{
  "Event": {
    "analysis": "1",
    "date": "2026-04-28",
    "extends_uuid": "",
    "info": "[Threat Intel] GachiLoader adopts AI skill lure",
    "protected": false,
    "publish_timestamp": "1779545843",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1779545842",
    "uuid": "4252c034-0452-4f38-bd85-f978c0073121",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ee8d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"",
        "relationship_type": ""
      },
      {
        "colour": "#72ee33",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#ed66f6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal Web Session Cookie - T1539\"",
        "relationship_type": ""
      },
      {
        "colour": "#d74cce",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Bypass User Account Control - T1548.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#2c1d2e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Checks - T1497.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#68f2ff",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9bb6d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#3780c6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#e43954",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#356c41",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#8d021b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Dead Drop Resolver - T1102.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#18005c",
        "local": false,
        "name": "rectifyq:topic=\"ai\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Rhadamanthys\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777460432",
        "to_ids": false,
        "type": "link",
        "uuid": "d15efc22-8222-4d8e-8fbf-2e1770197a8c",
        "value": "https://www.threatdown.com/blog/gachiloader-adopts-ai-skill-lure-from-fake-openclaw-readme-to-rhadamanthys-infostealer/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777460432",
        "to_ids": false,
        "type": "text",
        "uuid": "4d58f5ef-ea5c-401f-8787-0bf211c25b6a",
        "value": "Threat actors are exploiting AI agent skill formats as a novel attack vector, using convincingly packaged OpenClaw skills to distribute malicious payloads. The latest campaign employs pure social engineering, with skills containing no malicious code themselves but instead tricking users into downloading Windows binaries. The attack leverages a fake GitHub infrastructure hosting GachiLoader, which delivers Rhadamanthys infostealer through fileless injection. The operation uses two delivery mechanisms: Node.js Single Executable Applications and an Electron dropper, both converging on the same payload. GachiLoader employs sophisticated evasion techniques including anti-VM checks, sandbox detection, and privilege escalation, while using a Polygon blockchain smart contract as its C2 resolver for enhanced persistence and obfuscation."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777460432",
        "to_ids": false,
        "type": "text",
        "uuid": "375a949d-5ec9-4e16-bd2a-6f115df6806f",
        "value": "Name: GachiLoader adopts AI skill lure\nAuthor: AlienVault\nAdversary: \nTags: [\"infostealer\", \"rhadamanthys\", \"node.js sea\", \"electron dropper\", \"blockchain c2\", \"openclaw\", \"ai agent skills\", \"social engineering\", \"fileless injection\", \"gachiloader\"]\nTgtd countries: []\nMlwr families: [\"GachiLoader\", \"Rhadamanthys\"]\nAttack_ids: [\"T1113\", \"T1056.001\", \"T1539\", \"T1548.002\", \"T1497.001\", \"T1082\", \"T1005\", \"T1140\", \"T1555\", \"T1055\", \"T1204\", \"T1059.001\", \"T1566\", \"T1562.001\", \"T1027\", \"T1573\", \"T1071.001\", \"T1105\", \"T1102.001\"]\nIndustries: []"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:02/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545839",
        "to_ids": true,
        "type": "sha256",
        "uuid": "83743db1-c2fd-4d59-a42d-24cb08f4a078",
        "value": "1753d2f90bd4ac6c0c91e76322ae1d0cc8034842a61dc175c7aba3e1aa944c90",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:02/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545841",
        "to_ids": true,
        "type": "sha256",
        "uuid": "5f21f5be-4cda-4706-8f8a-1a3632a0f4f1",
        "value": "1831db8fe19efbd12997f63bc76da79858f87995b9ebd8a05757670e5e52c1f2",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:02/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545842",
        "to_ids": true,
        "type": "sha256",
        "uuid": "fa363c51-4abf-48f4-a9e5-06f72c466150",
        "value": "1f24e75c1e6d6777e970f64ebf18e8bf1dd1dcaab692adf4062c8fad6a6df42c",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777689318",
        "to_ids": true,
        "type": "domain",
        "uuid": "99ca5475-4348-4441-9ca0-dae1faa72792",
        "value": "onfinality.pro",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777689339",
        "to_ids": true,
        "type": "url",
        "uuid": "a3a2f14d-efe2-4f7e-9632-b3472220bea0",
        "value": "https://github.com/blueberywoodsym/openclawlibs",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545824",
        "uuid": "915f0f52-d650-4d5d-a443-9842e72b073f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545823",
            "to_ids": true,
            "type": "md5",
            "uuid": "ebcd2bee-fcff-4b2c-b2fb-d9ee4454292e",
            "value": "6bad5dc5a9d28ce5d8335fa1d21ab973",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545824",
            "to_ids": true,
            "type": "sha1",
            "uuid": "d08da045-0386-48d2-81a3-f555ecf7daa3",
            "value": "daa802bb0e8698bfab49b23a7f3b11ba85395728",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545824",
            "to_ids": true,
            "type": "sha256",
            "uuid": "0ca7c7ff-b3e0-4b79-bfbb-8c0f28bb8467",
            "value": "076ba40e7fbf2910dff87f0c25862a70001d8ad81d23d8beae9fb9b29b603829",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777687725",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c4f45dd6-912e-4d29-9194-8a64f41335a2",
            "value": "6144:c+G384EYsBBtK4Uz9Nk/HlcwZerzk9h3j4FFSzrmpV5D:cZ384EYgBtK4UpNsFkoL3jiFSzeV5D"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777687725",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "083dd593-2e79-435b-a308-fc8192c0e1ab",
            "value": "291355"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777687725",
            "to_ids": true,
            "type": "vhash",
            "uuid": "1ae93416-c7af-432b-93c7-37c23a0f4099",
            "value": "db252a4dca35eea867d9c91723ff02a0"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777687725",
            "to_ids": true,
            "type": "filename",
            "uuid": "18ed1f66-37bb-455e-95d2-952224fbfac9",
            "value": "skill.zip"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/05/2026\nLast-scan\t:  30/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777687725",
            "to_ids": false,
            "type": "text",
            "uuid": "12520a9c-8e3d-4042-8426-ffeddf314db1",
            "value": "Type Description: ZIP\nMicrosoft: None\nVT Total Detection:2/66\nFirst Submission:2026-04-05T07:18:40.000000+00:00\nLast Submission:2026-04-05T07:18:40.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545827",
        "uuid": "a7d66af3-c078-47f3-8e2d-8019dc080250",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545826",
            "to_ids": true,
            "type": "md5",
            "uuid": "432bbfd1-00cd-44db-97d3-ebe58b1a0736",
            "value": "fd3c3819358b018c50059c31a945ed10",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545826",
            "to_ids": true,
            "type": "sha1",
            "uuid": "57d962cc-608f-482a-a800-809a903ed319",
            "value": "585017d6baad4f3aad4bbb0b59e7c718813ce9a1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545827",
            "to_ids": true,
            "type": "sha256",
            "uuid": "70ee04d8-76ca-468f-89df-36daf5d74e26",
            "value": "539ac28b816ed0ab17879712a460396bd812221b93540590eccdb89c8196db96",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777687810",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e42f38cd-db7f-4f0c-9010-9f2e37dfecdb",
            "value": "6144:0M18/aZt3o96Z4BV0wNB8Ka/B6+5xxtj2:D18/S3NZ4z84mxtS"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777687810",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "48335b10-6a48-44ac-8bf4-88070d54512a",
            "value": "269824"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777687810",
            "to_ids": true,
            "type": "vhash",
            "uuid": "a29b0a67-3a6e-450e-ae76-e020021a53a6",
            "value": "125066655d1555755az4d2z11yz2"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777687810",
            "to_ids": true,
            "type": "filename",
            "uuid": "5c59d0fa-de42-46f6-adbc-3d40d5728d06",
            "value": "acapi275.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/05/2026\nLast-scan\t:  30/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777687810",
            "to_ids": false,
            "type": "text",
            "uuid": "7c8db5c0-4a2c-493d-94ff-d732d427c140",
            "value": "Type Description: Win32 DLL\nMicrosoft: None\nVT Total Detection:26/71\nFirst Submission:2026-02-24T04:39:25.000000+00:00\nLast Submission:2026-02-24T04:39:25.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545829",
        "uuid": "21773dc3-81b0-4639-af3c-ca9b3028808f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545828",
            "to_ids": true,
            "type": "md5",
            "uuid": "96feff2d-5154-4d2f-89e8-2f33f5c18b19",
            "value": "d4f65778394642a569e19342b792dee1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545829",
            "to_ids": true,
            "type": "sha1",
            "uuid": "a7e324c5-774d-47ec-ad35-f42a0f3f041f",
            "value": "9c10cb614ab2f6243c928420be697146e532c12f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545829",
            "to_ids": true,
            "type": "sha256",
            "uuid": "56213bd5-7d83-4c0e-bd2c-f3cf3442ac41",
            "value": "8abec84db36ee18b3299b5fd9406f8d99a5be7dd0a4e93536e39bb406fce97a6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777687832",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "b9e18f1a-24fc-4f38-9dee-9045da9e3c74",
            "value": "393216:ZgisFuo+Yr87To2svO4HTOW4iWaSEK133axerL0Qu58EISEhoIaE2FShQ1Pz7mZP:ZgDU2pHQxhETnDNMo4GvxOOx4"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777687832",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "d3538e42-eddf-409c-9bc0-f64aded7be22",
            "value": "71100416"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777687832",
            "to_ids": true,
            "type": "vhash",
            "uuid": "f37237a6-4012-41e3-b026-f035d6bc6f5f",
            "value": "077076656d156515556243z72zff7z11z23z13z93z12c4z11z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777687832",
            "to_ids": true,
            "type": "filename",
            "uuid": "cfff1596-568e-4530-acd9-4e79d3824dd2",
            "value": "ms3200.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/05/2026\nLast-scan: 01/05/2026\nDate format: DD/MM/YYYY",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777687832",
            "to_ids": false,
            "type": "text",
            "uuid": "0b1a1c8a-5207-42c9-94ca-fe2edb216b16",
            "value": "Type Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:20/70\nFirst Submission:2026-02-24T04:34:51.000000+00:00\nLast Submission:2026-02-24T04:34:51.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545832",
        "uuid": "c607a155-491b-4849-802e-827afb7037ab",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545831",
            "to_ids": true,
            "type": "md5",
            "uuid": "1123e51f-6570-4290-bc35-53ae43b29bd9",
            "value": "480bbe26630e08ecfcbcceb0761fd15d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545831",
            "to_ids": true,
            "type": "sha1",
            "uuid": "b3018378-26b3-405f-9972-8001337d07ce",
            "value": "14117361f0872ec99b1c849ec1116f71dc3f0dad",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545832",
            "to_ids": true,
            "type": "sha256",
            "uuid": "53777616-c728-49ae-93f4-c749152655db",
            "value": "9fb2ea25254ae53f93e0e13abb59a76a6c1ed512cdf1c1deafafa4d2758117f6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777687854",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "b749b584-be09-4330-ac37-f65896bf3dba",
            "value": "6144:vVX6t4JL4+kQhPe71JaYG5VwYNc/fCfpDkS1TMlQYioP0Rj:vVXDc+ksPe7rQ3wYXpTvWPi"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777687854",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4327d0e9-1456-4ac8-ab9b-e1ba5b1f075a",
            "value": "347136"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777687854",
            "to_ids": true,
            "type": "vhash",
            "uuid": "f11f610e-0663-4641-a611-db0c14abc959",
            "value": "135066655d1555755az5f2z111z17z1kz2"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777687854",
            "to_ids": true,
            "type": "filename",
            "uuid": "fc46e58e-a83d-42e4-b4f5-cb49ad628484",
            "value": "GCC.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/05/2026\nLast-scan: 29/04/2026\nDate format: DD/MM/YYYY",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777687854",
            "to_ids": false,
            "type": "text",
            "uuid": "a9d6889d-77ad-4d65-a32b-d0746930e7e6",
            "value": "Type Description: Win32 DLL\nMicrosoft: Trojan:Win32/Ravartar!rfn\nVT Total Detection:40/71\nFirst Submission:2026-04-09T17:56:49.000000+00:00\nLast Submission:2026-04-09T17:56:49.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545834",
        "uuid": "77ca6b4e-157e-479a-ab6b-df00523e4fa4",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545834",
            "to_ids": true,
            "type": "md5",
            "uuid": "e38ca909-d7b3-4385-9d94-bc2813eab605",
            "value": "78a53aa7535172e9c370f4a9b3fefd7b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545834",
            "to_ids": true,
            "type": "sha1",
            "uuid": "536e1760-ce13-45c1-83b1-2d702edfe229",
            "value": "909c02ca786e2d10d6caa07c044520e5f76459ff",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545834",
            "to_ids": true,
            "type": "sha256",
            "uuid": "3d766d40-91e9-470c-bbfc-436bf220f3f4",
            "value": "a981ace958944914e9ea697aff6066d6152820aeea5a6a14a9a7fa6aa31c38a6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777687875",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f4fd7b4f-d2c9-4cfb-bfc6-8eb6018e0ea7",
            "value": "1572864:JH0f0gqxb0WBFh/LVO9dyKcRmAswCXj5EtV4ga5h0q2ZOADpAyK5/Y3P8kbVr+qI:+sok+hK7"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777687875",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "63c0738e-3dfc-42d5-a084-2a67d6f52aea",
            "value": "188784128"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777687875",
            "to_ids": true,
            "type": "vhash",
            "uuid": "bd8fc248-069e-4946-b084-f6661fe1a64f",
            "value": "0180f6656d556550161d14z1c2zff3z52z143z77z3001f324zc68"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777687875",
            "to_ids": true,
            "type": "filename",
            "uuid": "e6d7b588-ad2f-4278-ac65-1edc58bc017f",
            "value": "SoftwareSetup"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/05/2026\nLast-scan: 30/04/2026\nDate format: DD/MM/YYYY",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777687875",
            "to_ids": false,
            "type": "text",
            "uuid": "8d5f21fb-b56a-4fa6-ba12-270b2b30d33b",
            "value": "Type Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:3/70\nFirst Submission:2026-04-08T14:17:32.000000+00:00\nLast Submission:2026-04-08T14:17:32.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545837",
        "uuid": "54e9d13b-8821-4b2e-b656-5ab79883ce68",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545836",
            "to_ids": true,
            "type": "md5",
            "uuid": "c9f63a9e-58b3-4657-ac5c-8bfcd31ff170",
            "value": "265fa818dba9f6c58b8f8f321203601b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545837",
            "to_ids": true,
            "type": "sha1",
            "uuid": "30c50463-ebe9-413a-b457-fa8f52c91029",
            "value": "3b851a7200de94f760f687269f6842683f22047d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545837",
            "to_ids": true,
            "type": "sha256",
            "uuid": "d918cef0-1f2a-44fc-bb8f-455821308da6",
            "value": "f583f8307468dc5eacc7be7137dc5c7dbab5fc30ca89b03cf6c67b4de030b05d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777687897",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "fc7fc7d2-e1ba-42c9-8c04-3cfdabae8751",
            "value": "1572864:Nt9IKPh7cQRWYlekfXFYQWwUrFJ7M05Etl/5r+v9r67:NUKZZRWfktYQWwUx+4shrct67"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777687897",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "259840a2-0f3b-4b54-9edf-33b61a30b18c",
            "value": "76902566"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777687897",
            "to_ids": true,
            "type": "vhash",
            "uuid": "34dab8c3-eb01-4a0a-aeba-c496d6d7a48d",
            "value": "077056655d1c0510d043z800417z47z62z41fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777687897",
            "to_ids": true,
            "type": "filename",
            "uuid": "11035940-428f-4489-88c4-2bf3ef0b2282",
            "value": "OpenClaw Polymarket.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/05/2026\nLast-scan: 30/04/2026\nDate format: DD/MM/YYYY",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777687897",
            "to_ids": false,
            "type": "text",
            "uuid": "31050e26-4c7e-4dbc-ac74-874804709f12",
            "value": "Type Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:14/69\nFirst Submission:2026-04-08T14:13:32.000000+00:00\nLast Submission:2026-04-16T21:18:25.000000+00:00"
          }
        ]
      }
    ]
  }
}