{
  "Event": {
    "analysis": "1",
    "date": "2026-03-31",
    "extends_uuid": "",
    "info": "[Threat Intel] From Inbox to Intrusion: Multi\u2011Stage Remcos RAT and C2\u2011Delivered Payloads in Network",
    "protected": false,
    "publish_timestamp": "1775970096",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1775970096",
    "uuid": "73e7f86c-6352-476f-8e22-ac6d1af1779d",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Remcos\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775098820",
        "to_ids": false,
        "type": "link",
        "uuid": "e132da32-c54c-4ba5-ac7f-f0de9e79b053",
        "value": "https://www.pointwild.com/threat-intelligence/from-inbox-to-intrusion-multi-stage-remcos-rat-and-c2-delivered-payloads-in-network/",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775098820",
        "to_ids": false,
        "type": "text",
        "uuid": "467d4b57-e1ed-44c6-900b-bb6598c8fde5",
        "value": "This multi-stage fileless Remcos RAT attack leverages a phishing-delivered JavaScript dropper to trigger a reflective PowerShell loader that executes payloads entirely in memory. The infection chain utilizes obfuscation techniques like rotational XOR and Base64 encoding to reconstruct .NET payloads, significantly reducing the disk-based detection footprint. Stealth is maintained by using aspnet_compiler.exe as a LOLBin to proxy malicious execution and dynamically retrieving the final payload from a remote C2 server."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775098820",
        "to_ids": false,
        "type": "text",
        "uuid": "800c758c-8203-4169-bfb7-f3f166bc1f5f",
        "value": "Name: From Inbox to Intrusion: Multi\u2011Stage Remcos RAT and C2\u2011Delivered Payloads in Network\nAuthor: AlienVault\nAdversary: \nTags: [\"js dropper\", \"remote access trojan\", \"remcos\", \"phishing\", \"rat\"]\nTargeted countries: []\nMalware families: [\"Remcos\"]\nAttack_ids: []\nIndustries: []"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:12/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775964169",
        "to_ids": true,
        "type": "md5",
        "uuid": "43c41454-fd55-48a5-9ff4-4f42fc096325",
        "value": "508c092eaf1c1a178195aadfa1b7ecae",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775965828",
        "to_ids": true,
        "type": "url",
        "uuid": "b8530a74-a74d-406a-b169-f449d0c3952d",
        "value": "http://192-3-27-141.host.colocrossing.com:8087",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775965849",
        "to_ids": true,
        "type": "domain",
        "uuid": "c649c0dc-ee43-42d9-b814-61c2547c4566",
        "value": "almacensantangel.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775965870",
        "to_ids": true,
        "type": "hostname",
        "uuid": "5ba9039a-8794-45c2-bc10-2a5cfb68ebd3",
        "value": "192-3-27-141.host.colocrossing.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775965892",
        "to_ids": true,
        "type": "url",
        "uuid": "59de75b7-1aae-49f2-b8b0-f4f9d3e64117",
        "value": "https://almacensantangel.com/ENCRYPT.Ps1",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "On port 8087",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775961805",
        "to_ids": true,
        "type": "ip-dst|port",
        "uuid": "a1331fb6-a713-4fd5-8da2-8b45cdf53ba6",
        "value": "192.3.27.141|8087"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775965913",
        "uuid": "b991bb45-8881-4d50-bce9-a5e4ae4b2fb3",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775965913",
            "to_ids": true,
            "type": "md5",
            "uuid": "6fcbc569-d608-46ef-8cfb-e6aee80fbddd",
            "value": "0a9728de22d85c6a2b375924bfb643dc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775964161",
            "to_ids": true,
            "type": "sha1",
            "uuid": "37a380e9-f0c3-4b45-a27a-86b63730fe9a",
            "value": "e45a45d1344e9e3604cc6cb46eee30435ec4846e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775964162",
            "to_ids": true,
            "type": "sha256",
            "uuid": "e3c7c137-05af-4de0-9bd5-34c57c8a46ba",
            "value": "f2fea93809b9b15ec1ef6d3954c5d1055bafec9cce25a4710edae13aff0824bf",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775963557",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "5751ef1d-df96-44b3-ab06-f47ad44ff91f",
            "value": "12288:10VeviPzwxda+C/XE41vrS2UqitJydD+CuGfiobhq4:10VGizwxhXEB5itJ+D1fPr"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775963557",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "44b86064-ede2-4dd6-8708-886409239711",
            "value": "493578"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775963557",
            "to_ids": true,
            "type": "vhash",
            "uuid": "4b980b46-b089-4651-863d-4c929d91db3d",
            "value": "04503f7f7d7\"z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775963557",
            "to_ids": true,
            "type": "filename",
            "uuid": "7a9d3ea5-797d-4ac9-8609-7ad415ffedaa",
            "value": "f0buejloc.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/04/2026\nLast-scan\t:  11/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775963557",
            "to_ids": false,
            "type": "text",
            "uuid": "4ae2810c-4017-4986-aab9-3e109b30f48d",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:36/72\nFirst Submission:2026-03-20T06:50:19.000000+00:00\nLast Submission:2026-03-20T06:50:19.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775965934",
        "uuid": "8801ccb6-271e-4013-8c55-38a3639a36dc",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775965934",
            "to_ids": true,
            "type": "md5",
            "uuid": "b953b63c-f4ab-413d-bce5-8eac914ec607",
            "value": "75b7ed9f524cdb1c6f044864c4d3353c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775964163",
            "to_ids": true,
            "type": "sha1",
            "uuid": "4eb359f1-ed54-4d87-8c1c-91d14f14dc50",
            "value": "01ff53964c2b9591c4cc7bc11a9858d4d8ca7be2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775964163",
            "to_ids": true,
            "type": "sha256",
            "uuid": "d0808209-e5f9-47cf-bba9-229c654b01c9",
            "value": "c52829026f7cf9948234d6d350658272bbe8eaf6a86453aa1bda70047446245c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775963600",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "7ff9e7f8-dd5e-43d6-91f5-42e3757023d4",
            "value": "768:bWe+EhzPLMQuPb8ugTtL6TrqyxsRIRgEIC1Yly2HDJp0GdWR/1HPX82DPa03:DrLMJIjgriegEl10hf0GsRJXda03"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775963600",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "ea506d1c-6a00-4784-8b61-05dad06f8cd6",
            "value": "45078"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775963600",
            "to_ids": true,
            "type": "filename",
            "uuid": "0f51e6f2-16b8-49d7-8fd0-56440f372186",
            "value": "803adc709d3254eb95f77b11e7695d31_41_Eml.eml"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/04/2026\nLast-scan\t:  11/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775963600",
            "to_ids": false,
            "type": "text",
            "uuid": "dad3082f-34f8-4650-81f3-a05b298111a6",
            "value": "Type Description: Email\nMicrosoft: None\nVT Total Detection:21/62\nFirst Submission:2026-03-12T06:05:03.000000+00:00\nLast Submission:2026-04-10T09:18:55.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775965955",
        "uuid": "66038374-1762-48e7-84cd-d85b98371e94",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775965955",
            "to_ids": true,
            "type": "md5",
            "uuid": "efed6a6f-8902-4018-ade9-98f70d9132fd",
            "value": "957b2710fef66141707064c76f1dd1a9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775964164",
            "to_ids": true,
            "type": "sha1",
            "uuid": "f44bec96-7bf8-4f8f-8acb-40eec880d915",
            "value": "4ae85c0930294a623e81f82c066943ab4de64c41",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775964164",
            "to_ids": true,
            "type": "sha256",
            "uuid": "7f4a4236-5abf-4bac-8396-0fceaa648307",
            "value": "dfaea00290e25c08d2c2eb0152c2150e132c7df45cffb595290ad141b685de97",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775963621",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "6b64aee2-c2bc-4e90-aef1-7eac5ffd8062",
            "value": "1536:u3vnIg4tj4FsrBX7fwB4Brl0vs3aeJkqOjc:uEusFLe6aeJVOA"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775963621",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "2d6fd7aa-db6d-4803-b47c-0cfc1b234ffa",
            "value": "65024"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775963621",
            "to_ids": true,
            "type": "vhash",
            "uuid": "9e72aaa4-a304-4b21-8960-235ba8510adb",
            "value": "36403665151360961860030"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775963621",
            "to_ids": true,
            "type": "filename",
            "uuid": "6fe9e434-1a2f-4372-8633-a23a05e19524",
            "value": "ALTERNATE.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/04/2026\nLast-scan\t:  11/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775963621",
            "to_ids": false,
            "type": "text",
            "uuid": "2991ea41-be4e-450d-a37b-08ff4911a7c8",
            "value": "Type Description: Win32 DLL\nMicrosoft: Trojan:MSIL/Heracles.GXH!MTB\nVT Total Detection:45/72\nFirst Submission:2026-03-17T06:10:01.000000+00:00\nLast Submission:2026-03-17T06:10:01.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775965976",
        "uuid": "197d3186-0c53-4643-8f6f-05815086858a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775965976",
            "to_ids": true,
            "type": "md5",
            "uuid": "c9e9ca7e-474f-4f17-bbdb-dc39dec043e5",
            "value": "a5c70d896526146238a15a93dfdb2f97",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775964165",
            "to_ids": true,
            "type": "sha1",
            "uuid": "a53b49f7-901b-402a-9297-490bf2283d55",
            "value": "b3f9ffa6ed4fb98069c9d77dc73a1839bc5c2b6b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775964165",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b9810934-dbe3-41b5-a0d3-ee09feb82973",
            "value": "ee25bbfc7de3f5b04d555c0f754645286ccb27be8a1e618c9ef9d239d22b083e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775963643",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "fb81b57d-3875-460a-915a-03f60132c81d",
            "value": "384:P8H3/ngpuvwpYy00aoJav6T5thFOmF2HxckCOFwNcr8CWEhY:a3Dvw+UT32CG2"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775963643",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "0c74de3b-515c-4fc1-b4e5-7920ada52a05",
            "value": "21925"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775963643",
            "to_ids": true,
            "type": "vhash",
            "uuid": "5efebce0-2066-4ede-ae66-66dfe894fb7e",
            "value": "f453eb5ba89a3d856833c25f955cdf99"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775963643",
            "to_ids": true,
            "type": "filename",
            "uuid": "6417b3de-9f3c-4979-97e3-f59f5c98ff62",
            "value": "MV MERKET COOPER SPECIFICATION.js"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/04/2026\nLast-scan\t:  11/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775963643",
            "to_ids": false,
            "type": "text",
            "uuid": "0d2eb069-0e80-4669-9242-e57528b2efec",
            "value": "Type Description: JavaScript\nMicrosoft: Trojan:JS/Nemucod.SJ!MTB\nVT Total Detection:32/63\nFirst Submission:2026-02-18T19:57:48.000000+00:00\nLast Submission:2026-02-19T09:46:52.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775965997",
        "uuid": "77103151-d4a4-45ce-89fa-79c8aa2d363d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775965997",
            "to_ids": true,
            "type": "md5",
            "uuid": "35e56d15-6c53-4d1b-aaf3-5b1ac01c1438",
            "value": "a739d0c4821d2bc1b8a226a5d8846c28",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775964166",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e5417b52-b131-4bfa-aad4-6e9aaf7f812d",
            "value": "13e256b213bb3b63d65676cd9beb3affd66df663",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775964166",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1b50c2e8-4242-4b5e-8ee4-f22b785d7c03",
            "value": "fe661c52f0792e06aa1517fd123feedba5eeacfe2307a3afdb8c0b487d488a8f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775963665",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "291286a5-c25a-406f-8bcc-9e3dbd081fc3",
            "value": "192:uz05L2mkmXt/cbLsW2XCJoNO+IgLFrjMN3EKJK7ADBA/Xa:dRujcfXEN+I8FXMxEkKUDYXa"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775963665",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a1efc20c-ec00-4c19-bbfa-4ebc64c71fdf",
            "value": "9233"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775963665",
            "to_ids": true,
            "type": "vhash",
            "uuid": "cf5b21b8-0283-455d-b08e-7d95085c9cf4",
            "value": "8ec091829c385b93a33b57d9153c0939"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775963665",
            "to_ids": true,
            "type": "filename",
            "uuid": "f75252b1-7b22-46f5-bfbc-232abc687734",
            "value": "MV MERKET COOPER SPECIFICATION.zip"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/04/2026\nLast-scan\t:  11/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775963665",
            "to_ids": false,
            "type": "text",
            "uuid": "0ba40257-ccbf-4725-af2a-57888fd8ce74",
            "value": "Type Description: ZIP\nMicrosoft: None\nVT Total Detection:33/66\nFirst Submission:2026-02-18T14:47:39.000000+00:00\nLast Submission:2026-02-18T15:20:05.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775966018",
        "uuid": "1cd74098-14b0-46cf-86c6-57306ff3df5c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775966018",
            "to_ids": true,
            "type": "md5",
            "uuid": "b6075207-7ba3-4a43-b3fc-cc9174d44467",
            "value": "d79dbfab8af7a6f19b6abf934a90c1b7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775964168",
            "to_ids": true,
            "type": "sha1",
            "uuid": "6667b0b0-5487-4c7f-9b2d-07a19274d61c",
            "value": "fdf33152b10ff557683e06c1ae345b03a10e69b2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775964168",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f8b28b0e-6e11-4ce2-af4a-cb714b21e77e",
            "value": "cd6d5a4199dfe10b29c141f75afdc962f3c3c97d9764b577060451269a4030d9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775963686",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a5389f97-5667-418c-823d-f7f8860969d4",
            "value": "24576:YkqSML2XC2WufwnV0QmAKH0Pg4FtatxYInNPOHOEj:qTi4CugzdZW"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775963686",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a1966679-7873-4cbc-bf16-66622fee8fa4",
            "value": "2419375"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775963686",
            "to_ids": true,
            "type": "filename",
            "uuid": "14689133-d381-4adc-bbee-367618aa7d6d",
            "value": "ENCRYPT.Ps1"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/04/2026\nLast-scan\t:  11/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775963686",
            "to_ids": false,
            "type": "text",
            "uuid": "798a52ee-d780-4a04-9403-ad576f255cab",
            "value": "Type Description: Powershell\nMicrosoft: TrojanDropper:PowerShell/Obfuse.SA!MSR\nVT Total Detection:31/63\nFirst Submission:2026-03-16T12:26:23.000000+00:00\nLast Submission:2026-03-16T12:26:23.000000+00:00"
          }
        ]
      }
    ]
  }
}