{
  "Event": {
    "analysis": "1",
    "date": "2026-04-22",
    "extends_uuid": "",
    "info": "[Threat Intel] Malicious Artifacts Found in Official KICS Docker Repository and Code Extensions",
    "protected": false,
    "publish_timestamp": "1779545350",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1779545349",
    "uuid": "629677a6-b704-4eb6-b0fd-e5ace9470857",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#201172",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Software Dependencies and Development Tools - T1195.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Local Account - T1087.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#750f7c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Office Application Startup - T1137\"",
        "relationship_type": ""
      },
      {
        "colour": "#3909cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Automated Collection - T1119\"",
        "relationship_type": ""
      },
      {
        "colour": "#68f2ff",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ed4a7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Web Browsers - T1555.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#f95f85",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials In Files - T1552.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration to Code Repository - T1567.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7ffc24",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Additional Cloud Credentials - T1098.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#12d28f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Cloud Account - T1087.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Host Software Binary - T1554\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#83203e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Cloud Account - T1136.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#d596aa",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Software Supply Chain - T1195.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration to Cloud Storage - T1567.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d37d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\"",
        "relationship_type": ""
      },
      {
        "colour": "#02475d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#3c0f50",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#37c019",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Cloud Accounts - T1078.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#18005e",
        "local": false,
        "name": "rectifyq:topic=\"supply-chain\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b0068",
        "local": false,
        "name": "rectifyq:topic=\"cloud\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776942020",
        "to_ids": false,
        "type": "link",
        "uuid": "29e00fa5-2c09-41fa-a192-4194fec90c09",
        "value": "https://socket.dev/blog/checkmarx-supply-chain-compromise",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776942020",
        "to_ids": false,
        "type": "text",
        "uuid": "8ddc2bb8-07c9-4b64-8213-b84fdf520a59",
        "value": "Docker and Socket uncovered a supply chain compromise affecting Checkmarx KICS distribution channels. Attackers poisoned official Docker Hub images (tags v2.1.20, v2.1.21, alpine) and VS Code extensions (versions 1.17.0, 1.19.0), introducing unauthorized data exfiltration capabilities. The trojanized KICS binary collects and encrypts scan reports containing credentials from infrastructure-as-code files, transmitting them to external endpoints. Compromised VS Code extensions download mcpAddon.js via Bun runtime, harvesting GitHub tokens, AWS credentials, Azure tokens, npm configurations, and SSH keys. The malware creates public GitHub repositories for staging stolen data, injects malicious GitHub Actions workflows to capture repository secrets, and uses stolen npm credentials to identify writable packages for propagation. TeamPCP appears to claim responsibility for this multi-stage attack designed to steal developer credentials and propagate through CI/CD pipelines."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776942020",
        "to_ids": false,
        "type": "text",
        "uuid": "3b9ac490-8243-4a38-9ef0-040b203c5d61",
        "value": "Name: Malicious Artifacts Found in Official KICS Docker Repository and Code Extensions\nAuthor: AlienVault\nAdversary: TeamPCP\nTags: [\"docker hub poisoning\", \"github actions\", \"mcpaddon.js\", \"credential theft\", \"npm propagation\", \"ci/cd compromise\", \"canister worm\", \"checkmarx kics\", \"vs code extension\", \"supply chain compromise\"]\nTgtd countries: []\nMlwr families: [\"mcpAddon.js\", \"Canister Worm\"]\nAttack_ids: [\"T1195.001\", \"T1087.001\", \"T1137\", \"T1119\", \"T1005\", \"T1555.003\", \"T1552.001\", \"T1567.001\", \"T1098.001\", \"T1087.004\", \"T1554\", \"T1059.001\", \"T1136.003\", \"T1195.002\", \"T1567.002\", \"T1059.006\", \"T1059.003\", \"T1027.002\", \"T1078.004\"]\nIndustries: [\"Technology\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776942020",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "b1be91bc-38cd-4e8c-8ea7-b9f252c0b748",
        "value": "TeamPCP"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777321444",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "acabebfa-f886-468c-965a-6bd2a1d857ae",
        "value": "94.154.172.43",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:28/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545331",
        "to_ids": true,
        "type": "sha1",
        "uuid": "b8156ffa-05dc-47b3-929d-85773f283061",
        "value": "bbbca2ddaa5d8feaa63e36b76fdaad77386f024f",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:28/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545333",
        "to_ids": true,
        "type": "sha1",
        "uuid": "1896484c-8dac-417f-91f6-61a5cafb8e7f",
        "value": "de0fac2e4500dabe0009e67214ff5f5447ce83dd",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:28/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545335",
        "to_ids": true,
        "type": "sha256",
        "uuid": "4a691de9-c0a4-4872-a23d-11a7b17ef3fa",
        "value": "222e6bfed0f3bb1937bf5e719a2342871ccd683ff1c0cb967c8e31ea58beaf7b",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:28/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545337",
        "to_ids": true,
        "type": "sha256",
        "uuid": "0b84b98b-a6d1-4e26-8d07-4c41b359dd10",
        "value": "2588a44890263a8185bd5d9fadb6bc9220b60245dbcbc4da35e1b62a6f8c230d",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:28/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545338",
        "to_ids": true,
        "type": "sha256",
        "uuid": "b3126b41-30e3-47f7-8c31-01bdaa994f45",
        "value": "26e8e9c5e53c972997a278ca6e12708b8788b70575ca013fd30bfda34ab5f48f",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:28/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545340",
        "to_ids": true,
        "type": "sha256",
        "uuid": "81fea7e8-dae9-4eab-9570-b3238068e345",
        "value": "415610a42c5b51347709e315f5efb6fffa588b6ebc1b95b24abf28088347791b",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:28/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545342",
        "to_ids": true,
        "type": "sha256",
        "uuid": "c2f3ff10-7cfe-48ae-bebc-b080ab79ffbc",
        "value": "7391b531a07fccbbeaf59a488e1376cfe5b27aef757430a36d6d3a087c610322",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:28/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545344",
        "to_ids": true,
        "type": "sha256",
        "uuid": "59b0ddfc-3efb-4b9b-8aa8-3ecc3c5f36f4",
        "value": "a0d9366f6f0166dcbf92fcdc98e1a03d2e6210e8d7e8573f74d50849130651a0",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:28/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545346",
        "to_ids": true,
        "type": "sha256",
        "uuid": "32ec721c-d53a-4170-ae50-212afe187c1c",
        "value": "a6871deb0480e1205c1daff10cedf4e60ad951605fd1a4efaca0a9c54d56d1cb",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:28/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545348",
        "to_ids": true,
        "type": "sha256",
        "uuid": "93ce0f6a-dc60-4d95-9d8e-9481ee842d9f",
        "value": "d186161ae8e33cd7702dd2a6c0337deb14e2b178542d232129c0da64b1af06e4",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:28/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545349",
        "to_ids": true,
        "type": "sha256",
        "uuid": "3d138b64-757d-469c-aee1-dd4b63b6b280",
        "value": "ff7b0f114f87c67402dfc2459bb3d8954dd88e537b0e459482c04cffa26c1f07",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777321465",
        "to_ids": true,
        "type": "url",
        "uuid": "40acaac0-76d4-4bfe-9dcb-545a4657fc73",
        "value": "https://audit.checkmarx.cx/v1/telemetry",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777321486",
        "to_ids": true,
        "type": "hostname",
        "uuid": "18db8aea-bb8f-48d6-9f6f-8b1b7dc8a39f",
        "value": "audit.checkmarx.cx",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545327",
        "uuid": "562e70de-8ee9-46c7-a6c4-0b578e4004bb",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545326",
            "to_ids": true,
            "type": "md5",
            "uuid": "4de17b24-22e9-497f-8ffa-c256a579c7ef",
            "value": "d47de3772f2d61a043e7047431ef4cf4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545326",
            "to_ids": true,
            "type": "sha1",
            "uuid": "d42750d7-1e95-4ea7-bc53-b81465195967",
            "value": "2b12cc5cc91ec483048abcbd6d523cdc9ebae3f3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545327",
            "to_ids": true,
            "type": "sha256",
            "uuid": "fb1a63cd-1989-4476-aa84-b7eda360be0e",
            "value": "24680027afadea90c7c713821e214b15cb6c922e67ac01109fb1edb3ee4741d9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777312327",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "ff299884-e9f8-451a-b199-34bd15ce060a",
            "value": "24576:GBBTyImRWl1buS/FDT1+pdPZd+gLErKYBfmyy5sHF2/K2m4mYfv7fAMoYlD88eaG:G3yqldYWIhluNwpY8G+Eh/c8Wgr"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777312327",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "dbcc0580-a23f-44c3-bc5a-17447d58afaf",
            "value": "10173700"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777312327",
            "to_ids": true,
            "type": "vhash",
            "uuid": "61fa89de-711d-4dd0-a4da-0321b39c28e5",
            "value": "8396561c380ad99c2b54fea90065fb43"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777312327",
            "to_ids": true,
            "type": "filename",
            "uuid": "f1be658d-5e16-4bf9-94a3-63afaecc662a",
            "value": "mcpAddon.js"
          },
          {
            "category": "Other",
            "comment": "Checked: 28/04/2026\nLast-scan\t:  27/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777312327",
            "to_ids": false,
            "type": "text",
            "uuid": "1d11c502-49ad-4750-9338-309382481e16",
            "value": "Type Description: JavaScript\nMicrosoft: Trojan:JS/Obfuse!MSR\nVT Total Detection:22/61\nFirst Submission:2026-04-22T20:19:02.000000+00:00\nLast Submission:2026-04-27T09:13:17.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545329",
        "uuid": "28bcc4d4-97c5-4bef-ab8c-ad52915f0283",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545329",
            "to_ids": true,
            "type": "md5",
            "uuid": "c599d6d3-0e08-4de8-9fa6-64e6130d66e0",
            "value": "e1023db24a29ab0229d99764e2c8deba",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545329",
            "to_ids": true,
            "type": "sha1",
            "uuid": "614517d3-4640-46ad-ade7-c4223f036edd",
            "value": "250f3633529457477a9f8fd3db3472e94383606a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545329",
            "to_ids": true,
            "type": "sha256",
            "uuid": "276cd39e-aed4-40c8-96f7-2f20fd5c4c1f",
            "value": "2a6a35f06118ff7d61bfd36a5788557b695095e7c9a609b4a01956883f146f50",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777312349",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "91c463e7-2771-4b33-9e27-119492dfda53",
            "value": "786432:79E3x6X/lJqW4VhW1MgJg7mfCORoKHdNb8:xE8dJqW4Vg1i"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777312349",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "02b903da-8618-49be-ba01-4f697f91009d",
            "value": "95862946"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777312349",
            "to_ids": true,
            "type": "vhash",
            "uuid": "b11512ea-2260-4962-94dc-0173b277c986",
            "value": "77ac44bddf4050b946718bc38ad0cf3e"
          },
          {
            "category": "Payload delivery",
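            "comment": "Reviewer note: this filename is the same as the legitimate KICS binary name, so a filename-only match is prone to false positives; correlate with the md5/sha1/sha256 attributes of this object before alerting.",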
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777312349",
            "to_ids": true,
            "type": "filename",
            "uuid": "58b9623e-83ef-4722-860d-78f7da66425d",
            "value": "kics"
          },
          {
            "category": "Other",
            "comment": "Checked: 28/04/2026\nLast-scan\t:  28/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777312349",
            "to_ids": false,
            "type": "text",
            "uuid": "cd4b4245-c59b-4e2a-99f8-2222cf2e6189",
            "value": "Type Description: ELF\nMicrosoft: Trojan:Linux/Checkkics!MTB\nVT Total Detection:13/63\nFirst Submission:2026-04-22T14:14:13.000000+00:00\nLast Submission:2026-04-22T14:14:13.000000+00:00"
          }
        ]
      }
    ]
  }
}