{
  "Event": {
    "analysis": "1",
    "date": "2026-05-09",
    "extends_uuid": "",
    "info": "[Threat Intel] OPERATION SILENTCANVAS: JPEG BASED MULTISTAGE POWERSHELL INTRUSION",
    "protected": false,
    "publish_timestamp": "1779546933",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1779546932",
    "uuid": "7cfaa038-80a3-4812-9a1a-2df64b55ab01",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#f9b12b",
        "local": false,
        "name": "misp-galaxy:producer=\"Cyfirma\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#36a9d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Account Discovery - T1087\"",
        "relationship_type": ""
      },
      {
        "colour": "#8b05c0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Audio Capture - T1123\"",
        "relationship_type": ""
      },
      {
        "colour": "#d74cce",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Bypass User Account Control - T1548.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#9dc839",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Clipboard Data - T1115\"",
        "relationship_type": ""
      },
      {
        "colour": "#3bc6ad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Code Signing - T1553.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Command Obfuscation - T1027.010\"",
        "relationship_type": ""
      },
      {
        "colour": "#3f00e6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Compile After Delivery - T1027.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9bb6d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\"",
        "relationship_type": ""
      },
      {
        "colour": "#e43954",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#356c41",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#30cc3b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#44b2c2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Hidden Files and Directories - T1564.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#2e58ce",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Input Capture - T1056\"",
        "relationship_type": ""
      },
      {
        "colour": "#72ee33",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#ecc598",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Local Account - T1136.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#89c389",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"MSBuild - T1127.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Masquerade File Type - T1036.008\"",
        "relationship_type": ""
      },
      {
        "colour": "#7da4ad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#bf01b7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e00500",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Access Tools - T1219\"",
        "relationship_type": ""
      },
      {
        "colour": "#682cad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Services - T1021\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ee8d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Security Software Discovery - T1518.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#5539fe",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#c8f8ef",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Binary Proxy Execution - T1218\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Shutdown/Reboot - T1529\"",
        "relationship_type": ""
      },
      {
        "colour": "#44e07f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Token Impersonation/Theft - T1134.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#1cbe6b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Virtualization/Sandbox Evasion - T1497\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#f8140a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation - T1047\"",
        "relationship_type": ""
      },
      {
        "colour": "#5c57c8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Service - T1543.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#3500ca",
        "local": false,
        "name": "rectifyq:detection-rules=\"yara-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      },
      {
        "colour": "#220082",
        "local": false,
        "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778497216",
        "to_ids": false,
        "type": "link",
        "uuid": "61df492f-62c8-4c20-8aa3-7189ef7ebbad",
        "value": "https://www.cyfirma.com/research/operation-silentcanvas-jpeg-based-multistage-powershell-intrusion/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778497216",
        "to_ids": false,
        "type": "text",
        "uuid": "cf9dc706-299b-4d52-b8c7-8175cadb5f07",
        "value": "A sophisticated multi-stage intrusion campaign was identified leveraging a weaponized PowerShell payload disguised as a JPEG image file (sysupdate.jpeg) to deploy a trojanized ConnectWise ScreenConnect instance for covert remote access. The attack likely originates through social engineering techniques including phishing emails or malicious attachments. Upon execution, the malware establishes a staging environment, retrieves additional payloads from attacker-controlled infrastructure, and dynamically compiles a custom launcher using Microsoft's legitimate .NET compiler (csc.exe) to evade detection. The intrusion abuses ComputerDefaults.exe and a malicious ms-settings registry hijack to perform a fileless UAC bypass and obtain elevated privileges. Once elevated, the malware deploys a persistent service masquerading as OneDriveServers and launches a modified ScreenConnect framework capable of credential interception, remote command execution, surveillance operations, SYSTEM-level execution, encrypted command..."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778497216",
        "to_ids": false,
        "type": "text",
        "uuid": "7e17e1bc-4226-43b6-a6a1-63e382b413b3",
        "value": "Name: OPERATION SILENTCANVAS: JPEG BASED MULTISTAGE POWERSHELL INTRUSION\nAuthor: AlienVault\nAdversary: \nTags: [\"lolbin abuse\", \"powershell\", \"surveillance\", \"uac bypass\", \"amsi bypass\", \"credential theft\", \"fileless execution\", \"connectwise screenconnect\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: []\nIndustries: []"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778972187",
        "to_ids": true,
        "type": "hostname",
        "uuid": "8f136ab1-c102-4c25-8a95-66389e9f759f",
        "value": "legitserver.theworkpc.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:17/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546925",
        "to_ids": true,
        "type": "md5",
        "uuid": "f433a362-c392-422b-882e-66214f1978ff",
        "value": "7dd05336097e5a833f03a63d3221494f",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:17/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546927",
        "to_ids": true,
        "type": "sha256",
        "uuid": "ad79bc75-a147-4a04-86f6-976977e2dd50",
        "value": "a635f0c94c98b658ae799978994f0d0a292567cd97b8a19068a8423d1297652a",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:17/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546929",
        "to_ids": true,
        "type": "sha1",
        "uuid": "09e87f60-28bc-460b-bc07-e83f9ffeac86",
        "value": "21c1e7557b13a63c2c87ca29c701347553077268",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:17/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546930",
        "to_ids": true,
        "type": "sha1",
        "uuid": "ac655fa0-3b52-4f8c-b2ce-430837a34098",
        "value": "91451c9755494a1151763764d96a3178002b367d",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:17/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546932",
        "to_ids": true,
        "type": "sha1",
        "uuid": "fe4410fe-bd56-44da-bc09-8aec109d5931",
        "value": "af525cbdf7ba92921d05593bc35a81528ffa1083",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778972208",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "4e2b62a5-0908-4712-afc7-281775ee0ce3",
        "value": "45.138.16.64",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1778961742",
        "uuid": "7e3fd585-0cfe-4f01-b8e0-b019627f5e5f",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1778961742",
            "to_ids": false,
            "type": "text",
            "uuid": "3ccce003-685e-456c-82d3-423728ea13fb",
            "value": "APT_UDS_CompiledDropper"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1778961742",
            "to_ids": false,
            "type": "comment",
            "uuid": "e3c82d02-cf46-4f47-8e12-9c9b05d0b6d7",
            "value": "Detects the compiled uds.exe dropper via exact hash or IL string patterns"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1778961742",
            "to_ids": true,
            "type": "yara",
            "uuid": "ec659f0f-38c2-4d84-a38d-a84a78dae5d6",
            "value": "rule APT_UDS_CompiledDropper {\r\nmeta:\r\ndescription = \u201cDetects the compiled uds.exe dropper via exact hash or IL string patterns\u201d\r\nauthor = \u201cCYFIRMA Research\u201d\r\ndate = \u201c2026-04-25\u201d\r\nseverity = \u201cCritical\u201d\r\nhash_md5 = \u201c7DD05336097E5A833F03A63D3221494F\u201d\r\nhash_sha256 = \u201cA635F0C94C98B658AE799978994F0D0A292567CD97B8A19068A8423D1297652A\u201d\r\nstrings:\r\n$il_ps = \u201cpowershell.exe\u201d ascii wide\r\n$il_bypass = \u201c-ExecutionPolicy Bypass\u201d ascii wide\r\n$il_path = \u201cC:\\\\Systems\\\\\u201d ascii wide\r\n$il_file = \u201c.ps1\u201d ascii wide\r\n$meta_ver = \u201c0.0.0.0\u201d ascii\r\n$meta_name = \u201cuds\u201d ascii\r\ncondition:\r\nuint16(0) == 0x5A4D and 4 of them and filesize < 10KB\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1778961763",
        "uuid": "90ec1319-175a-418b-95c8-6c3c4d7a61d1",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1778961763",
            "to_ids": false,
            "type": "text",
            "uuid": "327ebe46-1580-4455-a90f-34d7cbc44858",
            "value": "APT_CSC_CompiledLauncher"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1778961763",
            "to_ids": false,
            "type": "comment",
            "uuid": "c2b82f8f-83b3-4185-845f-4ed1adc21a88",
            "value": "Detects csc.exe-compiled invisible PowerShell launcher (uds.exe pattern)"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1778961763",
            "to_ids": true,
            "type": "yara",
            "uuid": "53cd308d-0544-4bfe-a5c8-156e8c1c55b0",
            "value": "rule APT_CSC_CompiledLauncher {\r\nmeta:\r\ndescription = \u201cDetects csc.exe-compiled invisible PowerShell launcher (uds.exe pattern)\u201d\r\nauthor = \u201cCYFIRMA Research\u201d\r\ndate = \u201c2026-04-24\u201d\r\nseverity = \u201cHigh\u201d\r\nstrings:\r\n$s1 = \u201cpowershell.exe\u201d ascii wide\r\n$s2 = \u201c-ExecutionPolicy Bypass\u201d ascii wide\r\n$s3 = \u201cCreateNoWindow\u201d ascii wide\r\n$s4 = \u201cProcessStartInfo\u201d ascii wide\r\n$s5 = \u201cUseShellExecute\u201d ascii wide\r\ncondition:\r\nuint16(0) == 0x5A4D and 4 of them and filesize < 100KB\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1778961784",
        "uuid": "0f215364-1ef4-42a6-8130-2ba321dd084f",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1778961784",
            "to_ids": false,
            "type": "text",
            "uuid": "527a259a-28f3-4abf-9317-cb97cba07ffc",
            "value": "APT_ScreenConnect_Dropper"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1778961784",
            "to_ids": false,
            "type": "comment",
            "uuid": "e195a051-af21-41eb-9d7d-13c0f6ca99b4",
            "value": "Detects obfuscated PowerShell sysupdate.jpeg dropper"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1778961784",
            "to_ids": true,
            "type": "yara",
            "uuid": "a315c418-ce98-4944-b107-80a3e1ef9ec3",
            "value": "rule APT_ScreenConnect_Dropper {\r\nmeta:\r\ndescription = \u201cDetects obfuscated PowerShell sysupdate.jpeg dropper\u201d\r\nauthor = \u201cCYFIRMA Research\u201d\r\ndate = \u201c2026-04-24\u201d\r\nseverity = \u201cCritical\u201d\r\nstrings:\r\n$ps_var1 = \u201c$updateDir\u201d ascii wide\r\n$ps_var2 = \u201cGetRandomFileName().Replace\u201d ascii wide\r\n$obfuscation1 = \u201cI\u2019w\u2019r\u201d ascii wide\r\n$obfuscation2 = \u201cGkJsnxQROR\u201d ascii wide\r\n$path_mimic = \u201cC:\\\\Systems\u201d ascii wide\r\ncondition:\r\nall of them and filesize < 50KB\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546910",
        "uuid": "772bc3cc-093d-4674-946c-b338c5edd044",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546909",
            "to_ids": true,
            "type": "md5",
            "uuid": "c4296c3f-0449-4520-92c8-52b7ea2a5275",
            "value": "752a7188f2bab1926a63254e29f3108a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546910",
            "to_ids": true,
            "type": "sha1",
            "uuid": "2c18a3f6-9e02-4b3f-b291-d43b765de3a9",
            "value": "3cf97b5207e51a1ae8e640450279abef204f0466",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546910",
            "to_ids": true,
            "type": "sha256",
            "uuid": "c920c885-2c1d-4e3d-a792-ec5cec235438",
            "value": "7adffc1c0b3fdcba46e8d0a81203c955976d4ef39893c98d0b2dbfbb8d6a8ec3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778970009",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "8f948484-3fb2-41ae-b30f-05028de2da15",
            "value": "49152:xVN9Mu/qTBHt+CBJqbe9BkitnoDfqfTurHUezJ/T:xVI+uBHtFqbUkiNWfCTo0ed"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778970009",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "cdc6b8a0-3e8d-4244-98e4-f1d15d43b1b2",
            "value": "1801298"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778970009",
            "to_ids": true,
            "type": "vhash",
            "uuid": "427b8cfb-c21e-45fc-8c46-b916ba41b0ca",
            "value": "e20a737c53e80571a3ce5be4dc089804"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778970009",
            "to_ids": true,
            "type": "filename",
            "uuid": "ac608d64-4bd2-4d97-a1a8-990e50bbdd5f",
            "value": "OneDriveServer.zip"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/05/2026\nLast-scan: 16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778970009",
            "to_ids": false,
            "type": "text",
            "uuid": "be9bb612-b4cf-4b6e-94c8-e40ef99497af",
            "value": "Type Description: ZIP\nMicrosoft: None\nVT Total Detection:16/68\nFirst Submission:2026-03-21T01:49:52.000000+00:00\nLast Submission:2026-04-15T05:31:07.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546913",
        "uuid": "54d27014-ac1a-4ff0-9838-d558ef69ee98",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546912",
            "to_ids": true,
            "type": "md5",
            "uuid": "c1f9e68d-e237-4744-accc-078862735c4d",
            "value": "a40e6ca64bbeaf7e42100371defa2c51",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546913",
            "to_ids": true,
            "type": "sha1",
            "uuid": "4c5870be-cb4f-4c11-8bdc-e5786aa6f26f",
            "value": "98661a28d73703ec3728e8f9b25dfab043f4ca6f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546913",
            "to_ids": true,
            "type": "sha256",
            "uuid": "691c2101-1ef5-4192-bc07-655281d31d6f",
            "value": "ee3d776cdaf82335e4293e19ee313cc35eee49cde9963b96766a8f9c89d44a79",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778970031",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "3503a507-18a8-490e-8807-f9f4cc9f52f5",
            "value": "48:LWbqvD+XSTqFjtt9P7FFbAoCj6Vvf4wIf2IXmPxaaH5SbM:LWbqvD+X1jttxF6o7gf2X0aog"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778970031",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "c933532e-1a43-4b7b-8781-c32e96682730",
            "value": "2497"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778970031",
            "to_ids": true,
            "type": "vhash",
            "uuid": "16390548-f245-4139-9a1a-178946a2a510",
            "value": "d782e3fe9685d813fa9304dcbc0ecb95"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778970031",
            "to_ids": true,
            "type": "filename",
            "uuid": "df49ed15-b253-4fbf-a0ed-2f4e4c4b7985",
            "value": "sysupdate.jpeg"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/05/2026\nLast-scan: 16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778970031",
            "to_ids": false,
            "type": "text",
            "uuid": "4327bb0f-12e6-41cb-bbc0-38e5acd2871f",
            "value": "Type Description: Powershell\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:27/61\nFirst Submission:2026-04-14T15:58:54.000000+00:00\nLast Submission:2026-05-07T04:37:47.000000+00:00"
          }
        ]
      },
      {
        "comment": "Reviewer note: the filename ScreenConnect.Windows.dll together with 1/71 VT detections and no Microsoft verdict suggests a legitimate remote-access component rather than a purpose-built malicious artifact; its hash attributes are marked to_ids, so confirm they do not match benign ScreenConnect installs before exporting them to detection systems.",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546916",
        "uuid": "485d153e-83df-4f90-b6b9-082a2d11a828",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546915",
            "to_ids": true,
            "type": "md5",
            "uuid": "9713aaf4-3885-49eb-aec7-37ca177f3b47",
            "value": "cdc55f204dd2d7e2240d5b785250e68d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546915",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7dbc99da-2efa-41b4-a366-201aa1e9c6c7",
            "value": "19e1234a94f0445e8fdb9ae0f75554292db48c1c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546916",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a446fa69-cf7e-4a99-9216-bbadc7b9571c",
            "value": "cea1d85967d2c456fccecae3a70ff2adfe4c113aacf9d18c35906c2ed24ca9b4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778970074",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a6cd4322-05f7-409c-97ab-d3f1b517c144",
            "value": "24576:15psFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPTsUTp:bpsJkGYYpT0+TFiH7efPk"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778970074",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "c8226789-269a-4f33-abe7-d17ca91af712",
            "value": "1742392"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778970074",
            "to_ids": true,
            "type": "vhash",
            "uuid": "bc423c60-3d39-4652-b9a8-47f6e4ded169",
            "value": "316036651513806648b3083266a"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778970074",
            "to_ids": true,
            "type": "filename",
            "uuid": "f48a542c-750b-4c2f-931a-554dd4d7ec9f",
            "value": "ScreenConnect.Windows.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/05/2026\nLast-scan: 16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778970074",
            "to_ids": false,
            "type": "text",
            "uuid": "2e636c22-6fd1-4662-bafb-5a711366a25b",
            "value": "Type Description: Win32 DLL\nMicrosoft: None\nVT Total Detection:1/71\nFirst Submission:2025-12-19T08:10:20.000000+00:00\nLast Submission:2026-02-11T01:33:42.000000+00:00"
          }
        ]
      },
      {
        "comment": "Reviewer note: the filename screenconnect.clientservice.exe together with 6/71 VT detections and no Microsoft verdict suggests a legitimate remote-access component rather than a purpose-built malicious artifact; its hash attributes are marked to_ids, so confirm they do not match benign ScreenConnect installs before exporting them to detection systems.",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546918",
        "uuid": "c742002a-1c34-4688-967c-a264802f4712",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546917",
            "to_ids": true,
            "type": "md5",
            "uuid": "a1e3f612-b3e3-4724-8bb4-ede527d0c0d9",
            "value": "fcb58cddda40825616c70c93b312a79a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546918",
            "to_ids": true,
            "type": "sha1",
            "uuid": "3cb2bc7a-541f-45cf-a8d3-8e56ad14529f",
            "value": "94acd6b46cce2a0b84cc5efad3e661eeaa58a612",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546918",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f2c44e09-1662-4ccf-b2ea-573304b861da",
            "value": "ecd5ed16975d556d1d17bc980f248f8a5262bed11df9d9cf999efd9c273c11df",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778970096",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "b8a2fdef-235d-47d9-a485-1de44f8112ad",
            "value": "1536:gg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkgcrU0HMX7dFo:JhbNDxZGXfdHrX7rAc6myJkgcrU0He7o"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778970096",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "d9bd8d38-712e-471b-9312-7ae5b53fe907",
            "value": "95288"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778970096",
            "to_ids": true,
            "type": "vhash",
            "uuid": "ba6012f2-5ea9-413d-a2cd-f4e8856f836e",
            "value": "094056655d155560c8z469z67z4jz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778970096",
            "to_ids": true,
            "type": "filename",
            "uuid": "fa68f100-5f41-4a91-876e-f29e84c40db6",
            "value": "screenconnect.clientservice.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/05/2026\nLast-scan: 16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778970096",
            "to_ids": false,
            "type": "text",
            "uuid": "f8e7ddff-37bd-4add-8a4d-8ddf8bce30aa",
            "value": "Type Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:6/71\nFirst Submission:2025-12-19T08:10:20.000000+00:00\nLast Submission:2026-05-07T09:57:12.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546921",
        "uuid": "6fb483b8-3016-4e9a-83b5-b5fd7600dfd8",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546920",
            "to_ids": true,
            "type": "md5",
            "uuid": "988126d8-83fc-4103-9ab4-6752eda8fe5f",
            "value": "e753145ce08d7778e1e4a9e08eb8026c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546920",
            "to_ids": true,
            "type": "sha1",
            "uuid": "956b7462-254e-424b-a245-937b585dd339",
            "value": "1c8324a920e5532f98621bd06089c45be89ab903",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546921",
            "to_ids": true,
            "type": "sha256",
            "uuid": "644bd758-227a-49e2-92e4-877220d472e1",
            "value": "4d8ac85c5b98c69ba44146df61183e9bf613edd796aa516c3ae73611b7d77c06",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778970117",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "5c28d303-f2bf-4e98-9d40-3b98260e59f8",
            "value": "48:6SqUA4hGA4EcfGJCsRolcOsfN58eDAXulMiFOqXSfbNtm:GULYA41YfNOe1aiFuzNt"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778970117",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7ae68b1c-f2c9-43cf-bc39-9cc0330a630b",
            "value": "4096"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778970117",
            "to_ids": true,
            "type": "vhash",
            "uuid": "0b726b1c-94ff-4c6a-a7fa-45f99f7b730b",
            "value": "243036151512001140020"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778970117",
            "to_ids": true,
            "type": "filename",
            "uuid": "cc71c726-0874-4338-9365-277b89386a89",
            "value": "uds.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/05/2026\nLast-scan: 16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778970117",
            "to_ids": false,
            "type": "text",
            "uuid": "eff1c42b-8825-4aaf-a2be-42f435a1210c",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:42/71\nFirst Submission:2026-04-14T16:05:56.000000+00:00\nLast Submission:2026-04-14T16:05:56.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546923",
        "uuid": "e800b99b-45a3-4a52-87c9-e9277cdb5c2b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546922",
            "to_ids": true,
            "type": "md5",
            "uuid": "5752bec5-cf89-46a5-a3da-82bd2fa41cb4",
            "value": "0e54371193e52ca7250eb040eb099a9c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546923",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e639875d-101b-4c8c-82ef-616c4eca8d43",
            "value": "7478fb0111f4d5fa0925aace2c3df538f47abe65",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546923",
            "to_ids": true,
            "type": "sha256",
            "uuid": "51008d6e-e88f-4e24-b6f1-8a85354d3ed7",
            "value": "e4c9f3bb4a65c640795bfc1a56c0b56485b849ccd97027eed7ad9aa78a732a4f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778970160",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "2cb53e74-00d8-4f5e-b5f3-c3b51ef8f153",
            "value": "24576:dr0QdxKAg+/fz5psFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFn:d0/ApNpsJkGYYpT0+TFiH7efPjQ9Se"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778970160",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "30a588d2-c437-4d4b-97a7-370cfd8c9778",
            "value": "2510032"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778970160",
            "to_ids": true,
            "type": "vhash",
            "uuid": "74667360-bf47-4858-a4db-20d87c9e6880",
            "value": "026056655d15656az459z6tz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778970160",
            "to_ids": true,
            "type": "filename",
            "uuid": "ce4dc842-7d0b-4217-809f-f2ed1861d70b",
            "value": "07qbt.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/05/2026\nLast-scan: 16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778970160",
            "to_ids": false,
            "type": "text",
            "uuid": "0b30ec56-de32-4a16-81c8-041657d2605f",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:38/71\nFirst Submission:2026-01-08T15:29:06.000000+00:00\nLast Submission:2026-01-08T15:29:06.000000+00:00"
          }
        ]
      }
    ]
  }
}