{
  "Event": {
    "analysis": "1",
    "date": "2026-05-05",
    "extends_uuid": "",
    "info": "[Threat Intel] CloudZ RAT potentially steals OTP messages using Pheno plugin",
    "protected": false,
    "publish_timestamp": "1779546493",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1779546492",
    "uuid": "552c3029-2b75-4490-beb5-ef279efdd44e",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#7c6ad9",
        "local": false,
        "name": "misp-galaxy:producer=\"Cisco Talos Intelligence Group\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#705cef",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ee8d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"",
        "relationship_type": ""
      },
      {
        "colour": "#e7d48a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\"",
        "relationship_type": ""
      },
      {
        "colour": "#2c1d2e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Checks - T1497.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#68f2ff",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#75ec20",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#f4b62b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Time Based Checks - T1497.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ed4a7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Web Browsers - T1555.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#356c41",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"",
        "relationship_type": ""
      },
      {
        "colour": "#dc4ad5",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Regsvcs/Regasm - T1218.009\"",
        "relationship_type": ""
      },
      {
        "colour": "#02475d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778036416",
        "to_ids": false,
        "type": "link",
        "uuid": "2c27f829-5f1c-4601-90c6-5d857e325dd8",
        "value": "https://blog.talosintelligence.com/cloudz-pheno-infostealer/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778036416",
        "to_ids": false,
        "type": "text",
        "uuid": "c56ff007-ce7d-487e-9ecd-a3df2ba0d218",
        "value": "Cisco Talos uncovered an intrusion active since January 2026 in which attackers deployed the CloudZ remote access tool and an undocumented plugin called Pheno to steal credentials and one-time passwords. The attack abuses, rather than exploits a flaw in, the Microsoft Phone Link application: because Phone Link mirrors the user's SMS messages (including OTPs) onto the Windows host, that data can be read locally without compromising the phone itself. CloudZ evades detection through in-memory execution and anti-analysis checks. The infection chain begins with a fake ScreenConnect update executable, leading to a Rust-compiled dropper that deploys a .NET loader, ultimately establishing the modular CloudZ RAT. The Pheno plugin monitors Phone Link processes and intercepts the SQLite database files containing the synchronized phone data. CloudZ employs ConfuserEx obfuscation and multiple configuration layers, and supports various commands including browser data exfiltration, shell execution, and plugin management, while maintaining persistence through scheduled tasks."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778036416",
        "to_ids": false,
        "type": "text",
        "uuid": "57de5637-64b6-44d5-b133-90816b4d7f5f",
        "value": "Name: CloudZ RAT potentially steals OTP messages using Pheno plugin\nAuthor: AlienVault\nAdversary: \nTags: [\"cloudz\", \"pheno\"]\nTgtd countries: []\nMlwr families: [\"CloudZ\", \"Pheno\"]\nAttack_ids: [\"T1053.005\", \"T1113\", \"T1033\", \"T1497.001\", \"T1082\", \"T1005\", \"T1140\", \"T1036\", \"T1055\", \"T1497.003\", \"T1555.003\", \"T1083\", \"T1041\", \"T1059.001\", \"T1027\", \"T1573\", \"T1218.009\", \"T1059.003\", \"T1071.001\", \"T1105\"]\nIndustries: []"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778627538",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "1ba15298-7f31-4de7-a296-b0a84bdf027a",
        "value": "185.196.10.136",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778627559",
        "to_ids": true,
        "type": "url",
        "uuid": "a68ad316-52d1-4cd6-a544-13f489fc9268",
        "value": "https://calm-wildflower-1349.hellohiall.workers.dev/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778627580",
        "to_ids": true,
        "type": "url",
        "uuid": "eb329024-8b0d-4461-9de9-45f7b1051926",
        "value": "https://orange-cell-1353.hellohiall.workers.dev/pheno.exe",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778627601",
        "to_ids": true,
        "type": "url",
        "uuid": "7d7443db-5301-4206-ba8f-7d2207de1041",
        "value": "https://round-cherry-4418.hellohiall.workers.dev/?t=1769729309",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778627623",
        "to_ids": true,
        "type": "url",
        "uuid": "5c5c58e8-10ec-4576-b0b1-f22d036259e1",
        "value": "https://pastebin.com/raw/8pYAgF0Z?t=1771833517",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778627644",
        "to_ids": true,
        "type": "url",
        "uuid": "c5b7b114-93bd-48c7-a75f-e02f50be19c9",
        "value": "https://pastebin.com/EBrpRiFi",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778627665",
        "to_ids": true,
        "type": "url",
        "uuid": "39cce98b-1053-44d8-b32f-81cd06be65e7",
        "value": "https://pastebin.com/ikjGHALD",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778627686",
        "to_ids": true,
        "type": "url",
        "uuid": "590a296c-8d57-48a2-bfc7-23b27f328b6c",
        "value": "https://pastebin.com/3jKbe7rN",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778627707",
        "to_ids": true,
        "type": "url",
        "uuid": "0205962c-5bcb-49a7-82a5-c76218f0e1e8",
        "value": "https://pastebin.com/NUrZTmDn",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778627728",
        "to_ids": true,
        "type": "url",
        "uuid": "3b232d1d-78e1-499a-b0a8-a68bb425d7bb",
        "value": "https://pastebin.com/RKJcXMAm",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778627749",
        "to_ids": true,
        "type": "url",
        "uuid": "310f05db-2a7b-43d7-b3f3-d3b997287120",
        "value": "https://pastebin.com/yUkbaBH3",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778627771",
        "to_ids": true,
        "type": "hostname",
        "uuid": "18dec870-cc5d-4eec-95c5-d4a8bde10131",
        "value": "calm-wildflower-1349.hellohiall.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778627793",
        "to_ids": true,
        "type": "hostname",
        "uuid": "c59689aa-0fef-424e-8387-52772f17a7fe",
        "value": "orange-cell-1353.hellohiall.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778627814",
        "to_ids": true,
        "type": "hostname",
        "uuid": "b1887581-ef8b-4d92-8fce-0a0ac7c9642b",
        "value": "round-cherry-4418.hellohiall.workers.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546482",
        "uuid": "f0d8c23f-727a-49fd-8074-b3a846ff7deb",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546480",
            "to_ids": true,
            "type": "md5",
            "uuid": "99786841-1fa9-40d5-8c47-57f7ebb35309",
            "value": "a39299719bb4151c373a0e9b92b2bd05",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546481",
            "to_ids": true,
            "type": "sha1",
            "uuid": "b01434da-4d18-41f9-9845-890cab06fb7c",
            "value": "e3ef02456a4df8236da5ee2082a5df36e746b463",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546482",
            "to_ids": true,
            "type": "sha256",
            "uuid": "556330bb-a3f8-49f7-9eee-318250bb374e",
            "value": "5b7284bcf30569ae400e416a62391720cc9081e6047f15816f9d1a04a06eb321",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778622949",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "eae0d380-2986-4f22-aaa6-2a6a628bc0bb",
            "value": "12288:2+hxVsqmTMFRWmRMV8tRy1mbkBlC68ypn8cyEbxY:2csqmT4s8cyE2"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778622949",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "c583a24b-d16c-49d7-8a05-ae90dfbb1039",
            "value": "491272"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778622949",
            "to_ids": true,
            "type": "vhash",
            "uuid": "0e3005de-97a1-445e-9d92-dfb2b9963e30",
            "value": "24503655651380293f111091"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778622949",
            "to_ids": true,
            "type": "filename",
            "uuid": "07502f2f-14d4-45e2-b976-52837e319a9d",
            "value": "Updater_OAiA.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-05-13\nLast-scan: 2026-05-12",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778622949",
            "to_ids": false,
            "type": "text",
            "uuid": "8ce578f1-7532-4dc7-9b72-81c3ce0ec5c3",
            "value": "Type Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:31/71\nFirst Submission:2026-02-02T05:08:58.000000+00:00\nLast Submission:2026-05-11T18:09:07.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546485",
        "uuid": "f0eb6924-b746-4425-bcce-6d3e2c8a876c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546484",
            "to_ids": true,
            "type": "md5",
            "uuid": "fe3600c0-9496-4e6b-a424-6717187a9bff",
            "value": "719fead8f2408fa00998f245a0bb11c3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546484",
            "to_ids": true,
            "type": "sha1",
            "uuid": "075f162e-99ef-45fa-af95-210d544914d2",
            "value": "be543469fff6ad13a1dcccca4dcb7b987120bedf",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546485",
            "to_ids": true,
            "type": "sha256",
            "uuid": "7242401d-71a7-4676-a299-52cca0ebefca",
            "value": "24398b75be2645e6c695e529e62e60deb418143a4bbea13c561d3c361419eb54",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778622971",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "6536b2b9-3c65-4d07-a5fe-3fca4afd3310",
            "value": "3072:xHvL9Y1wDuZCZcdz2lVx2Fi6ABChDUblBbQLMaS4Z2Ooyu999nbDPWh5zIcneSXM:I1vk12IBkwbD0AaSo+bz"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778622971",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "0ec93d36-93d4-4870-81be-2d572da3e6ec",
            "value": "1486848"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778622971",
            "to_ids": true,
            "type": "vhash",
            "uuid": "29aba89e-e61d-4a16-8df4-10f1cfeec200",
            "value": "316036151512f0152da0091"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778622971",
            "to_ids": true,
            "type": "filename",
            "uuid": "5d309f3e-6862-4393-8b82-e5baaea9b15a",
            "value": "msupdate.txt"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-05-13\nLast-scan: 2026-05-11",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778622971",
            "to_ids": false,
            "type": "text",
            "uuid": "ad739e50-7f95-4f6e-9fe8-f0fa8f0e7e7b",
            "value": "Type Description: Win32 DLL\nMicrosoft: Trojan:MSIL/CloudZRAT.DC!MTB\nVT Total Detection:38/71\nFirst Submission:2026-01-21T03:45:05.000000+00:00\nLast Submission:2026-01-21T03:45:05.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546487",
        "uuid": "68de8817-e383-493b-ae4a-8ab0223f34d4",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546487",
            "to_ids": true,
            "type": "md5",
            "uuid": "2ce843dc-23db-47aa-8fdd-c4777c49975a",
            "value": "02545a4560e0cd6662d1061973244f18",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546487",
            "to_ids": true,
            "type": "sha1",
            "uuid": "2583f957-666d-4083-ae31-c033d3c0fd5a",
            "value": "706d490a7e0d745c60906ff80ada9447d57234fa",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546487",
            "to_ids": true,
            "type": "sha256",
            "uuid": "8057e004-6b68-4841-b127-d71a29c3c729",
            "value": "33af554562176eff34598a839051b8e91692b0305edfdbb4d8eb9df0103ffd98",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778622993",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "2ff85091-57fa-4e51-9c74-e6deb399616f",
            "value": "192:JwuTTLnaGiC1wf2vITfVW2D/RIW1jnhLnvFyfU9QJu:JDtAxW6/XnhLvYfcG"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778622993",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f3f14e5e-6b04-49b3-ba80-05a60c930635",
            "value": "9216"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778622993",
            "to_ids": true,
            "type": "vhash",
            "uuid": "633bfe34-ef68-45b6-b49d-d346af10a38d",
            "value": "293036551519001a1z20"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778622993",
            "to_ids": true,
            "type": "filename",
            "uuid": "f61abefc-c30e-4027-ab2e-5574172c78d8",
            "value": "pheno.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 13/05/2026\nLast-scan\t:  12/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778622993",
            "to_ids": false,
            "type": "text",
            "uuid": "93bffccf-bbaf-49f7-9215-4208e6cd57ba",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:38/71\nFirst Submission:2026-02-13T17:54:39.000000+00:00\nLast Submission:2026-05-11T18:50:24.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546490",
        "uuid": "83995c27-71d1-4258-8390-f001dbb0cb79",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546489",
            "to_ids": true,
            "type": "md5",
            "uuid": "b1eee41d-64da-4ffa-817d-41f7f72ddc3e",
            "value": "cdc678b4ad968121fbaaf8e04511cef3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546490",
            "to_ids": true,
            "type": "sha1",
            "uuid": "5d1f64d1-3270-4889-a3dd-0e3334cc4353",
            "value": "2f22b98ef31e5f31d9e3c8f27a5f1f22be89612d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546490",
            "to_ids": true,
            "type": "sha256",
            "uuid": "55e299a0-cf64-4334-960a-bc589df16cc8",
            "value": "65fcd965040fabeb6f092df0a4b6856125018bb3b6a1876342da458139f77dac",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778623015",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "0138b01c-c83b-4ffd-9b93-f4b314512fa2",
            "value": "6144:PYO6WpeetMkbCknxKh7Dp3Jr6THlPT7eWayynBnZt1FdHPjbpuOoXh:gUeeSDpxgFT74Tva"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778623015",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "766dbbe7-9f9b-4116-bc72-549ae5e86c84",
            "value": "2453504"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778623015",
            "to_ids": true,
            "type": "vhash",
            "uuid": "539219f1-fa66-4f2e-aa05-b0e1fb1401bd",
            "value": "026056651d15551az463z5@z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778623015",
            "to_ids": true,
            "type": "filename",
            "uuid": "1f25ceda-365b-40aa-a0ee-fc3afc963227",
            "value": "7lufl1.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 13/05/2026\nLast-scan\t:  12/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778623015",
            "to_ids": false,
            "type": "text",
            "uuid": "98feb754-ebe2-4696-a078-2d5484e8257a",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:MSIL/CloudZRAT.DA!MTB\nVT Total Detection:45/71\nFirst Submission:2026-02-03T22:37:32.000000+00:00\nLast Submission:2026-02-03T22:37:32.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546492",
        "uuid": "104f7fd5-9115-4a84-872d-339162184634",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546492",
            "to_ids": true,
            "type": "md5",
            "uuid": "62e1e003-21d8-45a6-907f-3aaac4fa0bd0",
            "value": "d6e5f9733d4c0313125d1700dc0e3746",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546492",
            "to_ids": true,
            "type": "sha1",
            "uuid": "97dc6d6a-6fea-4f2b-81f5-5789e3e91cf8",
            "value": "626f47a22a7edc79eb4e3f936189958e0ce7a91d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546492",
            "to_ids": true,
            "type": "sha256",
            "uuid": "93eba381-4daf-4a9e-aa82-2e8fa129b7a8",
            "value": "ed5de036edbbda52ab0049d2163607038d38a49404a46b6bcfc4bac26b743832",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778623036",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "74227cd4-93ff-4df2-a830-6fbe288f6918",
            "value": "3072:KjhKmKm57jZFXB45Ej4Zu5HevSTCbBnZt1oudH9RjbXRb:KT7eWayynBnZt1FdHPjb"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778623036",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "3fec22f8-e3f0-4d97-a5a0-348dbc758196",
            "value": "2210304"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778623036",
            "to_ids": true,
            "type": "vhash",
            "uuid": "3c59f2c1-8029-40a7-a314-f9b873c88b24",
            "value": "32603615151a001a40021"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778623036",
            "to_ids": true,
            "type": "filename",
            "uuid": "0dd6b67b-1ee5-4738-b780-26f60156eaa1",
            "value": "update.txt"
          },
          {
            "category": "Other",
            "comment": "Checked: 13/05/2026\nLast-scan\t:  12/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778623036",
            "to_ids": false,
            "type": "text",
            "uuid": "fb38f1a9-a102-41f7-b94f-f17aa39399fb",
            "value": "Type Description: Win32 DLL\nMicrosoft: Trojan:MSIL/CloudZRAT.DA!MTB\nVT Total Detection:39/71\nFirst Submission:2026-02-03T22:55:02.000000+00:00\nLast Submission:2026-02-03T22:55:02.000000+00:00"
          }
        ]
      }
    ]
  }
}