{ "Event": { "analysis": "1", "date": "2026-03-19", "extends_uuid": "", "info": "[Threat Intel] From Invitation to Infection: How SILENTCONNECT Delivers ScreenConnect", "protected": false, "publish_timestamp": "1775231575", "published": true, "threat_level_id": "3", "timestamp": "1775231575", "uuid": "43d90fbe-d9df-4347-93bf-3cfe234a0eb0", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#5f1b93", "local": false, "name": "misp-galaxy:producer=\"Elastic\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-original-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#d74cce", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Bypass User Account Control - T1548.002\"", "relationship_type": "" }, { "colour": "#e00500", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Remote Access Tools - T1219\"", "relationship_type": "" }, { "colour": "#c8f8ef", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Binary Proxy Execution - T1218\"", "relationship_type": "" }, { "colour": "#9e0269", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Service - T1102\"", "relationship_type": "" }, { "colour": "#755c09", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"", "relationship_type": "" }, { "colour": "#e43954", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"", "relationship_type": "" }, { "colour": "#e08bb2", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"", "relationship_type": "" }, { "colour": "#4c0fbb", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#130049", "local": false, "name": "rectifyq:sub-category=\"campaign-analysis\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#3500ca", "local": false, "name": "rectifyq:detection-rules=\"yara-from-src\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773975614", "to_ids": false, "type": "link", "uuid": "7fe81815-26ab-4ea3-988b-8399dea1e8db", "value": "https://www.elastic.co/security-labs/silentconnect-delivers-screenconnect" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1773975614", "to_ids": false, "type": "text", "uuid": "609b5fb9-448b-422a-9b59-a8b74c777d95", "value": "A newly discovered loader called SILENTCONNECT is being used in active campaigns to silently install ScreenConnect, a remote monitoring and management tool, on victim machines. The infection chain begins with users being redirected to a Cloudflare Turnstile CAPTCHA page disguised as a digital invitation. Upon clicking, a VBScript file is downloaded, which retrieves and executes C# source code in memory using PowerShell. SILENTCONNECT employs various evasion techniques, including PEB masquerading and UAC bypass. The campaigns leverage trusted hosting providers like Google Drive and Cloudflare, and abuse living-off-the-land binaries. The loader has been active since March 2025 and poses a significant threat due to its stealthy nature and effectiveness." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1773975614", "to_ids": false, "type": "text", "uuid": "7006767c-322f-40de-9530-f0b0f2dfa5c9", "value": "Name: From Invitation to Infection: How SILENTCONNECT Delivers ScreenConnect\nAuthor: AlienVault\nAdversary: \nTags: [\"silentconnect\", \"phishing\", \"rmm\", \"loader\", \"uac bypass\", \"evasion\", \"screenconnect\", \"peb masquerading\"]\nTgtd countries: []\nMlwr families: [\"SILENTCONNECT\", \"ScreenConnect\"]\nAttack_ids: [\"T1548.002\", \"T1219\", \"T1218\", \"T1102\", \"T1059.001\", \"T1562.001\", \"T1027\", \"T1105\"]\nIndustries: []" }, { "category": "Network activity", "comment": "ScreenConnect C2 Server", "deleted": false, "disable_correlation": false, "timestamp": "1775230238", "to_ids": true, "type": "ip-dst", "uuid": "1325ccbd-477e-4cf1-b40c-f12d9a66b668", "value": "86.38.225.59", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775230260", "to_ids": true, "type": "url", "uuid": "c2addc29-a803-4d91-b027-f8e0b0d601a7", "value": "http://imansport.ir/download_invitee.php", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775230281", "to_ids": true, "type": "url", "uuid": "89083eb7-55cb-43a4-9a24-85f879b5ed5d", "value": "http://solpru.com/process/docusign.html", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775230302", "to_ids": true, "type": "url", "uuid": "d59422e2-3e9c-473e-af66-3dd9496aa1d4", "value": "https://bumptobabeco.top/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest'", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:03/04/2026", "deleted": false, "disable_correlation": false, "timestamp": "1775227075", "to_ids": true, "type": "sha1", "uuid": "50ea56ad-15da-4340-8df5-95252cf1f76b", "value": "1b576ebba5b7bbd023eea1b15dac1ed3fb76a211", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "ScreenConnect C2 Server", "deleted": false, "disable_correlation": false, "timestamp": "1775230324", "to_ids": true, "type": "domain", "uuid": "ae87fc08-3309-415f-859f-097ff0e6d411", "value": "bumptobabeco.top", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775230345", "to_ids": true, "type": "domain", "uuid": "2caee86b-22ea-44c2-8878-932dfda46874", "value": "imansport.ir", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775230366", "to_ids": true, "type": "domain", "uuid": "c8c3380e-9a6b-41b9-bae1-7e8cf84e701b", "value": "solpru.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775230387", "to_ids": true, "type": "domain", "uuid": "4ca0e9c0-c653-4910-a69a-35f8b04fffd7", "value": "checkfirst.net.au", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "ScreenConnect C2 Server", "deleted": false, "disable_correlation": false, "timestamp": "1775230409", "to_ids": true, "type": "hostname", "uuid": "4a0b2566-0732-4f2c-9805-eb70779d116d", "value": "instance-lh1907-relay.screenconnect.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "An object describing a YARA rule (or a YARA rule name) along with its version.", "meta-category": "misc", "name": "yara", "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3", "template_version": "7", "timestamp": "1775225370", "uuid": "5a35e838-6a81-4e57-a9be-ad4950a96d7f", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara-rule-name", "timestamp": "1775225370", "to_ids": false, "type": "text", "uuid": "cbb87d86-0d34-4ef6-b70c-a4819db27315", "value": "Windows_Trojan_SilentConnect_cdc03e84" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "comment", "timestamp": "1775225370", "to_ids": false, "type": "comment", "uuid": "cc8bf007-6c76-4c55-94c7-0e79c63c35ea", "value": "Windows_Trojan_SilentConnect_cdc03e84" }, { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara", "timestamp": "1775225370", "to_ids": true, "type": "yara", "uuid": "33becd30-dac7-4339-bec7-dfef176b9559", "value": "rule Windows_Trojan_SilentConnect_cdc03e84 {\r\n meta:\r\n author = \"Elastic Security\"\r\n creation_date = \"2026-03-04\"\r\n last_modified = \"2026-03-04\"\r\n os = \"Windows\"\r\n arch = \"x86\"\r\n threat_name = \"Windows.Trojan.SilentConnect\"\r\n reference_sample = \"8bab731ac2f7d015b81c2002f518fff06ea751a34a711907e80e98cf70b557db\"\r\n license = \"Elastic License v2\"\r\n strings:\r\n $peb_evade = \"winhlp32.exe\" wide fullword\r\n $rev_elevation = \"wen!rotartsinimdA:noitavelE\" wide fullword\r\n $masquerade_peb_str = \"MasqueradePEB\" ascii fullword\r\n $guid = \"3E5FC7F9-9A51-4367-9063-A120244FBEC7\" wide fullword\r\n $unique_str = \"PebFucker\" ascii fullword\r\n $peb_shellcode = { 53 48 31 DB 48 31 C0 65 48 8B 1C 25 60 00 00 00 }\r\n $rev_screenconnect = \"tcennoCneercS\" ascii wide\r\n condition:\r\n 5 of them\r\n}" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1775230430", "uuid": "13cd9b69-2b47-4b02-8fa9-c85b13ed1466", "Attribute": [ { "category": "Payload delivery", "comment": "VBScript", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1775230430", "to_ids": true, "type": "md5", "uuid": "ca5702bb-ad01-4656-9dcf-e13d21dbc0de", "value": "cf846e3ce4db94168669eb8dcfe4d956", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "VBScript", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1775227068", "to_ids": true, "type": "sha1", "uuid": "58e6718a-e845-44e1-82de-da05f43857d9", "value": "3d99898c8e746bfb46d2333954867acb3d91714c", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "VBScript", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1775227068", "to_ids": true, "type": "sha256", "uuid": "6d03f41d-47b4-4ddc-8635-f9e2282d6faf", "value": "281226ca0203537fa422b17102047dac314bc0c466ec71b2e6350d75f968f2a3", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1775226318", "to_ids": true, "type": "ssdeep", "uuid": "acab48ad-fade-47f0-bbf7-b8a35634df9f", "value": "192:pom1At1rxGDnlNl/vHO6YYeLnGvWYYhb3chDvUs0prhLUcX:2mG" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1775226318", "to_ids": false, "type": "size-in-bytes", "uuid": "d79781fa-0fa5-4024-b701-638aa34b2ebd", "value": "14767" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1775226318", "to_ids": true, "type": "vhash", "uuid": "ce9b5acf-8ce3-41a1-b3aa-bb8553dccf04", "value": "66f0b2a24ab21c090efdc4e4698d9a0f" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1775226318", "to_ids": true, "type": "filename", "uuid": "07d8114e-3871-409c-a072-727043503641", "value": "E-INVITE.vbs" }, { "category": "Other", "comment": "Checked: 03/04/2026\nLast-scan\t: 03/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1775226318", "to_ids": false, "type": "text", "uuid": "ed3b19b1-f988-4695-874e-159855db68fd", "value": "VBScript\r\nType Description: VBA\nMicrosoft: Trojan:VBS/Obfuse.PAD!MTB\nVT Total Detection:26/61\nFirst Submission:2026-03-10T18:46:35.000000+00:00\nLast Submission:2026-03-10T18:46:35.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1775230451", "uuid": "b9a12242-a7b9-4eaf-8022-deafd10c702d", "Attribute": [ { "category": "Payload delivery", "comment": "Syncro Installer", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1775230451", "to_ids": true, "type": "md5", "uuid": "11c1828b-0a19-44dc-82d5-a465a87577d0", "value": "55c81017eee2ba0db983521b9b769f00", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Syncro Installer", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1775227069", "to_ids": true, "type": "sha1", "uuid": "b9d6643a-ba2a-4609-b529-7d9164276e11", "value": "d24be8e27e1bd58508c662a74c1358e928d37509", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Syncro Installer", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1775227069", "to_ids": true, "type": "sha256", "uuid": "6d398eed-1361-4eb8-a2c5-d586da8c3b3a", "value": "349e78de0fe66d1616890e835ede0d18580abe8830c549973d7df8a2a7ffdcec", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1775226339", "to_ids": true, "type": "ssdeep", "uuid": "30e161be-cd4d-4e50-915b-8d3a8e9039b9", "value": "98304:nh/evJLeTmDDi9UeK7kqXf0FGxLCbD3ha5Uc6v6O3xUM3/L9LI/cbt7/Cp/z2OIn:nh/ev5eTeW90kSIbDoUcfOhzT9cEt720" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1775226339", "to_ids": false, "type": "size-in-bytes", "uuid": "00f5af45-99b5-4119-8951-21100658a40b", "value": "5858856" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1775226339", "to_ids": true, "type": "vhash", "uuid": "398abbb2-c461-42a7-9413-e25a5becb7b3", "value": "25603675651a122a49f7a4711cd9" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1775226339", "to_ids": true, "type": "filename", "uuid": "3097aca9-12d9-4715-b85a-4153812ae434", "value": "Installer.exe" }, { "category": "Other", "comment": "Checked: 03/04/2026\nLast-scan\t: 03/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1775226339", "to_ids": false, "type": "text", "uuid": "c0ba0b10-000b-4bfb-91a7-d883aab2dccc", "value": "Syncro Installer\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Supma.A\nVT Total Detection:26/71\nFirst Submission:2026-03-10T20:52:43.000000+00:00\nLast Submission:2026-03-12T12:27:45.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1775230472", "uuid": "c9f6ea55-9974-4bbb-bacc-60e8d19022e8", "Attribute": [ { "category": "Payload delivery", "comment": "C#", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1775230472", "to_ids": true, "type": "md5", "uuid": "012a36e1-e2f4-4b74-baa4-4e81da1fd7e9", "value": "8cc8e4835de092468989d8a2ffcb730a", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "C#", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1775227070", "to_ids": true, "type": "sha1", "uuid": "1d5359fb-5b74-4d27-8c8e-e14796fae0fc", "value": "7a5fbbdb2aa7e2c4ddc82c3620d733810d587c27", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "C#", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1775227070", "to_ids": true, "type": "sha256", "uuid": "18228f15-915a-4914-b1c5-8a64cb16c9eb", "value": "81956d08c8efd2f0e29fd3962bcf9559c73b1591081f14a6297e226958c30d03", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1775226361", "to_ids": true, "type": "ssdeep", "uuid": "d728a2c3-a6c5-4fe1-838b-ecc465952ec8", "value": "1536:UG1KNHpX/3mbmtNYNYzRgxtkg3lIzhBzE4V4Ep7YdEn4hDIx4mxhLnhVGNTsV/lY:3" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1775226361", "to_ids": false, "type": "size-in-bytes", "uuid": "21aef5f4-eeec-41db-8c1a-5bacb8dfcb60", "value": "681254" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1775226361", "to_ids": true, "type": "filename", "uuid": "23e70485-7cb1-458f-b380-3f100d255b11", "value": "filer.txt" }, { "category": "Other", "comment": "Checked: 03/04/2026\nLast-scan\t: 31/03/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1775226361", "to_ids": false, "type": "text", "uuid": "271693d7-16ce-4b0f-85b9-e8665177dd8c", "value": "C#\r\nType Description: Text\nMicrosoft: None\nVT Total Detection:5/61\nFirst Submission:2026-03-10T18:49:12.000000+00:00\nLast Submission:2026-03-10T18:49:12.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1775230493", "uuid": "71e2a151-1eb8-4f35-9d5e-2ca128682a69", "Attribute": [ { "category": "Payload delivery", "comment": "SILENTCONNECT", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1775230493", "to_ids": true, "type": "md5", "uuid": "bf450e3b-7e03-4beb-9537-c92e5f6a1743", "value": "53b705a1ff29b71c0872ee7e969bfaf4", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "SILENTCONNECT", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1775227071", "to_ids": true, "type": "sha1", "uuid": "abdac0ba-0426-4e16-9c3d-2db392997811", "value": "d3d5cad0562d3ffd0778e924e45c9a5fd368267b", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "SILENTCONNECT", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1775227071", "to_ids": true, "type": "sha256", "uuid": "5abc6cb2-dfc7-45d1-a849-1766148b2ded", "value": "8bab731ac2f7d015b81c2002f518fff06ea751a34a711907e80e98cf70b557db", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1775226384", "to_ids": true, "type": "ssdeep", "uuid": "6d51b70b-0a54-4fa2-9f38-40f1786967de", "value": "768:jKdq0DigwUWcpa8SZw8yJix9+WCsW+yEKn4iAbQXP0w+I:jXupaFcP8" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1775226384", "to_ids": false, "type": "size-in-bytes", "uuid": "9d0928fc-9ab7-4dd4-9ee0-b0cf9fa5bd3d", "value": "27648" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1775226384", "to_ids": true, "type": "vhash", "uuid": "07b41cbb-371f-4b38-ab08-669521b2ad11", "value": "02402665|z" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1775226384", "to_ids": true, "type": "filename", "uuid": "58653780-e438-4eb0-b9f3-9fd22bd07358", "value": "8bab731ac2f7d015b81c2002f518fff06ea751a34a711907e80e98cf70b557db.exe" }, { "category": "Other", "comment": "Checked: 03/04/2026\nLast-scan\t: 30/03/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1775226384", "to_ids": false, "type": "text", "uuid": "c82d3897-13ca-4725-83fb-092216e805b2", "value": "SILENTCONNECT\r\nType Description: Win32 EXE\nMicrosoft: Trojan:MSIL/Injector.KKA!MTB\nVT Total Detection:47/71\nFirst Submission:2026-03-10T18:48:19.000000+00:00\nLast Submission:2026-03-20T12:26:58.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1775230515", "uuid": "6327bd15-94b0-451c-b4a0-6a457889db14", "Attribute": [ { "category": "Payload delivery", "comment": "VBScript", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1775230515", "to_ids": true, "type": "md5", "uuid": "08d9b52d-a614-4251-8927-2f10e77d56da", "value": "fa251523d7da027f49aad93d6049d40e", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "VBScript", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1775227072", "to_ids": true, "type": "sha1", "uuid": "38ea9f00-9c59-4bec-8bea-e9f2a463482b", "value": "f4f9cfda5bea62a13734c844609d6a8112b6c886", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "VBScript", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1775227072", "to_ids": true, "type": "sha256", "uuid": "acdaaa4b-5ed0-443f-8074-9bfc19c50c8f", "value": "adc1cf894cd35a7d7176ac5dab005bea55516bc9998d0c96223b6c0004723c37", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1775226405", "to_ids": true, "type": "ssdeep", "uuid": "8ca77bff-e21f-47b6-9358-f3139537ca39", "value": "192:zomDAt1rxGDnlNl/vHOxrYUYkLnGvWYYhb3chDvUs0prhLUcX:cmQ" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1775226405", "to_ids": false, "type": "size-in-bytes", "uuid": "8ded67d1-a893-4e8f-982c-b95c131e352e", "value": "15040" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1775226405", "to_ids": true, "type": "vhash", "uuid": "9f221a8a-bcd4-44cd-83ab-a7e7a93a947c", "value": "66f0b2a24ab21c090efdc4e4698d9a0f" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1775226405", "to_ids": true, "type": "filename", "uuid": "4fe59a33-0821-4ce1-a7f8-098a8f5f5e43", "value": "2025Trans.vbs" }, { "category": "Other", "comment": "Checked: 03/04/2026\nLast-scan\t: 03/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1775226405", "to_ids": false, "type": "text", "uuid": "9095e9fc-253c-41cd-b5e7-07f2af883c3b", "value": "VBScript\r\nType Description: VBA\nMicrosoft: Trojan:VBS/Obfuse.PAD!MTB\nVT Total Detection:26/61\nFirst Submission:2026-03-06T00:38:22.000000+00:00\nLast Submission:2026-03-06T00:38:22.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1775230536", "uuid": "66d7f512-e1be-4c82-aeae-b21b50c43593", "Attribute": [ { "category": "Payload delivery", "comment": "SCREENCONNECT Installer", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1775230536", "to_ids": true, "type": "md5", "uuid": "f641f98c-f269-451e-88f5-56af1b683558", "value": "658186a75f2a6caba5b7e4af2d4651ca", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "SCREENCONNECT Installer", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1775227073", "to_ids": true, "type": "sha1", "uuid": "062535b1-ac95-424f-bdd1-2f364158ecd8", "value": "0c950ea3559e7df8118bc8249afb75dd4013ef56", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "SCREENCONNECT Installer", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1775227073", "to_ids": true, "type": "sha256", "uuid": "c5276fa5-3ca4-44a7-8f6c-618384c646bb", "value": "c3d4361939d3f6cf2fe798fef68d4713141c48dce7dd29d3838a5d0c66aa29c7", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1775226427", "to_ids": true, "type": "ssdeep", "uuid": "b0ae52e7-89a2-40da-98ed-45bdc9e75e9b", "value": "196608:prnLYG3zDhukOjrnLYG3zmrnLYG3zcrnLYG3zKrnLYG3zHrnLYG3zyrnLYG3zL:pbDDDgvjbDDmbDDcbDDKbDDHbDDybDDL" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1775226427", "to_ids": false, "type": "size-in-bytes", "uuid": "050b8a33-9b78-436f-b807-f4e9f935adfa", "value": "13467648" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1775226427", "to_ids": true, "type": "vhash", "uuid": "1e5a945f-8926-4c4f-a799-bd0768770b19", "value": "45155b83172cd3ff230fec9025027227" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1775226427", "to_ids": true, "type": "filename", "uuid": "5d258992-570c-46a8-8955-5128aadc9956", "value": "ScreenConnect.ClientSetup.msi" }, { "category": "Other", "comment": "Checked: 03/04/2026\nLast-scan\t: 30/03/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1775226427", "to_ids": false, "type": "text", "uuid": "5edaa269-91bd-416e-b22f-081470f75aaa", "value": "SCREENCONNECT Installer\r\nType Descriptio%WINDIR%\\Installer\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:24/62\nFirst Submission:2026-03-02T08:14:05.000000+00:00\nLast Submission:2026-03-02T08:14:05.000000+00:00" } ] } ] } }