEHy3nzJepy/f4XM3mPQVCaQV70UdE6F:afTxHAYimaO+UEHyX34XM3Mba6b"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1774233294",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "c70687a2-c2e0-482d-8be7-05813be844e9",
            "value": "3614720"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1774233294",
            "to_ids": true,
            "type": "vhash",
            "uuid": "ecae8bed-0eb0-4c70-92cd-09db19830233",
            "value": "0360566d5d656d5182z110e00e37za083z1040600624z287z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1774233294",
            "to_ids": true,
            "type": "filename",
            "uuid": "72b3c05f-9a0d-4e2c-9d67-fc3f2083ba82",
            "value": "b8odsj.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-03-23\nLast scan: 2026-03-20",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1774233294",
            "to_ids": false,
            "type": "text",
            "uuid": "b45b20a3-d6a5-462e-b268-95a72523b50f",
            "value": "Type Description: Win32 EXE\nMicrosoft: TrojanDownloader:Win64/Penguish.PO!MTB\nVT Total Detection: 49/71\nFirst Submission: 2025-12-04T08:12:49.000000+00:00\nLast Submission: 2025-12-04T08:12:49.000000+00:00"
          }
        ]
      }
    ]
  }
}