{
  "Event": {
    "analysis": "1",
    "date": "2026-04-04",
    "extends_uuid": "",
    "info": "[Threat Intel] TwizAdmin -- Multi-Stage Crypto Clipper, Infostealer & Ransomware Operation",
    "protected": false,
    "publish_timestamp": "1779544396",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1779544395",
    "uuid": "69ccf22e-8e9f-447e-8265-46b69c84a6ec",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120046",
        "local": false,
        "name": "rectifyq:sub-category=\"infra-profile\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"Ransomware\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#9dc839",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Clipboard Data - T1115\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9bb6d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\"",
        "relationship_type": ""
      },
      {
        "colour": "#36d931",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\"",
        "relationship_type": ""
      },
      {
        "colour": "#68f2ff",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#30cc3b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Financial Theft - T1657\"",
        "relationship_type": ""
      },
      {
        "colour": "#44b2c2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Hidden Files and Directories - T1564.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7da4ad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#3b2e13",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Plist Modification - T1547.011\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d37d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#705cef",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ee8d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"",
        "relationship_type": ""
      },
      {
        "colour": "#3c0f50",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#c202a1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#08221e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal Application Access Token - T1528\"",
        "relationship_type": ""
      },
      {
        "colour": "#7628f7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Unix Shell - T1059.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#98f3da",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Visual Basic - T1059.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776913218",
        "to_ids": false,
        "type": "link",
        "uuid": "91eb756e-4b3f-487f-abac-d43454e22256",
        "value": "https://intel.breakglass.tech/post/twizadmin-103-241-66",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776913218",
        "to_ids": false,
        "type": "text",
        "uuid": "a20d8e07-84df-4a48-8f10-5b728be82cde",
        "value": "A sophisticated multi-stage malware operation was identified through an exposed C2 panel at 103.241.66[.]238:1337. The operation combines cryptocurrency clipboard hijacking across eight chains, BIP-39 seed phrase theft, browser credential exfiltration, a ransomware module (crpx0), and a Java RAT builder managed via a FastAPI-based panel with a license key system. It targets Windows and macOS using FedEx- and OnlyFans-themed social engineering lures, and its complete source code was exposed in open directories. The ransomware component communicates with three Russian .ru domains resolving to 31.31.198[.]206 at REG.RU hosting and operates under the identity DataBreachPlus, with Telegram, qTox, and ProtonMail contacts. Ten cryptocurrency wallet addresses spanning Bitcoin, Ethereum, Tron, Dogecoin, Litecoin, Solana, Ripple, and Bitcoin Cash were extracted from configurations, indicating a Malware-as-a-Service operation with tiered licensing."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776913218",
        "to_ids": false,
        "type": "text",
        "uuid": "ad093020-5755-4638-ac22-937b5d057d3b",
        "value": "Name: TwizAdmin -- Multi-Stage Crypto Clipper, Infostealer & Ransomware Operation\nAuthor: AlienVault\nAdversary: DataBreachPlus\nTags: [\"crypto clipper\", \"twizadmin\", \"multi-platform\", \"russian-speaking\", \"infostealer\", \"crpx0\", \"maas\", \"ransomware\", \"cryptocurrency theft\"]\nTgtd countries: []\nMlwr families: [\"TwizAdmin\", \"crpx0\"]\nAttack_ids: []\nIndustries: []"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776913218",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "8862c03d-e7a1-4f57-9b39-2a41c45ee37c",
        "value": "DataBreachPlus"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777313886",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "d7aa08a1-be43-47f5-b100-1def224e2f0f",
        "value": "31.31.198.206",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777313907",
        "to_ids": true,
        "type": "domain",
        "uuid": "1100392a-4db8-4988-8686-0725d469e625",
        "value": "fanonlyatn.xyz",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777313928",
        "to_ids": true,
        "type": "url",
        "uuid": "46407df9-348d-4b3e-8dd7-86bdef8a9c76",
        "value": "https://fanonlyatn.xyz/files/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777313949",
        "to_ids": true,
        "type": "url",
        "uuid": "56e54b86-8cfe-4204-ae23-667ba36bf682",
        "value": "https://fanonlyatn.xyz",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:27/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779544388",
        "to_ids": true,
        "type": "sha256",
        "uuid": "53a9c372-e965-432d-afc8-cd352cca38d0",
        "value": "3fcd267e811d9b83cafa3d8d6932fa1c56f4fd8dcf46f9ec346e0689439532d4",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:27/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779544390",
        "to_ids": true,
        "type": "sha256",
        "uuid": "21ae6d41-65b8-4b76-892a-705adda0a01c",
        "value": "584796212f99efc7ac765d6048913fe34e46a64b13a8a78fb3a465b8c61f3527",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:27/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779544392",
        "to_ids": true,
        "type": "sha256",
        "uuid": "13043d50-78cf-43fa-aa26-82d8262e279a",
        "value": "74ab520e94b2f3b8915ec7b47abab7a2d7e9759add5aa195af7edf0ffa5b4150",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:27/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779544393",
        "to_ids": true,
        "type": "sha256",
        "uuid": "b3383e3a-077b-4944-93b1-b26843ceb2f4",
        "value": "9d9783f57fd543043e0792d125831883259c823a5eaa69211e5254db4db4eaec",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:27/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779544395",
        "to_ids": true,
        "type": "sha256",
        "uuid": "63e7db90-d701-45cb-8a67-566370c9dd9b",
        "value": "aa11f154b17a4f81f951dbeaab78b58ea012f5b6ea16e4f894bd90971e01bae4",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777313970",
        "to_ids": true,
        "type": "url",
        "uuid": "475c25b7-7501-4648-a616-6e5d7a26794c",
        "value": "http://fanonlyatn.xyz/files/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777313992",
        "to_ids": true,
        "type": "url",
        "uuid": "d2601542-ab37-4429-abd5-2a285727145c",
        "value": "https://beboss34.ru/crpx0/notify.php",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777314013",
        "to_ids": true,
        "type": "url",
        "uuid": "d74ecd53-a019-4493-a20d-81eb7fbbc2a4",
        "value": "https://caribb.ru/crpx0/notify.php",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777314035",
        "to_ids": true,
        "type": "url",
        "uuid": "18e73d35-ff8b-4d71-9d21-9a74609fe145",
        "value": "https://fanonlyatn.xyz/api.php",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777314056",
        "to_ids": true,
        "type": "url",
        "uuid": "1394b24e-dfd5-420c-9c02-34d375647d51",
        "value": "https://fanonlyatn.xyz/api_address_match.php",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777314077",
        "to_ids": true,
        "type": "url",
        "uuid": "56cf0410-e88c-4813-ae54-3d9c424166e2",
        "value": "https://fanonlyatn.xyz/api_dropper_log.php",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777314099",
        "to_ids": true,
        "type": "url",
        "uuid": "e16064cc-5c42-46c9-920c-901a0ff29980",
        "value": "https://fanonlyatn.xyz/builds/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777314120",
        "to_ids": true,
        "type": "url",
        "uuid": "23badb2d-3e3d-424a-bc8b-18dcbd1dbd55",
        "value": "https://mekhovaya-shuba.ru/crpx0/notify.php",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777314141",
        "to_ids": true,
        "type": "domain",
        "uuid": "ecad5031-0d1a-4613-ab40-6705f5760075",
        "value": "beboss34.ru",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777314162",
        "to_ids": true,
        "type": "domain",
        "uuid": "d88db2aa-45a0-4ac1-a7bc-34bd4848a4e8",
        "value": "caribb.ru",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777314183",
        "to_ids": true,
        "type": "domain",
        "uuid": "1c5cc84c-49c4-4f43-8286-187495ca913b",
        "value": "mekhovaya-shuba.ru",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777314205",
        "to_ids": true,
        "type": "hostname",
        "uuid": "f7ba25f8-1d52-4c7e-9749-07bd27981f73",
        "value": "secure-shard-091.of-cdn.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777314226",
        "to_ids": true,
        "type": "hostname",
        "uuid": "c5e2b718-8454-44fd-9396-c0a9273bcab3",
        "value": "www.fanonlyatn.xyz",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "On port 1337",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777293203",
        "to_ids": true,
        "type": "ip-dst|port",
        "uuid": "171f83df-cd7e-4cf3-a6e8-dd485e381bc1",
        "value": "103.241.66.238|1337"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777314247",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "d66ae77d-386c-4915-bfb6-3972c920e160",
        "value": "172.67.147.155",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777314269",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "ed835856-e5ab-4d36-9bb6-0d1cde2816bd",
        "value": "104.21.28.214",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777314290",
        "to_ids": true,
        "type": "url",
        "uuid": "2ecab617-1642-46f9-a8a6-875fbc80fb9b",
        "value": "https://t.me/DataBreachPlus",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777293203",
        "to_ids": true,
        "type": "email-src",
        "uuid": "dd7585cd-c59a-4aa2-a830-1c0bf8be32ee",
        "value": "databreachplus@proton.me"
      },
      {
        "category": "Financial fraud",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777293236",
        "to_ids": true,
        "type": "btc",
        "uuid": "a8de52fe-2d9f-4fe5-b85a-f2f6bd4ad0dc",
        "value": "1KC2kXDeyBH9yocYSQy6DQ1ou5hRRRBtpZ"
      },
      {
        "category": "Financial fraud",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777293236",
        "to_ids": true,
        "type": "btc",
        "uuid": "2e37aef4-d32a-42f8-8ba5-106bcba36528",
        "value": "3887CPBvo96AZAm5Gn339isJTXVjdaFogR"
      },
      {
        "category": "Financial fraud",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777293236",
        "to_ids": true,
        "type": "btc",
        "uuid": "a47d31f0-c08a-46e8-bbf2-d4a5a453e7c4",
        "value": "bc1qhwxpvjpdlyz7ekmjq6y67t2m2m2e5jq62ykfl4"
      },
      {
        "category": "Financial fraud",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777293236",
        "to_ids": true,
        "type": "btc",
        "uuid": "42b738b1-8b03-4572-9a2c-1e0c15da5499",
        "value": "bc1qs24qevh60nv3r5aqt8ssh7wettczjagz24vest"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779544384",
        "uuid": "204dac28-757c-4f4f-adc7-038d4bd4de45",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779544383",
            "to_ids": true,
            "type": "md5",
            "uuid": "ffe64ab1-3c70-49a8-8c0a-838c8b08db52",
            "value": "18142071dc460a67385758da0bc7a1cf",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779544383",
            "to_ids": true,
            "type": "sha1",
            "uuid": "fe501d52-e63e-4d22-afb8-baae6d5bc824",
            "value": "23128eb91117dd6d5292d79f386e1de143ee2ae0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779544384",
            "to_ids": true,
            "type": "sha256",
            "uuid": "fe4f5d51-27dc-4c4d-84f1-e4ea69584791",
            "value": "06299676b43749b8477c4bc977c09512957fc9b66fd5030c1874069632ce6092",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777304044",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "7a8b2afb-a91e-499a-9691-886d8a7e19de",
            "value": "768:7HUmxPmIdG9HStXhs97DKjB/woLq+lvaK9TmIo:70mxPmIdYVi9BB59/o"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777304044",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "96670a1f-0f6f-4226-b2d4-a10ca18ee610",
            "value": "26261"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777304044",
            "to_ids": true,
            "type": "vhash",
            "uuid": "3022f12b-98c4-49c2-90e5-4ee74ed20b7f",
            "value": "fb0b5defcba8493a6d6fb992e1920e75"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777304044",
            "to_ids": true,
            "type": "filename",
            "uuid": "52f23771-7db7-43fb-80e8-cb3aa5d84521",
            "value": "last.zip"
          },
          {
            "category": "Other",
            "comment": "Checked: 27/04/2026\nLast-scan\t:  22/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777304044",
            "to_ids": false,
            "type": "text",
            "uuid": "ef2bbd7a-2286-4787-8c37-171cac05df0e",
            "value": "Type Description: ZIP\nMicrosoft: None\nVT Total Detection:3/67\nFirst Submission:2026-04-22T14:40:19.000000+00:00\nLast Submission:2026-04-22T14:40:19.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779544386",
        "uuid": "884c8fb7-0ee8-4648-a4f7-7785766821f6",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779544385",
            "to_ids": true,
            "type": "md5",
            "uuid": "13aa9017-0814-43d0-8c5d-261bda9800b1",
            "value": "3bf9a862fb87039e1c796513fafbac7d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779544386",
            "to_ids": true,
            "type": "sha1",
            "uuid": "60b28902-bb53-4ef9-b7bd-6f8f412c50d2",
            "value": "be6946aae1890e92903a9068e4835697b69e43c0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779544386",
            "to_ids": true,
            "type": "sha256",
            "uuid": "561caab0-fded-44b5-b4f2-12e763869fbb",
            "value": "f7ddba605e3d04e06d2f7b0fc4a38027ae58ca65a69d800dd2f43c8e94ca8396",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777304172",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "cdad960b-b4d5-476b-9e81-1f31f39235c7",
            "value": "768:7ikE9x9yTmD4ISsjooyDFUOCynu3CSukcU7VI6RbJmEZQnmz18AriMFBafXpa9dL:7iYTHIPjKTdq7VTh4uadAbbafG2M"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777304172",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "668a2f92-1cbd-4995-a05e-6d3cff17bf3b",
            "value": "115345"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777304172",
            "to_ids": true,
            "type": "filename",
            "uuid": "bd7a3361-46d7-42e1-8666-c2e174f9d787",
            "value": "v1.1.py"
          },
          {
            "category": "Other",
            "comment": "Checked: 27/04/2026\nLast-scan\t:  29/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777304172",
            "to_ids": false,
            "type": "text",
            "uuid": "d06cebc8-e0ee-4117-90c5-de6ade60fe4b",
            "value": "Type Description: Python\nMicrosoft: None\nVT Total Detection:1/62\nFirst Submission:2026-03-29T12:03:44.000000+00:00\nLast Submission:2026-03-29T12:03:44.000000+00:00"
          }
        ]
      }
    ]
  }
}