{
  "Event": {
    "analysis": "1",
    "date": "2026-04-25",
    "extends_uuid": "",
    "info": "[Threat Intel] Rebex-based Telegram RAT Targeting Vietnam",
    "protected": false,
    "publish_timestamp": "1779545757",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1779545757",
    "uuid": "41f80b54-984e-4d1d-9e3f-bba07f9d660d",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#705cef",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#7da4ad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#2c1d2e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Checks - T1497.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#51b040",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"InstallUtil - T1218.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#5539fe",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#256f6a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"DLL - T1574.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#bf01b7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"",
        "relationship_type": ""
      },
      {
        "colour": "#4a5d84",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Services - T1583.006\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Compiled HTML File - T1218.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#02475d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:online-service=\"b0c71d51-34fd-47b5-9eb4-dd406ffc607f\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Vietnam\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      },
      {
        "colour": "#220082",
        "local": false,
        "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777460416",
        "to_ids": false,
        "type": "link",
        "uuid": "7d9f8e42-2776-47eb-9607-9d244decfd88",
        "value": "https://dmpdump.github.io/posts/TelegramRat/",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777460416",
        "to_ids": false,
        "type": "text",
        "uuid": "f7f8e651-6bc0-42ab-a6e1-cd5d654f2dee",
        "value": "A sophisticated CHM-based malware campaign has been identified targeting Vietnamese victims through a trojanized CV document. The infection chain utilizes a compiled HTML file that deploys a multi-stage payload delivery mechanism involving Python interpreters, C++ DLLs, and layered XOR encryption. The malware establishes persistence through Shell hijacking and scheduled tasks, ultimately delivering a weaponized version of Rebex.Common.dll functioning as a Telegram-based remote access trojan. The RAT communicates via the Telegram Bot API, supporting commands for file download, token swapping, and arbitrary command execution. The infection demonstrates characteristics typical of targeted state-sponsored activity rather than opportunistic cybercrime, employing techniques historically associated with advanced threat actors operating in the Southeast Asian region."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777460416",
        "to_ids": false,
        "type": "text",
        "uuid": "a428b153-edb9-4068-a07f-5d1f669f43f7",
        "value": "Name: Rebex-based Telegram RAT Targeting Vietnam\nAuthor: AlienVault\nAdversary: \nTags: [\"multi-stage payload\", \"telegram rat\", \"chm infection\", \"xor encryption\", \"shell hijacking\", \"rebex library\", \"python loader\", \"vietnam targeting\"]\nTargeted countries: []\nMalware families: []\nAttack_ids: [\"T1053.005\", \"T1036.005\", \"T1204.002\", \"T1497.001\", \"T1218.004\", \"T1566.001\", \"T1574.001\", \"T1082\", \"T1140\", \"T1112\", \"T1583.006\", \"T1059.001\", \"T1547.001\", \"T1218.001\", \"T1027\", \"T1059.003\", \"T1071.001\", \"T1105\"]\nIndustries: []"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545746",
        "uuid": "3f5b5623-6d55-420c-90f9-7f60e47c6599",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545746",
            "to_ids": true,
            "type": "md5",
            "uuid": "ef028aab-c85f-4a3b-a8e7-64dd1bd7fe94",
            "value": "4e9e70c2a8002ce4a70ab43ae80c2a25",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545746",
            "to_ids": true,
            "type": "sha1",
            "uuid": "2657a2d5-3d24-45c0-8ff3-583e85c79649",
            "value": "0582822ea03854a3f465a28559be18a14c59f9a9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545746",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f0bab1e2-9dfb-4621-8650-b3f776047894",
            "value": "ced7fe9c5ec508216e6dd9a59d2d5193a58bdbac5f41a38ea97dd5c7fceef7a5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777687156",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "8f174c15-4eae-4580-9b20-c479674f88a5",
            "value": "98304:1OdjoLiSbiZOv+fUjRWmOPrbQPCCR9hUIa2amVZDqXKXvISh4E7HRKmagplOoMAL:NiZ6BW7z11HGZeXKXvI64ELUmaKBetu"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777687156",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "5659e1db-838a-4a17-8d11-d80ddad14a62",
            "value": "16275456"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777687156",
            "to_ids": true,
            "type": "vhash",
            "uuid": "4845e184-703e-4154-af1d-6641ac86d5b5",
            "value": "152bed7b5e0505a941bf8ba934b104ca"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777687156",
            "to_ids": true,
            "type": "filename",
            "uuid": "cff38e9f-47ea-4c81-a24d-9cd2df546ab3",
            "value": "ced7fe9c5ec508216e6dd9a59d2d5193a58bdbac5f41a38ea97dd5c7fceef7a5.iso"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/05/2026\nLast-scan: 01/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777687156",
            "to_ids": false,
            "type": "text",
            "uuid": "0cda5b87-346c-4c1c-befc-afe34c61bced",
            "value": "Type Description: ISO image\nMicrosoft: None\nVT Total Detection:29/62\nFirst Submission:2025-05-20T06:32:09.000000+00:00\nLast Submission:2025-06-11T13:33:44.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545749",
        "uuid": "102e0c90-d9e5-4a95-8a89-0ce3dd6be338",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545748",
            "to_ids": true,
            "type": "md5",
            "uuid": "d496d99e-e864-464a-a2df-a555de3d87bf",
            "value": "b3bf26bfbf7aec43379523bd18b1ec16",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545749",
            "to_ids": true,
            "type": "sha1",
            "uuid": "821001ba-2af4-4309-b3cd-350faf9fe756",
            "value": "687cee4e972323e6991acfa59f608a7d1a6e170b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545749",
            "to_ids": true,
            "type": "sha256",
            "uuid": "60c15f59-2072-416b-8ffd-a8b814c30256",
            "value": "a0d5b30578acd1df9139e7a8a4bfc659dc2cf48f4dc0c5804b70890adeb9fa21",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777687178",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "3538fa3c-4156-4efd-a3b5-8795a4812af6",
            "value": "196608:qpLr1+t6XYMqZepbJHzJhcp3ikU4yGxcCZcR:Mf1+t6XsZepbJdutihGxcCZcR"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777687178",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "ea419f66-bede-49b4-a1ef-84e157a762ba",
            "value": "7512874"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777687178",
            "to_ids": true,
            "type": "filename",
            "uuid": "60c15b36-4eeb-428f-a2c1-00351b7a737a",
            "value": "Word Document - CV - Vu PLPC KT nam 2026.chm"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/05/2026\nLast-scan: 29/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777687178",
            "to_ids": false,
            "type": "text",
            "uuid": "e0a1cec7-a4c9-4a83-acdb-e3d17e725035",
            "value": "Type Description: Compiled HTML Help\nMicrosoft: None\nVT Total Detection:32/61\nFirst Submission:2026-04-01T09:16:59.000000+00:00\nLast Submission:2026-04-27T08:28:08.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545752",
        "uuid": "db90c5a2-f817-47b5-b5d5-56d4e0b33d9b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545751",
            "to_ids": true,
            "type": "md5",
            "uuid": "f79e7e25-9e96-473d-b0c5-7e0822429c1c",
            "value": "ca3401817dd1e29ca3f3212e38ad39cf",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545751",
            "to_ids": true,
            "type": "sha1",
            "uuid": "5d486e4b-1684-4297-a031-8fd0d7e360b3",
            "value": "2acfaf21024e8f018fac3b38126036c594acf7dc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545752",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1b1f61ef-beb8-4fef-8e50-f404fa801270",
            "value": "1323278360d41a74ab09d310f08902087ff2798d1eda99be65d07c1b1123a25c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777687199",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "92972dde-1fc2-4718-9222-fc86c2535946",
            "value": "49152:VuA+xjFu36cgDFrKJRlhfzPVcBeE5fVCPPZPkjoezYS3J519IzJw0/ocLC8b17k6:8FrG2l5Upn9"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777687199",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "68d3c5aa-6909-49d3-8efd-a26652a29e76",
            "value": "3984896"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777687199",
            "to_ids": true,
            "type": "vhash",
            "uuid": "768bd79c-05b9-4265-8769-9bdf2dc4c55b",
            "value": "33603655151bb01c77ffff14135eff"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777687199",
            "to_ids": true,
            "type": "filename",
            "uuid": "b51b8c7a-6e41-4795-b7a6-0de8d3d229af",
            "value": "Rebex.Common.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/05/2026\nLast-scan: 30/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777687199",
            "to_ids": false,
            "type": "text",
            "uuid": "30cb6d1f-df39-4e12-9a9b-40bd85b0e2f7",
            "value": "Type Description: Win32 DLL\nMicrosoft: None\nVT Total Detection:0/71\nFirst Submission:2026-04-01T09:27:37.000000+00:00\nLast Submission:2026-04-01T09:27:37.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545754",
        "uuid": "2f89b5e6-0be3-4d10-a0e3-e4cd7e2e3765",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545754",
            "to_ids": true,
            "type": "md5",
            "uuid": "771f3788-e6a8-4c06-becf-e4250bc01fae",
            "value": "783698157743014acd2df3e721c1ae4e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545754",
            "to_ids": true,
            "type": "sha1",
            "uuid": "51e08f9a-7bb3-4922-a03f-e3380ba545cb",
            "value": "040f07163335f89085b380a6c22841c1bc1ef798",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545754",
            "to_ids": true,
            "type": "sha256",
            "uuid": "77e6b040-bac1-4c48-8957-2c4e52108f8e",
            "value": "67b51a73c72f39b9cf41dd35eb22b369713ab2e576641b40b9089ebc9d4a1fb2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777687221",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "79d334ba-e7ef-43db-a4e5-24d2fdb589e3",
            "value": "24576:4BlSyMHZO2YKS2BuB75ofKOsXsyOxpgyhDWmHplTKt/3V8vfhIWRSxqDcxdI6msq:We09Os4JlE+edld+yE0e"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777687221",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "ebccaee7-432b-449d-a60d-507945e2ab26",
            "value": "3820544"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777687221",
            "to_ids": true,
            "type": "vhash",
            "uuid": "2396c4ad-6814-432f-b47d-350af33cfa09",
            "value": "3360361515171z41z20"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777687221",
            "to_ids": true,
            "type": "filename",
            "uuid": "f5936644-fe65-4b93-952d-76bd26c6996b",
            "value": "BJKJilaYQUrcTYiKh.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/05/2026\nLast-scan\t:  30/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777687221",
            "to_ids": false,
            "type": "text",
            "uuid": "05a0d9b2-84dc-4061-ad9f-a50314d33ee7",
            "value": "Type Description: Win32 DLL\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:35/71\nFirst Submission:2026-04-01T09:27:33.000000+00:00\nLast Submission:2026-04-30T15:00:39.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545757",
        "uuid": "cc7b84aa-58b0-4b29-8a01-b0bf92e4242c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545756",
            "to_ids": true,
            "type": "md5",
            "uuid": "25ceebb7-8cc9-469f-8eb9-54cf7caf4838",
            "value": "b30cfa26e5dbee1665944a7a94b1a07d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545757",
            "to_ids": true,
            "type": "sha1",
            "uuid": "70b25bf6-bf03-4242-9580-62686eb07f61",
            "value": "e468080f1f509c9cb704620a6344831bc7e40ee2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545757",
            "to_ids": true,
            "type": "sha256",
            "uuid": "71aab037-0aac-4d76-90bf-b87fc9f76255",
            "value": "6db64b44305ff125f729713d7ff516e84e4ca38504a2ab0571eb19597f49feee",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777687243",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d0998ca8-65a6-48e1-bf50-9d014ed05819",
            "value": "196608:ZhjtBujsFKUu3in5LBV19mu5I9r0S6QQoOZ+yJ:L5BujsFc3in5L9suO9r4QQoOZ+yJ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777687243",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "ce5de279-85c4-4573-9073-8c96cff5e0ff",
            "value": "7476910"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777687243",
            "to_ids": true,
            "type": "vhash",
            "uuid": "09f1a061-1b4a-42ca-96d5-a89b61459110",
            "value": "37bc32ffa8653738a70c0ca51cd44fec"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777687243",
            "to_ids": true,
            "type": "filename",
            "uuid": "ae287c23-1315-4990-b904-16c818a6b1e2",
            "value": "CV - Vu PLPC So2156516.zip"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/05/2026\nLast-scan\t:  01/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777687243",
            "to_ids": false,
            "type": "text",
            "uuid": "567d9745-422d-44e3-a118-117992bd9ac7",
            "value": "Type Description: ZIP\nMicrosoft: None\nVT Total Detection:33/65\nFirst Submission:2026-04-01T08:06:27.000000+00:00\nLast Submission:2026-04-01T08:06:27.000000+00:00"
          }
        ]
      }
    ]
  }
}