{
  "Event": {
    "analysis": "1",
    "date": "2026-05-15",
    "extends_uuid": "",
    "info": "[Threat Intel] Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files",
    "protected": false,
    "publish_timestamp": "1779547461",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1779547460",
    "uuid": "6cc3f205-3931-4e73-a46d-b5a657ab4949",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#0afe32",
        "local": false,
        "name": "misp-galaxy:producer=\"Palo Alto\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#72ee33",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#ed66f6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal Web Session Cookie - T1539\"",
        "relationship_type": ""
      },
      {
        "colour": "#9dc839",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Clipboard Data - T1115\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#f5a258",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"",
        "relationship_type": ""
      },
      {
        "colour": "#68f2ff",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#bce57a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Web Service - T1567\"",
        "relationship_type": ""
      },
      {
        "colour": "#a320c3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Unsecured Credentials - T1552\"",
        "relationship_type": ""
      },
      {
        "colour": "#211c82",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Standard Cryptographic Protocol - T1032\"",
        "relationship_type": ""
      },
      {
        "colour": "#62e1b7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Browser Session Hijacking - T1185\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ed4a7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Web Browsers - T1555.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#327a31",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Binary Padding - T1027.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#08221e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal Application Access Token - T1528\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#288f3b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials in Files - T1081\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration to Cloud Storage - T1567.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#3c0f50",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Gremlin\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900407",
        "to_ids": false,
        "type": "link",
        "uuid": "3b4799da-aabe-4373-9a88-05f9b8bef6f7",
        "value": "https://unit42.paloaltonetworks.com/gremlin-stealer-evolution/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900407",
        "to_ids": false,
        "type": "text",
        "uuid": "a6577162-09c3-4a53-857b-b9e694eda8bf",
        "value": "This analysis examines new obfuscation techniques employed by Gremlin stealer malware to conceal malicious payloads within embedded resources. A variant protected by a sophisticated commercial packing utility uses instruction virtualization, transforming code into custom bytecode executed by a private virtual machine. The malware siphons sensitive information including payment card details, browser cookies, session tokens, cryptocurrency wallet data, and FTP/VPN credentials from compromised systems. It exfiltrates data to attacker-controlled servers at hxxp[:]194.87.92[.]109 for potential publication or sale. Recent iterations incorporate expanded Discord token extraction, active financial fraud through crypto clipper functionality that replaces cryptocurrency wallet addresses in real time, and WebSocket-based session hijacking to bypass modern cookie protections. The malware employs advanced anti-analysis techniques including XOR-encoded payloads in .NET resource sections, identifier renaming, string encryp..."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900407",
        "to_ids": false,
        "type": "text",
        "uuid": "b72c5f11-cbb3-47c1-ad4c-f2ed3d03ba6a",
        "value": "Name: Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files\nAuthor: AlienVault\nAdversary: \nTags: [\"quasar rat\", \"lokibot\", \"obfuscation techniques\", \"session hijacking\", \"discord token theft\", \"agent tesla\", \"credential harvesting\", \"telegram exfiltration\", \"infostealer\", \"guloader\", \"cryptocurrency clipper\", \"gremlin stealer\"]\nTgtd countries: []\nMlwr families: [\"Gremlin stealer\", \"Agent Tesla - S0331\", \"GuLoader - S0561\", \"Lokibot - S0447\", \"Quasar RAT\"]\nAttack_ids: [\"T1056.001\", \"T1539\", \"T1115\", \"T1082\", \"T1106\", \"T1005\", \"T1140\", \"T1567\", \"T1552\", \"T1032\", \"T1185\", \"T1555.003\", \"T1027.001\", \"T1528\", \"T1041\", \"T1027\", \"T1081\", \"T1567.002\", \"T1027.002\", \"T1071.001\"]\nIndustries: []"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779004733",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "888cb06d-5502-4a62-8857-4b1906cd4b1f",
        "value": "194.87.92.109",
        "Tag": [
          {
            "colour": "#81bddc",
            "local": false,
            "name": "QuotaExceededError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779004753",
        "to_ids": true,
        "type": "url",
        "uuid": "05f07785-d5e2-4b86-91a4-b6a94a2ac81e",
        "value": "http://194.87.92.109/i.php",
        "Tag": [
          {
            "colour": "#81bddc",
            "local": false,
            "name": "QuotaExceededError",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779547435",
        "uuid": "1ae79ae6-7b1a-4280-b593-7d82f8d6298c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779547434",
            "to_ids": true,
            "type": "md5",
            "uuid": "a3e522e0-37d6-4590-8e48-72946f059635",
            "value": "a8b11209654053bd898e3aacb63bb8b4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#81bddc",
                "local": false,
                "name": "QuotaExceededError",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779547434",
            "to_ids": true,
            "type": "sha1",
            "uuid": "90466842-dcac-4033-b272-299916acfc24",
            "value": "5009379fa6f260e87fc22b1c87cce0b39f89a2cc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779547435",
            "to_ids": true,
            "type": "sha256",
            "uuid": "55591d36-da8b-49cf-af09-669223661c5d",
            "value": "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778999798",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e35dae35-b571-4488-9efa-30f957564bef",
            "value": "6144:OYQdO8GAR3W/9k+ZUXe0Zz/7w2K4s7EsUjaMxWAbab:ws87WS+ZUHZz/AstjaMx"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778999798",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7b2df441-524f-44b1-88e8-7e69a2f81684",
            "value": "287232"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778999799",
            "to_ids": true,
            "type": "vhash",
            "uuid": "97a1ba02-7b8c-4ec3-8da4-22e6913c8fac",
            "value": "025026651\"z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778999799",
            "to_ids": true,
            "type": "filename",
            "uuid": "e22478de-e3db-4a3a-bb51-331de7ddbd8b",
            "value": "CefSharp.BrowsersSubprocess.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778999799",
            "to_ids": false,
            "type": "text",
            "uuid": "114c9e25-38d9-467e-9456-31d89e3670be",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Wacatac.B!ml\nVT Total Detection:41/71\nFirst Submission:2025-10-24T16:55:24.000000+00:00\nLast Submission:2025-10-24T16:55:24.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779547437",
        "uuid": "48165304-7f54-48e7-9d87-0d01e4509821",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779547436",
            "to_ids": true,
            "type": "md5",
            "uuid": "eec595e7-e5f6-4cea-accb-a062dd5ff486",
            "value": "11b07ef51fda4ff3c1063f579cb72542",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#81bddc",
                "local": false,
                "name": "QuotaExceededError",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779547437",
            "to_ids": true,
            "type": "sha1",
            "uuid": "9a9e5228-18e9-41e4-b29d-dd9a94a04e12",
            "value": "490ab9213ce0bf7689dd5f40e8217b1818f9f0c4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779547437",
            "to_ids": true,
            "type": "sha256",
            "uuid": "ba6536ef-634d-49f2-b719-eaba006f9949",
            "value": "2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778999820",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "b826ea8c-f941-47c7-ae0e-6501d56d5210",
            "value": "98304:0eXLcJRZr0t4wuCQVhg/ERbyM7+S0DvL1IN1NrL1pT:tgJRZXCQVdyMr0DLqTRh"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778999820",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "ced16502-b228-41d9-834e-1885bc054add",
            "value": "4553216"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778999820",
            "to_ids": true,
            "type": "vhash",
            "uuid": "b7c2cfff-420c-47b1-b243-c07e6937c6d6",
            "value": "046066756d151f077bz1!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778999820",
            "to_ids": true,
            "type": "filename",
            "uuid": "c7241f5d-8d1d-4931-a09d-aebb39176d4b",
            "value": "amneziavpn.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778999820",
            "to_ids": false,
            "type": "text",
            "uuid": "625aad54-0738-49b7-8ac4-1e481764f9cd",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Wacatac.B!ml\nVT Total Detection:48/71\nFirst Submission:2025-07-27T18:30:42.000000+00:00\nLast Submission:2025-07-27T18:30:42.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779547439",
        "uuid": "f2cc3206-44d4-4799-9e53-56eadbed3e7a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779547438",
            "to_ids": true,
            "type": "md5",
            "uuid": "8fb5b305-0fee-418f-bbae-7d409e6c8171",
            "value": "378cf21d5d2f72ae1aefe3c4418cb5ca",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#81bddc",
                "local": false,
                "name": "QuotaExceededError",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779547439",
            "to_ids": true,
            "type": "sha1",
            "uuid": "da0a9ebf-7b90-4f9d-862d-1bbb93213771",
            "value": "6b152b4e1e86bd5ccf4703158b21c9cde5b3fe36",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779547439",
            "to_ids": true,
            "type": "sha256",
            "uuid": "fad4d2a5-f0f5-4baf-8ae1-06f075b9f85f",
            "value": "281b970f281dbea3c0e8cfc68b2e9939b253e5d3de52265b454d8f0f578768a2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778999842",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "6f91178f-91e5-470b-96ba-de5ad460245a",
            "value": "6144:OYQdO8GAR3W/9k+ZUXA0Zz/7w2K4s7TsUjaMxWAbab:ws87WS+ZUxZz/ArtjaMx"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778999842",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "5be6d3e0-ca12-4fc7-8b2e-c5baa6c8d344",
            "value": "287232"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778999842",
            "to_ids": true,
            "type": "vhash",
            "uuid": "2da749b0-336a-4fe7-8744-901508a25a2d",
            "value": "025026651\"z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778999842",
            "to_ids": true,
            "type": "filename",
            "uuid": "94de7bd6-494e-44f3-ad2a-2ab1a9198a81",
            "value": "CefSharp.BrowsersSubprocess.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778999842",
            "to_ids": false,
            "type": "text",
            "uuid": "5a95ae19-bcb5-4069-9c7e-c6e77b36e462",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Wacatac.B!ml\nVT Total Detection:53/71\nFirst Submission:2025-07-11T14:48:13.000000+00:00\nLast Submission:2025-07-11T14:48:13.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779547442",
        "uuid": "56d9347c-0296-4489-a5d4-11b0e4e7604e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779547441",
            "to_ids": true,
            "type": "md5",
            "uuid": "54d97189-3707-48c5-9059-bdf71070d4bd",
            "value": "8c0807260135014e429f5f6faf7ba242",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#81bddc",
                "local": false,
                "name": "QuotaExceededError",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779547442",
            "to_ids": true,
            "type": "sha1",
            "uuid": "a3c94fe8-1fe2-49d9-80ad-b9a6edcca852",
            "value": "56d6d789f6215aeb84e2ccaf4a19473461d46f75",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779547442",
            "to_ids": true,
            "type": "sha256",
            "uuid": "e95c88da-6671-4439-bb5c-9fd8afff598b",
            "value": "691896c7be87e47f3e9ae914d76caaf026aaad0a1034e9f396c2354245215dc3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778999864",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "032312cd-ebaa-4725-ab47-93cf14674c5b",
            "value": "6144:OYQdO8GAR3W/9k+ZUXo0Zz/7w2K4s7MsUjaMxWAbab:ws87WS+ZUJZz/AEtjaMx"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778999864",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "d29f5d43-c9e1-4aaa-9d72-e12f442b70c2",
            "value": "287232"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778999864",
            "to_ids": true,
            "type": "vhash",
            "uuid": "5dc73f20-b885-47dc-b8fc-a34e943b388f",
            "value": "025026651\"z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778999864",
            "to_ids": true,
            "type": "filename",
            "uuid": "df54c053-9135-4bec-9f0b-2f5bf02a14e4",
            "value": "CefSharp.BrowsersSubprocess.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778999864",
            "to_ids": false,
            "type": "text",
            "uuid": "cefeabf2-97e6-48c2-990e-12d5ea6bdfcc",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Wacatac.B!ml\nVT Total Detection:45/71\nFirst Submission:2025-08-14T12:05:20.000000+00:00\nLast Submission:2025-08-14T12:05:20.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779547445",
        "uuid": "d197bef6-d694-4c13-a427-a0de3415f060",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779547444",
            "to_ids": true,
            "type": "md5",
            "uuid": "acb44827-cf26-4668-989c-bc1f9d2dd4b7",
            "value": "4bd2b8f4795c9817ac26f5e620b46aff",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#81bddc",
                "local": false,
                "name": "QuotaExceededError",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779547445",
            "to_ids": true,
            "type": "sha1",
            "uuid": "2adf4bb0-f975-44f9-8017-e83464419adc",
            "value": "b4d8c1ccb773b737b4fe80940e20991045aca63e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779547445",
            "to_ids": true,
            "type": "sha256",
            "uuid": "425ca110-86b2-438d-a8b4-17eeb6aa841a",
            "value": "971198ff86aeb42739ba9381923d0bc6f847a91553ec57ea6bae5becf80f8759",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778999886",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "b5819e54-5ab8-475d-a8b6-60285e61493e",
            "value": "6144:OYQdO8GAR3W/9k+ZUXK0Zz/7w2K4s7XsUjaMxWAbab:ws87WS+ZULZz/A/tjaMx"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778999886",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "2a29f96e-2d19-4303-ad68-443edcd8d85f",
            "value": "287232"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778999886",
            "to_ids": true,
            "type": "vhash",
            "uuid": "9fd31ed3-8678-44a1-994d-e7cad41ef53e",
            "value": "025026651\"z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778999886",
            "to_ids": true,
            "type": "filename",
            "uuid": "b8d2b69b-878a-41fc-ad76-8b033390ea67",
            "value": "CefSharp.BrowsersSubprocess.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/05/2026\nLast-scan\t:  17/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778999886",
            "to_ids": false,
            "type": "text",
            "uuid": "50a98d9e-485c-4bba-9cd0-966ed79a7c28",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:56/71\nFirst Submission:2025-08-20T21:00:07.000000+00:00\nLast Submission:2025-08-20T21:02:50.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779547448",
        "uuid": "6ffb6de1-c31b-4f91-aed2-fb87fcc108bf",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779547447",
            "to_ids": true,
            "type": "md5",
            "uuid": "43018638-d4ff-4a99-bddd-e382d1855640",
            "value": "f0740c1f9e075d6f920a489592e7a7fe",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#81bddc",
                "local": false,
                "name": "QuotaExceededError",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779547447",
            "to_ids": true,
            "type": "sha1",
            "uuid": "1e2ea6c3-6c36-46cb-805b-6426c93a31b8",
            "value": "20460b496c530918f705a9f8ce9f020e6ddcc4e0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779547448",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4f8cb361-7cc6-440e-b5cb-7b90b6cf735c",
            "value": "9aab30a3190301016c79f8a7f8edf45ec088ceecad39926cfcf3418145f3d614",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778999907",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "6250d783-8f22-4946-befa-7295b6618794",
            "value": "6144:OYQdO8GAR3W/9k+ZUXB0Zz/7w2K4s7WsUjaMxWAbab:ws87WS+ZUWZz/A+tjaMx"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778999907",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "92415767-9cab-4bd8-94da-a01b9622d27c",
            "value": "287232"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778999907",
            "to_ids": true,
            "type": "vhash",
            "uuid": "e4f9e5ef-40cc-4340-9ef7-b1d21e4d4cf5",
            "value": "025026651\"z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778999907",
            "to_ids": true,
            "type": "filename",
            "uuid": "62d2d649-bd79-4a45-ab2f-06f4260f0366",
            "value": "CefSharp.BrowsersSubprocess.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778999907",
            "to_ids": false,
            "type": "text",
            "uuid": "df5176cc-4ffa-4842-995e-5a46e13ef288",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:53/71\nFirst Submission:2025-07-19T18:47:53.000000+00:00\nLast Submission:2025-07-19T19:17:16.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779547450",
        "uuid": "3c35bc3c-3f71-4e39-bbb7-a24fc2e2cab8",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779547449",
            "to_ids": true,
            "type": "md5",
            "uuid": "4d23ae73-a2a4-4077-8be3-c3f72be460cc",
            "value": "cd765071a18484d24387d11ef7a4b61b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#81bddc",
                "local": false,
                "name": "QuotaExceededError",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779547450",
            "to_ids": true,
            "type": "sha1",
            "uuid": "5cd85b63-2e5d-4a24-858b-5df663840f39",
            "value": "8281e972aa8dc69a888a797739b5195b63b38a3d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779547450",
            "to_ids": true,
            "type": "sha256",
            "uuid": "64cc5899-e88f-4783-a205-0a581812c210",
            "value": "9fda1ddb1acf8dd3685ec31b0b07110855832e3bed28a0f3b81c57fe7fe3ac20",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778999929",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "4c79a123-7b66-46c7-b351-d47bc74e65fa",
            "value": "49152:aeDmXQForpgbRMEW1eb/3xuoX+V6RTHLyADHU:aWSQFo1gbRtW1g3xt8szLyAD"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778999929",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "38cd832d-8d1e-4ebe-9671-3d969f58d08a",
            "value": "1774592"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778999929",
            "to_ids": true,
            "type": "vhash",
            "uuid": "20ce9207-7110-4f96-a353-50f2994020d7",
            "value": "016026751\"z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778999929",
            "to_ids": true,
            "type": "filename",
            "uuid": "73fc4be3-c701-4982-97bd-48d4befb8f35",
            "value": "Linken Sphere 2.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778999929",
            "to_ids": false,
            "type": "text",
            "uuid": "71775285-099a-4887-b966-80efbc0cce92",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:MSIL/XWorm.SLGF!MTB\nVT Total Detection:55/71\nFirst Submission:2025-07-11T14:45:08.000000+00:00\nLast Submission:2025-07-11T14:45:08.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779547453",
        "uuid": "ea10b7d9-782e-4138-bb45-9c66c1374230",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779547452",
            "to_ids": true,
            "type": "md5",
            "uuid": "751b8b71-f147-4531-aa55-90d1416ff80f",
            "value": "fab452b48aceecffb16a288a3b3267a5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#81bddc",
                "local": false,
                "name": "QuotaExceededError",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779547452",
            "to_ids": true,
            "type": "sha1",
            "uuid": "70ddcdba-3ac6-4bf1-bdb8-efa8cecc17d9",
            "value": "088a0c11517c63e75455414178a2ae95e110304c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779547453",
            "to_ids": true,
            "type": "sha256",
            "uuid": "bd9879e3-5ba4-444e-9fb1-dda8915c258c",
            "value": "a9f529a5cbc1f3ee80f785b22e0c472953e6cb226952218aecc7ab07ca328abd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778999951",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e1c4d434-7796-416c-92bd-a3c260c9c606",
            "value": "6144:OYQdO8GAR3W/9k+ZUXi0Zz/7w2K4s7SsUjaMxWAbab:ws87WS+ZUzZz/AatjaMx"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778999951",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "91ffe67f-8522-4f7e-8a80-16db0777f206",
            "value": "287232"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778999951",
            "to_ids": true,
            "type": "vhash",
            "uuid": "e6a3335c-c71d-4daf-86a7-e559fd7f984c",
            "value": "025026651\"z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778999951",
            "to_ids": true,
            "type": "filename",
            "uuid": "ef2875a0-9555-417e-9cf9-f4f01a6ca93a",
            "value": "CefSharp.BrowsersSubprocess.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778999951",
            "to_ids": false,
            "type": "text",
            "uuid": "c804cd22-7124-468b-85b9-2d3ffa5f5f74",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Wacatac.B!ml\nVT Total Detection:53/71\nFirst Submission:2025-07-12T12:14:23.000000+00:00\nLast Submission:2025-07-12T12:14:23.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779547455",
        "uuid": "34dfc9ec-ea4c-4bda-9eb4-598b561de219",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779547454",
            "to_ids": true,
            "type": "md5",
            "uuid": "6894a790-1140-434f-8433-f34e36b3e37b",
            "value": "e372813c16b0cc0f6e449197bce74f4f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#81bddc",
                "local": false,
                "name": "QuotaExceededError",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779547455",
            "to_ids": true,
            "type": "sha1",
            "uuid": "8702d028-ddde-4af0-bbe3-c61a27100d4f",
            "value": "4b7cde173da1d8d8f45efe1d8bef8491dc941ebe",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779547455",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f8cc325c-82fa-4b83-ae95-e6e19eee9e2f",
            "value": "ab0fa760bd037a95c4dee431e649e0db860f7cdad6428895b9a399b6991bf3cd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778999973",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "ff6d52b8-9420-49f8-a76a-c079b2f278c6",
            "value": "6144:OYQdO8GAR3W/9k+ZUXe0Zz/7w2K4s7hsUjaMxWAbab:ws87WS+ZUHZz/AJtjaMx"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778999973",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "bac5d91a-42f5-4005-87d2-c97cec0f31d0",
            "value": "287232"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778999973",
            "to_ids": true,
            "type": "vhash",
            "uuid": "32405605-612c-4e2a-9d0d-13cd33b24a34",
            "value": "025026651\"z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778999973",
            "to_ids": true,
            "type": "filename",
            "uuid": "0f0d32ee-ecb7-45d3-b31e-ee9e7e084f66",
            "value": "CefSharp.BrowsersSubprocess.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778999973",
            "to_ids": false,
            "type": "text",
            "uuid": "bc1e3b71-4937-440e-8269-28cc60833f65",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Wacatac.B!ml\nVT Total Detection:53/71\nFirst Submission:2025-07-27T18:09:43.000000+00:00\nLast Submission:2025-07-27T18:17:38.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779547458",
        "uuid": "b8b26e0e-83bf-4a91-8a2c-9be5806e9866",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779547457",
            "to_ids": true,
            "type": "md5",
            "uuid": "6c711d0b-79ab-434d-820f-d9b3cbb84cac",
            "value": "3dbd6f4826765e00ac2012ee8a2f99ff",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#81bddc",
                "local": false,
                "name": "QuotaExceededError",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779547457",
            "to_ids": true,
            "type": "sha1",
            "uuid": "c56cae4f-c8f2-4b0e-976f-1dc84d12f181",
            "value": "4f4bbcb2f7e8d7e7cd367f178462bd7ef442b765",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779547458",
            "to_ids": true,
            "type": "sha256",
            "uuid": "d0d5df1f-7f36-4cd9-96d4-8c12e0285f40",
            "value": "d11938f14499de03d6a02b5e158782afd903460576e9227e0a15d960a2e9c02c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778999994",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "0b0283f4-7914-40ed-8dc5-5ed7e3ff0c7d",
            "value": "6144:OYQdO8GAR3W/9k+ZUXY0Zz/7w2K4s7FsUjaMxWAbab:ws87WS+ZUZZz/AttjaMx"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778999994",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "dcd61eca-8f63-4930-8fe7-dfe34a984880",
            "value": "287232"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778999994",
            "to_ids": true,
            "type": "vhash",
            "uuid": "43f14f3a-ef8d-4249-831d-e0ac24d1a904",
            "value": "025026651\"z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778999994",
            "to_ids": true,
            "type": "filename",
            "uuid": "6caa654c-dd47-4e31-994f-7363359ea524",
            "value": "CefSharp.BrowsersSubprocess.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778999994",
            "to_ids": false,
            "type": "text",
            "uuid": "aaa0d537-4a52-470f-a62d-b35aef9cc88e",
            "value": "Type Description: Win32 EXE\nMicrosoft: Program:Win32/Wacapew.C!ml\nVT Total Detection:53/71\nFirst Submission:2025-08-06T19:30:07.000000+00:00\nLast Submission:2025-08-06T19:30:07.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779547460",
        "uuid": "cd9592e8-ae18-4e48-affa-7b764dae586f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779547460",
            "to_ids": true,
            "type": "md5",
            "uuid": "14b32191-ba28-4226-82e3-43405d70bf94",
            "value": "36dec15d87647786d954c3d681ae27b9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#81bddc",
                "local": false,
                "name": "QuotaExceededError",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779547460",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7a7b7ca5-a837-461c-8566-0f6e7cce9f16",
            "value": "5724a9d251997adc83fd50d117fb4c106cb3dcc8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779547460",
            "to_ids": true,
            "type": "sha256",
            "uuid": "072f320f-2d2c-446f-9a8f-18ea37a1d34c",
            "value": "f76ba1a4650d8cafb6d3ff071688c5db6fd37e165050f03cece693826f51d346",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779000016",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "cadb621c-7656-4007-9502-ffba708c6d25",
            "value": "6144:OYQdO8GAR3W/9k+ZUXo0Zz/7w2K4s7usUjaMxWAbab:ws87WS+ZUJZz/AGtjaMx"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779000016",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "9c615749-74f2-4340-99f0-7e176bf2063b",
            "value": "287232"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779000016",
            "to_ids": true,
            "type": "vhash",
            "uuid": "3c1eaa71-c0ec-4fea-a161-0631d7ec9af4",
            "value": "025026651\"z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779000016",
            "to_ids": true,
            "type": "filename",
            "uuid": "df76a901-507b-4597-a744-155369429a4a",
            "value": "CefSharp.BrowsersSubprocess.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779000016",
            "to_ids": false,
            "type": "text",
            "uuid": "962c9cf7-67da-497f-95df-20f84922e480",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Wacatac.B!ml\nVT Total Detection:55/71\nFirst Submission:2025-10-21T05:56:10.000000+00:00\nLast Submission:2025-10-21T05:56:10.000000+00:00"
          }
        ]
      }
    ]
  }
}