{
  "Event": {
    "analysis": "1",
    "date": "2026-04-21",
    "extends_uuid": "",
    "info": "[Threat Intel] New NGate variant hides in a trojanized NFC payment app",
    "protected": false,
    "publish_timestamp": "1779544343",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1779544343",
    "uuid": "4a18a9ed-49f3-47a3-bd58-f6515873ec2f",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#8675c7",
        "local": false,
        "name": "misp-galaxy:producer=\"ESET\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#5884a7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious Link - T1204.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#c94db5",
        "local": false,
        "name": "misp-galaxy:target-information=\"Brazil\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#170059",
        "local": false,
        "name": "rectifyq:topic=\"mobile-attack\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"Cybercrime\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1646\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"GUI Input Capture - T1417.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1660\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      },
      {
        "colour": "#220082",
        "local": false,
        "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776855621",
        "to_ids": false,
        "type": "link",
        "uuid": "64dbe45e-6b57-4182-b364-a517c3d2bded",
        "value": "https://www.welivesecurity.com/en/eset-research/new-ngate-variant-hides-in-a-trojanized-nfc-payment-app/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776855621",
        "to_ids": false,
        "type": "text",
        "uuid": "9bc2f8fb-c156-4fb6-a79e-2fb7dc9c3af4",
        "value": "ESET researchers have identified a new NGate malware variant targeting Android users in Brazil since November 2025. The threat actors trojanized the legitimate HandyPay NFC payment application, likely using AI-generated code, to relay NFC data from victims' payment cards to attacker-controlled devices. The malware enables unauthorized ATM withdrawals and payments while also capturing and exfiltrating payment card PINs to command-and-control servers. Distribution occurs through two channels: a fake Rio de Pr\u00eamios lottery website where victims always win a rigged prize, and a fraudulent Google Play page offering a fake card protection app. Both distribution sites are hosted on the same domain. This campaign represents an evolution in NFC-based fraud, with attackers choosing to patch existing legitimate applications rather than using established malware-as-a-service offerings."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776855621",
        "to_ids": false,
        "type": "text",
        "uuid": "4f6df4ef-9ae7-439f-bf0b-8f2ef14f0cce",
        "value": "Name: New NGate variant hides in a trojanized NFC payment app\nAuthor: AlienVault\nAdversary: \nTags: [\"handypay trojanization\", \"brazil targeting\", \"ngate\", \"fake lottery\", \"nfc relay\", \"ai-generated code\", \"pin theft\", \"phantomcard\", \"payment card fraud\"]\nTgtd countries: [\"Brazil\"]\nMlwr families: [\"NGate\", \"PhantomCard\"]\nAttack_ids: [\"T1204.001\"]\nIndustries: [\"Finance\"]"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777215124",
        "to_ids": true,
        "type": "domain",
        "uuid": "c154efbf-80b6-43e5-aa8e-ca8ed35bb810",
        "value": "raiffeisen-cz.eu",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777215145",
        "to_ids": true,
        "type": "hostname",
        "uuid": "19d3d65c-afb8-492a-98d9-a91b611b79c4",
        "value": "app.mobil-csob-cz.eu",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777215166",
        "to_ids": true,
        "type": "hostname",
        "uuid": "2b005c75-06a5-47aa-9ff0-ee8664c1eb62",
        "value": "nfc.cryptomaker.info",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:26/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779544343",
        "to_ids": true,
        "type": "sha1",
        "uuid": "6e918cc3-6f24-4b2a-8c2a-74e41fe055f6",
        "value": "94af94ca818697e1d99123f69965b11ead9f010c",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777215188",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "e313d7d0-d645-4326-af05-017804a08e96",
        "value": "108.165.230.223",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777215209",
        "to_ids": true,
        "type": "domain",
        "uuid": "cf9f3bdf-c98d-46c7-8d09-8fab4d988c05",
        "value": "protecaocartao.online",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777215230",
        "to_ids": true,
        "type": "hostname",
        "uuid": "4bba1601-ae37-4c36-9604-30d015847415",
        "value": "spy.ngate.cc",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777215251",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "1572016c-aaea-417c-bb97-7dede9c788d2",
        "value": "104.21.91.170",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779544321",
        "uuid": "0036e6c8-81e0-4722-a0a7-69e97bf49f28",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779544320",
            "to_ids": true,
            "type": "md5",
            "uuid": "1e9ff352-0961-4bfb-a499-c75f683108a0",
            "value": "633c3636b646bd08af271584c0e41ff9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779544320",
            "to_ids": true,
            "type": "sha1",
            "uuid": "acb0fd7f-167f-42a0-bb8f-d108ffa79911",
            "value": "103d78a180eb973b9ffc289e9c53425d29a77229",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779544321",
            "to_ids": true,
            "type": "sha256",
            "uuid": "8955373b-c485-491a-aaf8-8832ecab8f8b",
            "value": "95d906dca5a3be5cf066268662b3c953860e54e9cdcfcd427faf0aaa9cb62bad",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777212920",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "816be32d-0181-4e32-b0c1-ff012e8d662c",
            "value": "196608:vB9cGaEmcdz59CNiRKlHNMayg68qP8Bj4Mry39SnK:5KG7mcx5RwCgR9x4MeNSK"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777212920",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "5078d43d-744c-4194-bfa8-9a29cb03a36d",
            "value": "10892923"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777212920",
            "to_ids": true,
            "type": "vhash",
            "uuid": "f410b313-1f31-4f77-b576-5dbdb3f43f55",
            "value": "18ae38326b8348902b38e66e9b493d30"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777212920",
            "to_ids": true,
            "type": "filename",
            "uuid": "e01a5bd0-9e10-458b-8b6f-52eb45464b4d",
            "value": "95d906dca5a3be5cf066268662b3c953860e54e9cdcfcd427faf0aaa9cb62bad.apk"
          },
          {
            "category": "Other",
            "comment": "Checked: 26/04/2026\nLast-scan\t:  24/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777212920",
            "to_ids": false,
            "type": "text",
            "uuid": "4e716c8f-b8a6-4d45-b547-ada057192712",
            "value": "Type Description: Android\nMicrosoft: None\nVT Total Detection:30/68\nFirst Submission:2024-03-05T23:45:20.000000+00:00\nLast Submission:2026-01-17T11:54:50.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779544324",
        "uuid": "a0096552-85bb-41e0-b2ec-b6ca465c28fa",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779544323",
            "to_ids": true,
            "type": "md5",
            "uuid": "66e84e5b-bb4b-4ece-b955-e4aad677ca97",
            "value": "7cecbdfdf2e7a7ae7cc226ae26cd3797",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779544323",
            "to_ids": true,
            "type": "sha1",
            "uuid": "df4904c9-cc68-41ec-9256-37c687673a4b",
            "value": "11be9715be9b41b1c8527c9256f0010e26534fdb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779544324",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4435452c-b3f4-45c3-8d47-f7bb83e9da25",
            "value": "17a16f08108e25af1c8b058adbaca2cada6a93c2d38c9854148f9e9caac76ac3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777212941",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e1e84b7e-4f2c-4b53-aa55-3ce975981f46",
            "value": "196608:vB9txaoHBD+mcdz59CNiWKlHNMayg68qP8dmsE0NF1W+DVw3JTCIB/DLbhx:5nxHHBD+mcx5RDCgR9dmsEiPVcm+x"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777212941",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "5fc77f35-bede-48ca-9a51-6caacbea8482",
            "value": "11807434"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777212941",
            "to_ids": true,
            "type": "vhash",
            "uuid": "71be3cfe-1af3-4844-b99f-945fe7c0aff4",
            "value": "0bd0e1f49b251fcff712a1573c3a3afa"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777212942",
            "to_ids": true,
            "type": "filename",
            "uuid": "bf12aa87-bad8-4b85-b79d-c30bf3d51228",
            "value": "7CECBDFDF2E7A7AE7CC226AE26CD3797.APK"
          },
          {
            "category": "Other",
            "comment": "Checked: 26/04/2026\nLast-scan\t:  24/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777212942",
            "to_ids": false,
            "type": "text",
            "uuid": "e8a8203b-8009-4bb7-8256-c1f0287872b9",
            "value": "Type Description: Android\nMicrosoft: None\nVT Total Detection:29/68\nFirst Submission:2024-04-03T13:10:38.000000+00:00\nLast Submission:2026-02-12T13:10:56.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779544327",
        "uuid": "b50a9a54-1bce-469e-9085-357ad02e6bd8",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779544326",
            "to_ids": true,
            "type": "md5",
            "uuid": "85f315fb-3cdb-4603-9311-ff3e2ddd8701",
            "value": "84361aaf11cde2df075e65fc31082358",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779544326",
            "to_ids": true,
            "type": "sha1",
            "uuid": "190eea8a-010c-4453-8ae3-5d39a2a17522",
            "value": "da84bc78ff2117ddbfdcba4e5c4e3666eea2013e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779544327",
            "to_ids": true,
            "type": "sha256",
            "uuid": "10894d48-fe1d-486c-8c51-7355448f6167",
            "value": "162f8c6bafe0c343c37f173344c4f6880eaec0aea7b491565db874366b161784",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777212963",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "1f5f5c05-5fad-43d1-82ed-64ce4751dc45",
            "value": "196608:vB9cGa7omcdz59CNi0SWl4M3v9ldVjKlHNMayg68qP8L:5KGaomcx5R24M3vT+CgR9L"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777212963",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "ce212109-b670-4bc4-8620-5eab61b30fa4",
            "value": "8514557"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777212963",
            "to_ids": true,
            "type": "vhash",
            "uuid": "6746e41f-5f48-42e7-b823-10bcf12c840b",
            "value": "18ae38326b8348902b38e66e9b493d30"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777212963",
            "to_ids": true,
            "type": "filename",
            "uuid": "f8796ccd-0634-47ef-8b59-82b6b59f99a8",
            "value": "162f8c6bafe0c343c37f173344c4f6880eaec0aea7b491565db874366b161784.apk"
          },
          {
            "category": "Other",
            "comment": "Checked: 26/04/2026\nLast-scan\t:  24/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777212963",
            "to_ids": false,
            "type": "text",
            "uuid": "676ee707-81f8-4509-b8d9-425d893e93a9",
            "value": "Type Description: Android\nMicrosoft: None\nVT Total Detection:29/68\nFirst Submission:2024-03-12T09:48:47.000000+00:00\nLast Submission:2026-01-17T11:23:09.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779544330",
        "uuid": "510dd97c-2414-4e41-a217-3fd77725c7df",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779544329",
            "to_ids": true,
            "type": "md5",
            "uuid": "65a717b7-865f-4fb5-bda2-5fb40fe62aa2",
            "value": "ea6a6666616f6b02c7b679782a676eab",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779544329",
            "to_ids": true,
            "type": "sha1",
            "uuid": "eca78dc9-6446-4f19-9bbf-3413b1f1ab57",
            "value": "66de1e0a2e9a421dd16bd54b371558c93e59874f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779544330",
            "to_ids": true,
            "type": "sha256",
            "uuid": "ef251568-1df7-488f-afea-d7a8b168ff20",
            "value": "ddd9e5cfa9e1ddd8d849baef2b487a1608d1695f44c70f246c101de1275887dd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777212985",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e47a1670-80cb-4532-84fd-fc3c7cd451d6",
            "value": "196608:vB92iarYBD+mcdz59CNiWKlHNMayg68qP8lrM60hkZDT9u5N/vLUR/myEiTdAflr:5kiIYBD+mcx5RDCgR9pM60hkhUvI9m3F"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777212985",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "01240aff-7ea8-4103-ad13-c9ae5a23ad80",
            "value": "11882030"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777212985",
            "to_ids": true,
            "type": "vhash",
            "uuid": "21acd72b-2626-4f20-aeec-ad793b6f628c",
            "value": "0bd0e1f49b251fcff712a1573c3a3afa"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777212985",
            "to_ids": true,
            "type": "filename",
            "uuid": "1273d619-21ae-47af-bbfd-eca8b0a31eda",
            "value": "ddd9e5cfa9e1ddd8d849baef2b487a1608d1695f44c70f246c101de1275887dd.apk"
          },
          {
            "category": "Other",
            "comment": "Checked: 26/04/2026\nLast-scan: 24/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777212985",
            "to_ids": false,
            "type": "text",
            "uuid": "c0649435-8a47-4658-9a55-39d90c316436",
            "value": "Type Description: Android\nMicrosoft: None\nVT Total Detection:29/67\nFirst Submission:2024-04-03T13:07:41.000000+00:00\nLast Submission:2026-01-17T12:11:47.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779544332",
        "uuid": "fa778efc-a226-42db-9c1b-3d7449a06d4d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779544332",
            "to_ids": true,
            "type": "md5",
            "uuid": "981448f8-b6bd-4097-b6d9-557503e2792a",
            "value": "3c7f107731634fcb7e3f07b693acd4ce",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779544332",
            "to_ids": true,
            "type": "sha1",
            "uuid": "20d3709b-5d0e-48a4-8cd5-ecbc6860dd7f",
            "value": "7225ed2cba9cb6c038d8615a47423e45522a9ad1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779544332",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4c7893f3-fb9d-4a90-ab02-330d4fffb240",
            "value": "e19a7c8e4994ea4ed680136c9e3a6fff7b82c72f5743952821a446b6cb830f06",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777213007",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "27715ddb-fa5b-4fbe-a075-25ff95597a24",
            "value": "196608:vB9cGarmcdz59CNiRKlHNMayg68qP8iJ8VNOIa2P9Eg5ADhbbt:5KGwmcx5RwCgR9ioOIjDAD9t"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777213007",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "936af325-1fe7-4d71-9c3d-c7757fed9dad",
            "value": "10969368"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777213007",
            "to_ids": true,
            "type": "vhash",
            "uuid": "2ff3ed24-d124-4439-9538-549e88583f22",
            "value": "18ae38326b8348902b38e66e9b493d30"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777213007",
            "to_ids": true,
            "type": "filename",
            "uuid": "28d5b309-31c6-4f05-a40e-4ee978fd7856",
            "value": "e19a7c8e4994ea4ed680136c9e3a6fff7b82c72f5743952821a446b6cb830f06.apk"
          },
          {
            "category": "Other",
            "comment": "Checked: 26/04/2026\nLast-scan: 23/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777213007",
            "to_ids": false,
            "type": "text",
            "uuid": "4de9f269-11aa-4866-9c3c-9d9b0902ef6c",
            "value": "Type Description: Android\nMicrosoft: None\nVT Total Detection:30/69\nFirst Submission:2024-03-12T12:35:48.000000+00:00\nLast Submission:2026-01-17T12:12:25.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779544335",
        "uuid": "f493cdd6-c2fc-4877-9aec-408806786b5a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779544335",
            "to_ids": true,
            "type": "md5",
            "uuid": "cd381a67-7a5e-4985-b390-60d196ca911d",
            "value": "8595855eaf9fe0398c8bff7fa06151bf",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779544335",
            "to_ids": true,
            "type": "sha1",
            "uuid": "2fae76fe-390b-4b63-a442-f4430076b0ef",
            "value": "e7ae59cd44204461edbddf292d36eeed38c83696",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779544335",
            "to_ids": true,
            "type": "sha256",
            "uuid": "fb453969-eedb-469c-864a-14c106dd5974",
            "value": "1d126e5904dde3b46175a4aae89eec1fb8a6b80e35b1f473878e5dd288f8aae6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777213028",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "dae9502e-3043-4652-8c1f-0dec148fcb92",
            "value": "196608:vB9txaGGBD+mcdz59CNiWKlHNMayg68qP8hjlpIfmqTOrz+QjPk147gy08BXmLZL:5nxhGBD+mcx5RDCgR99/Ifm6OlkMgy0n"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777213028",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "61aacf4b-46f1-4501-abd1-a39698387759",
            "value": "11807451"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777213028",
            "to_ids": true,
            "type": "vhash",
            "uuid": "077f7982-7d09-484d-9851-42842b6db6b2",
            "value": "0bd0e1f49b251fcff712a1573c3a3afa"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777213028",
            "to_ids": true,
            "type": "filename",
            "uuid": "c2dba4cf-3490-4976-b038-d41929de968b",
            "value": "8595855EAF9FE0398C8BFF7FA06151BF.APK"
          },
          {
            "category": "Other",
            "comment": "Checked: 26/04/2026\nLast-scan: 25/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777213028",
            "to_ids": false,
            "type": "text",
            "uuid": "153a4ec7-6852-4219-a6cc-b8c0851ae43b",
            "value": "Type Description: Android\nMicrosoft: None\nVT Total Detection:29/68\nFirst Submission:2024-04-03T07:59:25.000000+00:00\nLast Submission:2026-02-13T11:41:20.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779544338",
        "uuid": "c9bea035-971f-4733-896c-43d3c92656ba",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779544337",
            "to_ids": true,
            "type": "md5",
            "uuid": "75ba6c08-e3a6-48e5-9a93-ed207b76e5d8",
            "value": "d142bb04f32a50db476b63bbe1ac2ee7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779544338",
            "to_ids": true,
            "type": "sha1",
            "uuid": "a412ba8f-edc0-4a3e-bfca-f517f0770528",
            "value": "48a0de6a43fc6e49318ad6873ea63fe325200dbc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779544338",
            "to_ids": true,
            "type": "sha256",
            "uuid": "039bd5be-53ea-4647-bd32-3d17749d6539",
            "value": "6e3eea7fb31b8e81026021307247f6eecc5b7f97f35e900796f4786746cde3b8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777213050",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "ddb58276-956a-4f01-84b7-936705211cd0",
            "value": "49152:3l5/B40ynpOptLqG8tVDY0dcLohDikF9dS6s9dS6UKFJp47SM+5oLN:3l5/B40ynmtLq9b9d+ohDrooZSM+5oh"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777213050",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "c5695aa4-50c3-4ea8-aece-dac3177461d7",
            "value": "2945352"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777213050",
            "to_ids": true,
            "type": "vhash",
            "uuid": "b8cb784c-9b2d-43d0-9f09-1411169b41b4",
            "value": "0b31c237c9f0dff422fc99c1de05a7e4"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777213050",
            "to_ids": true,
            "type": "filename",
            "uuid": "0462f72d-5a88-439b-a51d-6a831b7c1f62",
            "value": "PROTECAO_CARTAO.apk"
          },
          {
            "category": "Other",
            "comment": "Checked: 26/04/2026\nLast-scan: 24/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777213050",
            "to_ids": false,
            "type": "text",
            "uuid": "38be8504-86f2-457f-a878-9a93fabf2c8e",
            "value": "Type Description: Android\nMicrosoft: None\nVT Total Detection:16/66\nFirst Submission:2025-11-09T03:16:04.000000+00:00\nLast Submission:2026-04-24T14:39:01.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779544341",
        "uuid": "aaff549d-76a1-4d4c-84c7-acf059a93029",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779544340",
            "to_ids": true,
            "type": "md5",
            "uuid": "8383665a-f68e-465e-9550-36f34f3d8722",
            "value": "29809efa7370aa8679d3c60b9a8c7d49",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779544341",
            "to_ids": true,
            "type": "sha1",
            "uuid": "56a44fdc-fa90-4eb5-a339-e6919e5185a3",
            "value": "a4f793539480677241ef312150e9c02e324c0aa2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779544341",
            "to_ids": true,
            "type": "sha256",
            "uuid": "8aa6a915-13de-450f-96e5-d6260be02346",
            "value": "8c93845d33f36a96a72deb5d0a07a9be93589461dd3bce8c87293d82d18459af",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777213093",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "13a65857-6cb6-4c3f-a1bc-433f8dbafea0",
            "value": "49152:C9uBQLYXThy8XtnZ3r3hh5/6In+tlSbXlQM9dS629dS6OcFJp4jSM+IEz:CUqu5tZrhX/1nHbXHqafSM+IW"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777213093",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "12d008d7-66df-4bdc-a0f3-5d5ffaecdf6d",
            "value": "2945352"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777213093",
            "to_ids": true,
            "type": "vhash",
            "uuid": "df58eef1-925f-4aa4-b9e3-b7e0236805c3",
            "value": "0b31c237c9f0dff422fc99c1de05a7e4"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777213093",
            "to_ids": true,
            "type": "filename",
            "uuid": "21e2319a-df0c-462f-9adb-5089b447c6b7",
            "value": "8c93845d33f36a96a72deb5d0a07a9be93589461dd3bce8c87293d82d18459af.apk"
          },
          {
            "category": "Other",
            "comment": "Checked: 26/04/2026\nLast-scan: 25/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777213093",
            "to_ids": false,
            "type": "text",
            "uuid": "ddc4fb96-31b5-45ad-aadc-3b54846fda10",
            "value": "Type Description: Android\nMicrosoft: None\nVT Total Detection:19/66\nFirst Submission:2026-01-07T10:16:12.000000+00:00\nLast Submission:2026-04-24T14:39:54.000000+00:00"
          }
        ]
      }
    ]
  }
}