{
  "Event": {
    "analysis": "1",
    "date": "2026-04-21",
    "extends_uuid": "",
    "info": "[Threat Intel] Mach-O Man Malware: What CISOs Need to Know",
    "protected": false,
    "publish_timestamp": "1779544317",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1779544317",
    "uuid": "4fdded98-d7d1-4900-aee1-5c3ffb0659c5",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#60f452",
        "local": false,
        "name": "misp-galaxy:producer=\"ANY.RUN\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#95f9b9",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Sudo and Sudo Caching - T1548.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#68f2ff",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9bb6d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\"",
        "relationship_type": ""
      },
      {
        "colour": "#bce57a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Web Service - T1567\"",
        "relationship_type": ""
      },
      {
        "colour": "#75ec20",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"",
        "relationship_type": ""
      },
      {
        "colour": "#a320c3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Unsecured Credentials - T1552\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Archive Collected Data - T1560\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Permissions Modification - T1222\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#1cbe6b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Virtualization/Sandbox Evasion - T1497\"",
        "relationship_type": ""
      },
      {
        "colour": "#3780c6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
        "relationship_type": ""
      },
      {
        "colour": "#62f4c1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"",
        "relationship_type": ""
      },
      {
        "colour": "#6fe7f4",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Tool - T1588.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#7628f7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Unix Shell - T1059.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#15723e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Launch Agent - T1543.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#1a8d0c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Time Discovery - T1124\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"Lazarus Group\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#680082",
        "local": false,
        "name": "ms-caro-malware:malware-platform=\"MacOS\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      },
      {
        "colour": "#220082",
        "local": false,
        "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776855617",
        "to_ids": false,
        "type": "link",
        "uuid": "38871040-9fb3-458c-ad1d-c37279407489",
        "value": "https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776855617",
        "to_ids": false,
        "type": "text",
        "uuid": "34df7df7-eb68-4820-9377-a47a987ca0cd",
        "value": "Lazarus Group is conducting an active campaign targeting businesses through ClickFix attacks, distributing a newly identified macOS malware kit called \"Mach-O Man\". The attack begins with fake meeting invitations via Telegram, redirecting victims to fraudulent collaboration platforms impersonating Zoom, Microsoft Teams, or Google Meet. Victims are tricked into executing terminal commands that install the malware. The kit consists of Go-based Mach-O binaries including a stager, profiler, persistence mechanism, and stealer. The malware collects credentials, browser data, and macOS Keychain entries, exfiltrating data through Telegram. Primary targets include fintech, crypto, and high-value environments where macOS is prevalent. The campaign leverages social engineering and native macOS binaries to evade traditional EDR detection, ultimately enabling account takeover, unauthorized infrastructure access, and financial loss."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776855617",
        "to_ids": false,
        "type": "text",
        "uuid": "1df42e27-37c9-4388-926d-0302c2a25532",
        "value": "Name: Mach-O Man Malware: What CISOs Need to Know\nAuthor: AlienVault\nAdversary: Lazarus Group\nTags: [\"mach-o man\", \"browser stealing\", \"pylangghostrat\", \"social engineering\", \"macos\", \"mach-o binaries\", \"telegram exfiltration\", \"credential theft\", \"clickfix\", \"fintech targeting\"]\nTgtd countries: []\nMlwr families: [\"Mach-O Man\", \"PyLangGhostRAT\"]\nAttack_ids: [\"T1548.003\", \"T1082\", \"T1005\", \"T1140\", \"T1555\", \"T1567\", \"T1036\", \"T1552\", \"T1560\", \"T1222\", \"T1083\", \"T1497\", \"T1204\", \"T1057\", \"T1588.002\", \"T1566\", \"T1059.004\", \"T1543.001\", \"T1071.001\", \"T1124\"]\nIndustries: [\"Finance\", \"Technology\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776855617",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "80118855-94d7-44bf-b88e-c7e6fb9bd9cf",
        "value": "Lazarus Group"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777214742",
        "to_ids": true,
        "type": "domain",
        "uuid": "96e107a2-c34c-42a2-8a01-5e0b86c31c17",
        "value": "livemicrosft.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VirusTotal\r\nLast check: 26/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779544313",
        "to_ids": true,
        "type": "sha256",
        "uuid": "841269ff-6cd8-41b6-a302-343b1c71048e",
        "value": "cc31b3dc8aeed0af9dd24b7e739f183527d55d5b5ecd3d93ba45dd4aaa8ba260",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VirusTotal\r\nLast check: 26/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779544315",
        "to_ids": true,
        "type": "sha256",
        "uuid": "f3230424-ed32-4928-8cd9-d8257202ae66",
        "value": "eb3eae776d175f7fb2fb9986c89154102ba8eabfde10a155af4dfb18f28be1b5",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VirusTotal\r\nLast check: 26/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779544317",
        "to_ids": true,
        "type": "sha256",
        "uuid": "d9d0adb5-309c-4c99-b2a4-0f0a229a705d",
        "value": "a73ce18952b40fd621789e43c56b2af08d1497ce3560b2481fa973d8265ce491",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777214763",
        "to_ids": true,
        "type": "url",
        "uuid": "b44120a1-7376-40b4-bc64-f439e9ccdf79",
        "value": "http://172.86.113.102/localencode",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777214784",
        "to_ids": true,
        "type": "url",
        "uuid": "8940e6a7-2c93-4ce9-be27-d8ef4832d7f0",
        "value": "http://livemicrosft.com/meet/89035563931?p=9jXK14VFM8fObdKxfkake8tD7rPhzs.1",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777214805",
        "to_ids": true,
        "type": "url",
        "uuid": "a2decbb0-28ca-4ff4-8ac9-d589ba6c2b5f",
        "value": "http://update-teams.live/teams",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777214826",
        "to_ids": true,
        "type": "domain",
        "uuid": "154bb658-d193-4366-87cc-773b1fd01adf",
        "value": "update-teams.live",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777214847",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "ab18b3db-6761-44c4-87c1-824992d23bf9",
        "value": "172.86.113.102",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777214868",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "5b6dd803-35de-459e-a75a-eb175648a554",
        "value": "144.172.114.220",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777214889",
        "to_ids": true,
        "type": "url",
        "uuid": "1c32bd6b-3f5c-4ded-a382-cc0aa85c6809",
        "value": "http://172.86.113.102/Onedrive",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777214911",
        "to_ids": true,
        "type": "url",
        "uuid": "7b980b4f-9b1d-43ea-aa63-154d397e0497",
        "value": "https://update-teams.live/teams",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777214931",
        "to_ids": true,
        "type": "url",
        "uuid": "c61a9b37-9a28-4dfd-9624-647cd0b9658e",
        "value": "livemicrosft.com/meet/89035563931?p=9jXK14VFM8fObdKxfkake8tD7rPhzs.1",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779544291",
        "uuid": "07acd997-b20d-4b58-b0e9-c67970853a4f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779544290",
            "to_ids": true,
            "type": "md5",
            "uuid": "c5447f4d-1a12-4f6d-9745-29390a698656",
            "value": "b1f2fb42ab2f4ad0adfb05288b094bd9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779544290",
            "to_ids": true,
            "type": "sha1",
            "uuid": "0290cd65-eb36-4e2f-a83a-084d24ed1b96",
            "value": "8a9a52bf8b084bb220e1658dca828929afa12498",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779544291",
            "to_ids": true,
            "type": "sha256",
            "uuid": "7735418f-8b2f-4f8e-8218-9e3c0da4c7b3",
            "value": "0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777212679",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "03fb2432-56d9-4536-9dd3-f2bce5cc2230",
            "value": "49152:zsvqA0ngA7jS0+dRK5a1HJNx909gJ0OBQ5y:zwlAMkI1pT909QL"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777212679",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "018ceab5-cc4b-47a7-881f-62e0ac460823",
            "value": "4096160"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777212679",
            "to_ids": true,
            "type": "vhash",
            "uuid": "6ed94af5-7919-4779-a8f2-9cfead018229",
            "value": "dea4e4fecfeb12c13d5e5a82b06ef3fa"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777212679",
            "to_ids": true,
            "type": "filename",
            "uuid": "7840c8d2-2cff-4fc3-b227-3e57749d666d",
            "value": "0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90.macho"
          },
          {
            "category": "Other",
            "comment": "Checked: 26/04/2026\nLast scan: 26/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777212679",
            "to_ids": false,
            "type": "text",
            "uuid": "0f71bbfb-9512-4bf0-b051-25f61756b923",
            "value": "Type Description: Mach-O\nMicrosoft: Trojan:MacOS/Multiverze!rfn\nVT Total Detection:18/64\nFirst Submission:2026-04-22T08:45:59.000000+00:00\nLast Submission:2026-04-23T08:29:39.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779544294",
        "uuid": "ddc0cf49-5d66-47ca-8cb4-a6a5e1149b19",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779544293",
            "to_ids": true,
            "type": "md5",
            "uuid": "524d9ffd-2426-4f49-a78d-4e1d38f8462c",
            "value": "211571fe53a767e37428005a5db04e6f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779544293",
            "to_ids": true,
            "type": "sha1",
            "uuid": "d3446dc9-9f50-4cee-82ec-7fbbddb3e273",
            "value": "b0c5cc36fa9132379186b1cccb55da67f78e8c53",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779544294",
            "to_ids": true,
            "type": "sha256",
            "uuid": "793d7097-dd0a-4011-9fd7-85e4b45417bf",
            "value": "24af069b8899893cfc7347a4e5b46d717d77994a4b140d58de0be029dba686c9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777212701",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a9157d7c-bec9-4182-a956-f8dbda7fadea",
            "value": "49152:tbAYD2r/uSozF48yTQMVLvF37kTPC4/RvfIg36o8Rpr2BIPwEXJvp:tFeuSDZZtLOPC4/RIyvsLp3"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777212701",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "397cca26-c162-467a-8224-a756b3313c70",
            "value": "2531772"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777212701",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d8977274-6e97-47c4-a3ea-58914004cca0",
            "value": "f2353d165a979c25515cfe626cf7d5f1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777212701",
            "to_ids": true,
            "type": "filename",
            "uuid": "232ad0ff-4e51-4f43-bda0-a78e9ba750d6",
            "value": "24af069b8899893cfc7347a4e5b46d717d77994a4b140d58de0be029dba686c9.zip"
          },
          {
            "category": "Other",
            "comment": "Checked: 26/04/2026\nLast scan: 26/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777212701",
            "to_ids": false,
            "type": "text",
            "uuid": "55f21282-df5e-4411-800c-e801fe5cf7b9",
            "value": "Type Description: ZIP\nMicrosoft: Trojan:Win32/Ravartar!rfn\nVT Total Detection:27/66\nFirst Submission:2026-04-08T17:42:10.000000+00:00\nLast Submission:2026-04-08T17:42:10.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779544296",
        "uuid": "cb82eb72-8860-4ad4-a778-c3f7884e5df5",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779544296",
            "to_ids": true,
            "type": "md5",
            "uuid": "b7132477-9438-4eae-a01b-45340a5399b9",
            "value": "2724ac6399fb10c64f39999373894a9f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779544296",
            "to_ids": true,
            "type": "sha1",
            "uuid": "2e8faf90-6ac4-4aab-81be-d5b8a20aa73a",
            "value": "bbf1cae7aea5561e4ea2775c8f369c23f4f00f57",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779544296",
            "to_ids": true,
            "type": "sha256",
            "uuid": "e3368c63-1899-4e36-8f78-941d1dc20da3",
            "value": "4b08a9e221a20b8024cf778d113732b3e12d363250231e78bae13b1f1dc1495b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777212722",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "553f22c0-bcaf-49db-942e-c6d1ee652abf",
            "value": "1536:yjgynM0Vsv2IDlwSJr9jg6K8rVDVg0ZXATTX5:G0woxDVxZXATTp"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777212722",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "5c2631c0-7d6a-45ef-a7cb-eeb706f49d5e",
            "value": "140184"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777212722",
            "to_ids": true,
            "type": "vhash",
            "uuid": "ca2c6c4c-4f94-4408-ae7c-6b8409f450f5",
            "value": "5a7515ad5b02f92fca4020f53d7cc3a9"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777212722",
            "to_ids": true,
            "type": "filename",
            "uuid": "7c118d4c-00f9-4947-ab09-cae33a8f4eb8",
            "value": "4b08a9e221a20b8024cf778d113732b3e12d363250231e78bae13b1f1dc1495b.macho"
          },
          {
            "category": "Other",
            "comment": "Checked: 26/04/2026\nLast-scan\t:  26/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777212722",
            "to_ids": false,
            "type": "text",
            "uuid": "ff302e10-e747-491d-af9d-e859183c4e89",
            "value": "Type Description: Mach-O\nMicrosoft: Trojan:MacOS/Multiverze!rfn\nVT Total Detection:26/62\nFirst Submission:2026-04-22T06:51:59.000000+00:00\nLast Submission:2026-04-23T06:05:46.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779544299",
        "uuid": "2202a11c-38a1-43cb-956e-aa7c5ff3670b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779544299",
            "to_ids": true,
            "type": "md5",
            "uuid": "b8f5c113-ce94-463f-8598-cee0425450f3",
            "value": "af2aeb81a5680c936b6211d4065ee39f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779544299",
            "to_ids": true,
            "type": "sha1",
            "uuid": "b141c508-1908-4a38-a037-51521e6aff9b",
            "value": "8cd45ae9b53a2e9d3f24cfea654c6d6e9716d544",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779544299",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1593e69d-2453-407d-86a5-2b8cd2a147d7",
            "value": "85bed283ba95d40d99e79437e6a3161336c94ec0acbc0cd38599d0fc9b2e393c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777212744",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "7eabe3ee-7818-449c-b2b9-be129eb25a76",
            "value": "98304:/FKiB7AFqPxy7HaHB+UhZfjGpHlwEHyTVExsfqn:/9B7AFaWWxZfIFJEVE"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777212744",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "5e087fdc-fcfc-4f59-acfa-4cec83eece6d",
            "value": "6522672"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777212744",
            "to_ids": true,
            "type": "vhash",
            "uuid": "156e9cd9-e722-4e0b-b285-c260ee775256",
            "value": "6428dcfe0161801db73f50d972881cf6"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777212744",
            "to_ids": true,
            "type": "filename",
            "uuid": "e90e5ac4-d4a0-4a97-ab78-1fbdc81f6c05",
            "value": "85bed283ba95d40d99e79437e6a3161336c94ec0acbc0cd38599d0fc9b2e393c.macho"
          },
          {
            "category": "Other",
            "comment": "Checked: 26/04/2026\nLast-scan\t:  26/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777212744",
            "to_ids": false,
            "type": "text",
            "uuid": "f66da934-7edf-4739-8346-c0aa9515c8bf",
            "value": "Type Description: Mach-O\nMicrosoft: Trojan:MacOS/Multiverze!rfn\nVT Total Detection:20/62\nFirst Submission:2026-04-21T18:09:31.000000+00:00\nLast Submission:2026-04-23T06:26:08.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779544302",
        "uuid": "de5acd7c-0931-4064-a9f5-f04de73933ea",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779544302",
            "to_ids": true,
            "type": "md5",
            "uuid": "45af56a0-e7ed-4f17-9c8e-b9d3e9e33fef",
            "value": "0a930f6974b234136c7de1401857f69f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779544302",
            "to_ids": true,
            "type": "sha1",
            "uuid": "f53d9bc2-3818-48cd-ae90-0660c0bd3664",
            "value": "fb05b1eada241c663e70c5f43b98560f5d2c5e80",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779544302",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b2466108-8ae7-4d60-9445-93094e08f882",
            "value": "871d8f92b008a75607c9f1feb4922b9a02ac7bd2ed61b71ca752a5bed5448bf3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777212769",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a8ccb5e8-9d63-4728-915e-e4f578e8ebce",
            "value": "98304:hrZiSFS1M9BO+tPwV/fJ9JBG+1kK3UJOG9mVVQ3TOb:dZdMWzOQPwRfJl9EOVVQD6"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777212769",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "cd4bb55f-c56e-48d6-a0b1-7daa316e6e0c",
            "value": "5952368"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777212769",
            "to_ids": true,
            "type": "vhash",
            "uuid": "7a506d7b-9019-41aa-bc2f-e9fabb53f397",
            "value": "3ed7bdfd2e79dccfd6150488cf0b494a"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777212769",
            "to_ids": true,
            "type": "filename",
            "uuid": "d877003d-c02b-4b23-8cd3-c7ab1d0f29a2",
            "value": "871d8f92b008a75607c9f1feb4922b9a02ac7bd2ed61b71ca752a5bed5448bf3.macho"
          },
          {
            "category": "Other",
            "comment": "Checked: 26/04/2026\nLast-scan\t:  26/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777212769",
            "to_ids": false,
            "type": "text",
            "uuid": "6c6a7379-0c00-468f-9b90-517e9003733d",
            "value": "Type Description: Mach-O\nMicrosoft: Trojan:MacOS/Multiverze!rfn\nVT Total Detection:30/62\nFirst Submission:2026-04-07T14:19:39.000000+00:00\nLast Submission:2026-04-07T14:19:39.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779544305",
        "uuid": "2ac305e7-6717-418e-a8dc-81c6e968d359",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779544304",
            "to_ids": true,
            "type": "md5",
            "uuid": "c948229d-f538-484c-be96-aeea57fc8e5d",
            "value": "c62dffe79a634516543a32511ad3e0db",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779544305",
            "to_ids": true,
            "type": "sha1",
            "uuid": "3f3e1b04-7f22-42af-8b80-4b94e149edf6",
            "value": "8800a6660a53dc1fc8ff4af5c31312a1e81ac6cf",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779544305",
            "to_ids": true,
            "type": "sha256",
            "uuid": "74f661c2-6020-4af0-a10f-ee1a5475de31",
            "value": "89616a503ffee8fc70f13c82c4a5e4fa4efafa61410971f4327ed38328af2938",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777212791",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "03c1fd4f-5316-43f5-9ea5-7cc7fd990fd5",
            "value": "49152:/QQnGaMHCjk9JnhoF9ew3wuNEe8+qxoPskmI9uH3ZIYtCbea7e398:/QQnGaMHM5P3wxe8+c+O3gaaa3i"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777212791",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "24a03edb-488c-4699-a70c-8fda411e8bdf",
            "value": "3232031"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777212791",
            "to_ids": true,
            "type": "vhash",
            "uuid": "2968d069-5b4f-402a-879f-b75212a7b45b",
            "value": "f47ddf0ca7bd2d6f581ab9f4667d0187"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777212791",
            "to_ids": true,
            "type": "filename",
            "uuid": "fd614aa7-4e07-4819-b480-6aecfadcfe2e",
            "value": "89616a503ffee8fc70f13c82c4a5e4fa4efafa61410971f4327ed38328af2938.zip"
          },
          {
            "category": "Other",
            "comment": "Checked: 26/04/2026\nLast-scan\t:  26/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777212791",
            "to_ids": false,
            "type": "text",
            "uuid": "2e7c1d10-3e37-468e-9329-874d2dcb0b18",
            "value": "Type Description: ZIP\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:24/66\nFirst Submission:2026-04-22T08:45:57.000000+00:00\nLast Submission:2026-04-23T08:10:44.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779544308",
        "uuid": "e4e6d864-743e-45d6-af58-4e70b3608f4e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779544307",
            "to_ids": true,
            "type": "md5",
            "uuid": "ff29e5dd-1059-44f5-8294-114d285167db",
            "value": "53eff95b800422760c3e93606c966698",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779544308",
            "to_ids": true,
            "type": "sha1",
            "uuid": "32fb9f12-84bb-4e95-b1db-6b438565a176",
            "value": "f50634f96e167b1ada616e62f59c58b1ddbcc958",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779544308",
            "to_ids": true,
            "type": "sha256",
            "uuid": "72e73f07-11ff-4f35-9653-c39b95555450",
            "value": "a9562ab6bce06e92d4e428088eacc1e990e67ceae6f6940047360261b5599614",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777212812",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d68c98dd-870a-46c8-beea-3a522c179b4b",
            "value": "98304:1ND8vo2FNgyLOLfAB+GaUeQjoYuNnsoE1X/I:1Ngvo2FNgyOLfAUhRsBG"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777212812",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "e95636e9-cc4a-419d-945f-362ac78a1c6a",
            "value": "5170434"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777212812",
            "to_ids": true,
            "type": "vhash",
            "uuid": "b1a1fa3e-3ffb-496f-92ec-ed73b2f0fa93",
            "value": "5ec1315c81eda7419ee2cdd7ac6193aa"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777212812",
            "to_ids": true,
            "type": "filename",
            "uuid": "e6bddfb2-02cb-4832-8bc3-5b4a66e0ee67",
            "value": "a9562ab6bce06e92d4e428088eacc1e990e67ceae6f6940047360261b5599614.macho"
          },
          {
            "category": "Other",
            "comment": "Checked: 26/04/2026\nLast-scan\t:  26/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777212812",
            "to_ids": false,
            "type": "text",
            "uuid": "1cd6156e-96bc-4f44-908f-7a2932c2d8c5",
            "value": "Type Description: Mach-O\nMicrosoft: None\nVT Total Detection:21/62\nFirst Submission:2026-04-07T13:50:27.000000+00:00\nLast Submission:2026-04-21T18:07:10.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779544311",
        "uuid": "0ddbb160-acf7-4815-8401-06c332b6fd08",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779544310",
            "to_ids": true,
            "type": "md5",
            "uuid": "0bc4e635-3465-4e94-ba3f-0fea597dc931",
            "value": "c2e5c4adad409d2bc85d8a10ed424786",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779544311",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7c5fab34-6631-42f7-9a40-156dce7d2b32",
            "value": "0d55ba7883b0732bf99cc0aa8d9e85fb5c56513a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779544311",
            "to_ids": true,
            "type": "sha256",
            "uuid": "51a6c27e-0bdb-4e44-8c49-2181cc307a24",
            "value": "dfee6ea9cafc674b93a8460b9e6beea7f0eb0c28e28d1190309347fd1514dbb6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777212855",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "81922b16-4a8b-4063-a888-454619b51e96",
            "value": "49152:xzLptb3G987QsMvsI6i++7HQA2lHzqJLjjw44G5B44N:xzLptb3+sB+7Hj2pILjjwyBh"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777212855",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "3b1514f9-9be0-4dfb-8b4f-5493fb152499",
            "value": "1931674"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777212855",
            "to_ids": true,
            "type": "vhash",
            "uuid": "53ed9212-1ec7-47b7-802a-939d999d3857",
            "value": "f2353d165a979c25515cfe626cf7d5f1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777212855",
            "to_ids": true,
            "type": "filename",
            "uuid": "d896c240-bc1f-4ae0-b6d9-dd85972ca05f",
            "value": "dfee6ea9cafc674b93a8460b9e6beea7f0eb0c28e28d1190309347fd1514dbb6.zip"
          },
          {
            "category": "Other",
            "comment": "Checked: 26/04/2026\nLast-scan\t:  26/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777212855",
            "to_ids": false,
            "type": "text",
            "uuid": "9fd0d357-b30c-4317-969e-3a907fadb6e6",
            "value": "Type Description: ZIP\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:27/66\nFirst Submission:2026-04-21T18:15:16.000000+00:00\nLast Submission:2026-04-23T08:10:56.000000+00:00"
          }
        ]
      }
    ]
  }
}