{
  "Event": {
    "analysis": "1",
    "date": "2026-05-04",
    "extends_uuid": "",
    "info": "[Threat Intel] Lorem Ipsum Malware: Trojanized MS Teams Installers",
    "protected": false,
    "publish_timestamp": "1779546394",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1779546393",
    "uuid": "7f88d213-40af-4515-80ca-76c2c7e04ded",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d38fc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Acquire Infrastructure - T1583\"",
        "relationship_type": ""
      },
      {
        "colour": "#9edfba",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malware - T1587.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e76389",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Hide Artifacts - T1564\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#e8825f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Supply Chain Compromise - T1195\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Upload Tool - T1608.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#454726",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Infrastructure - T1584\"",
        "relationship_type": ""
      },
      {
        "colour": "#9e0269",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Service - T1102\"",
        "relationship_type": ""
      },
      {
        "colour": "#c9dbdd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Stage Capabilities - T1608\"",
        "relationship_type": ""
      },
      {
        "colour": "#4a5d84",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Services - T1583.006\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#6fe7f4",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Tool - T1588.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#e43954",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#add7fd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Services - T1584.006\"",
        "relationship_type": ""
      },
      {
        "colour": "#3f00e6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Compile After Delivery - T1027.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#50bcaa",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Discovery - T1518\"",
        "relationship_type": ""
      },
      {
        "colour": "#8d021b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Dead Drop Resolver - T1102.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Trusted Developer Utilities Proxy Execution - T1127\"",
        "relationship_type": ""
      },
      {
        "colour": "#b8ab01",
        "local": false,
        "name": "misp-galaxy:target-information=\"United States\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Firmware - T1592.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      },
      {
        "colour": "#220082",
        "local": false,
        "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777978811",
        "to_ids": false,
        "type": "link",
        "uuid": "508a35ce-8e23-46f4-86ab-97c9e208f5ae",
        "value": "https://www.bluevoyant.com/blog/lorem-ipsum-trojanized-microsoft-teams-installers-multi-stage-loader-backdoor",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777978811",
        "to_ids": false,
        "type": "text",
        "uuid": "6fabe31e-b648-43d9-8e8d-0c2164b36da0",
        "value": "An emerging threat group is conducting a global SEO-poisoning campaign distributing trojanized Microsoft Teams installers that deploy a multi-stage shellcode loader and backdoor designated Lorem Ipsum. Active since February 2026, the campaign targets users searching for Microsoft Teams across six countries, with confirmed targeting of a US healthcare organization. The operators evolved rapidly from minimally obfuscated test builds to sophisticated loaders featuring substitution cipher decoding, XOR-encrypted shellcode, DLL sideloading, and JFIF-disguised C2 traffic. The malware distinctively abuses letsdiskuss[.]com, a legitimate India-based platform, as a dead-drop resolver for C2 infrastructure. Attackers use validly signed MSI installers with three-day Microsoft ID Verified certificates, NameCheap-registered infrastructure weaponized within hours, and per-victim UUID-tracked callbacks. Development velocity suggests possible LLM-assisted tooling, indicating a well-funded mid-tier criminal actor operating..."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777978811",
        "to_ids": false,
        "type": "text",
        "uuid": "83464f75-f5e7-4a5a-a46f-182712f39f84",
        "value": "Name: Lorem Ipsum Malware: Trojanized MS Teams Installers\nAuthor: AlienVault\nAdversary: \nTags: [\"microsoft teams\", \"multi-stage loader\", \"seo poisoning\", \"code-signing abuse\", \"trojanized installers\"]\nTgtd countries: [\"United States of America\"]\nMlwr families: [\"Lorem Ipsum\"]\nAttack_ids: [\"T1583\", \"T1587.001\", \"T1564\", \"T1140\", \"T1195\", \"T1055\", \"T1608.002\", \"T1584\", \"T1102\", \"T1608\", \"T1583.006\", \"T1547.001\", \"T1588.002\", \"T1562.001\", \"T1584.006\", \"T1027.004\", \"T1071.001\", \"T1518\", \"T1102.001\", \"T1127\"]\nIndustries: [\"Healthcare\"]"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778626513",
        "to_ids": true,
        "type": "domain",
        "uuid": "87e7fa42-e811-4d7a-b556-0d7d85cb9a1c",
        "value": "official-teams-storage.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778626534",
        "to_ids": true,
        "type": "domain",
        "uuid": "0eef6d0e-94b0-4814-b833-58ff3865c188",
        "value": "biblegodlike.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778626555",
        "to_ids": true,
        "type": "domain",
        "uuid": "2f3346fb-df9f-4424-8821-e9a0b52ec432",
        "value": "graburban.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778626576",
        "to_ids": true,
        "type": "domain",
        "uuid": "5c3f19e3-1b33-4582-9120-fd31ecc98830",
        "value": "reeeeealy.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778626598",
        "to_ids": true,
        "type": "domain",
        "uuid": "7a5e009d-6334-4005-baba-7ac03e3d0dfc",
        "value": "semigoddess.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778626619",
        "to_ids": true,
        "type": "hostname",
        "uuid": "42a4b671-28bc-4f27-8600-508c20f8dbd5",
        "value": "www.letsdiskuss.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778626640",
        "to_ids": true,
        "type": "url",
        "uuid": "459d9b17-5051-4131-b331-4781b5b9b221",
        "value": "https://official-teams-storage.com/files_dws_arch/MTSetup_v15.3.71194.msi",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778626661",
        "to_ids": true,
        "type": "url",
        "uuid": "5820a78b-4cb2-442a-b662-86517d3f1e51",
        "value": "https://www.letsdiskuss.com/user/dhuahsd12d2752",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778626682",
        "to_ids": true,
        "type": "domain",
        "uuid": "320d852f-0451-4ef6-a7e1-8ff3b01ee15a",
        "value": "valeurban.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778626703",
        "to_ids": true,
        "type": "domain",
        "uuid": "d39276e2-4ac7-469b-a4a3-71b8a77b596f",
        "value": "letsdiskuss.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778626724",
        "to_ids": true,
        "type": "domain",
        "uuid": "c17f9357-f76c-4264-98bb-58d36957d3b6",
        "value": "plainraw.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546385",
        "uuid": "8711e74f-3d81-4e6f-ab44-b72d33f23c47",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546384",
            "to_ids": true,
            "type": "md5",
            "uuid": "4136077f-6458-43d6-82c2-758aab55c55d",
            "value": "c64bf46572ec023b645fc7eef50e06d6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546384",
            "to_ids": true,
            "type": "sha1",
            "uuid": "a3de99ed-6e4f-4da9-ba0b-daec60e42aee",
            "value": "6e6a356056305e2df3745e9203c923afdc5d3752",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546385",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f60b3e9e-b876-4445-9ebe-55b50c65cc67",
            "value": "448afbdb6752c86e627d269ea244994d2c072d5110b490232dd7834943b043cb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778622183",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "34fe0f6a-0dde-44f1-b284-f9880238f377",
            "value": "24576:UgWraDsHIxWPuWqpL4yY+NJnwWq1CuKP+gVmq93M18c8msiUn+/M:2raAHIxWvgNJfYCEoH+QmsDn+k"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778622183",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "adce1955-c97c-4b1f-bfd0-fcb32f11c09d",
            "value": "1224704"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778622183",
            "to_ids": true,
            "type": "vhash",
            "uuid": "31c127e8-098c-48c6-a97a-a5d854889898",
            "value": "fab7755e4498d65611500ac2d20f2357"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778622183",
            "to_ids": true,
            "type": "filename",
            "uuid": "e0156a1b-4027-4a44-8122-e38662d4f918",
            "value": "SetupMT_V5_7765.msi"
          },
          {
            "category": "Other",
            "comment": "Checked: 13/05/2026\nLast-scan\t:  07/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778622183",
            "to_ids": false,
            "type": "text",
            "uuid": "6b8bfdfd-314d-4533-8638-db9c872eba53",
            "value": "Type Description: Windows Installer\nMicrosoft: Trojan:Win32/Malcert\nVT Total Detection:22/62\nFirst Submission:2026-04-01T17:08:09.000000+00:00\nLast Submission:2026-04-07T04:10:04.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546388",
        "uuid": "e7a9fc1f-9398-47a1-8704-c5480397f75c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546387",
            "to_ids": true,
            "type": "md5",
            "uuid": "3839a736-aeac-4b3a-b32c-fdfed34f88f8",
            "value": "6bbec72c41204231bf846ee8f0fae4b7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546387",
            "to_ids": true,
            "type": "sha1",
            "uuid": "a0fcd7c5-c8ac-4c2c-9070-08e8f1b3433b",
            "value": "2217e15ab94985a32f7d92119f28d5065262d7b4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546388",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a7cb4301-20cd-4e45-9b83-2763c6630d75",
            "value": "82ebca8612e203f6d8a2dcdc5e586095ebf94e5e29724ba92cd8bd090df47eb2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778622204",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "0e060684-376e-4c22-8fda-1ce827357d2c",
            "value": "24576:0SQm/OV0VxpR4y7bsDpIJxmaIF/yY8dX9+xkj3x1RBtm1sUs:0bm02tsDpIeFVYbVm1Vs"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778622204",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "03d1956c-a813-45c8-88d8-afc9f6e37438",
            "value": "1212416"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778622204",
            "to_ids": true,
            "type": "vhash",
            "uuid": "8473606f-b980-491b-a502-09457f6b89ca",
            "value": "fab7755e4498d65611500ac2d20f2357"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778622204",
            "to_ids": true,
            "type": "filename",
            "uuid": "c835357d-d87e-4c86-a523-18a835c9a7c7",
            "value": "Setup_MT_V14.63.msi"
          },
          {
            "category": "Other",
            "comment": "Checked: 13/05/2026\nLast-scan\t:  07/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778622204",
            "to_ids": false,
            "type": "text",
            "uuid": "dde161bb-f116-4564-880b-c75697e173e6",
            "value": "Type Description: Windows Installer\nMicrosoft: None\nVT Total Detection:28/61\nFirst Submission:2026-04-02T14:16:45.000000+00:00\nLast Submission:2026-04-02T14:16:45.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546390",
        "uuid": "59ca139a-d003-4b3b-bc8e-94f84fc51ca4",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546390",
            "to_ids": true,
            "type": "md5",
            "uuid": "ec962b5f-bd59-423f-a813-5c0e0c7803e9",
            "value": "005002b31c6d738879379497e76842d5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546390",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e00e38aa-dcb1-4ef7-be48-5977eba09b75",
            "value": "5a715c644b36299c2c5d79397f3cc2717959e468",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546390",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f50113f2-dfc5-4b3d-80a6-66cc32036516",
            "value": "ba5d73ca2c5aced43c7605e5652ba31fc63ca9b1f419ee4b934757c010c60f75",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778622226",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c703ab1c-268d-4725-91ef-cf9eaf55a806",
            "value": "24576:6YQcO9sadDt4Ip9A5ya0sLoSaVAcmrBLOUb96gMzbFtiAI9cim1xUnk:RQSadD+RwsLdaCPNj96gGKbBm1mn"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778622226",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "78ea02ec-b804-4a5b-b441-073f91a7dba5",
            "value": "1191936"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778622226",
            "to_ids": true,
            "type": "vhash",
            "uuid": "8498579a-5496-484d-b1ae-fb361d56fdb3",
            "value": "fab7755e4498d65611500ac2d20f2357"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778622226",
            "to_ids": true,
            "type": "filename",
            "uuid": "ad0a5bdc-62d2-448b-9729-6f8c5e64bd0c",
            "value": "MTSetup_v15.3.7110.msi"
          },
          {
            "category": "Other",
            "comment": "Checked: 13/05/2026\nLast-scan\t:  09/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778622226",
            "to_ids": false,
            "type": "text",
            "uuid": "6e2a19cf-2fd5-4b33-aa94-0e6470213824",
            "value": "Type Descriptio%WINDIR%\\Installer\nMicrosoft: Trojan:Win32/NjRat.RCD!MTB\nVT Total Detection:26/62\nFirst Submission:2026-04-01T12:57:54.000000+00:00\nLast Submission:2026-04-01T19:50:41.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546393",
        "uuid": "bcff1c55-5a40-4f17-aa90-1b8fba1c1084",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546392",
            "to_ids": true,
            "type": "md5",
            "uuid": "ba3d6fd5-b248-4e7e-b52b-c5ba5a7973e6",
            "value": "3ff61a00c1a6be20f14f6d126913a609",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546393",
            "to_ids": true,
            "type": "sha1",
            "uuid": "91c4e0db-1ee8-4465-b141-81a5b214b4de",
            "value": "071dcaba6e221a35f70406071405669f228cbadc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546393",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1bb541d5-4ab4-4b16-a5b6-fd5a51ecab54",
            "value": "045b76fa552dbfdfb7e5de66c9c599fe91151384be6a9849ec8965aa7251b818",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778622248",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f27262a8-4a26-4041-92e9-ea77ed71de58",
            "value": "24576:MXi7m6PYnzOlHAGkG1D1xGcbpmByP+yXNpHQ1Dx/cGGJg/3pHJcBm0OUnWKUJJE:MS7rSilHAgjxRGyXqTegPp6m0vn/UJJ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778622248",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "cb9be5f6-d080-4e99-b95a-03c8ff7bb904",
            "value": "1523712"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778622248",
            "to_ids": true,
            "type": "vhash",
            "uuid": "c7d056df-80f7-499a-a79f-e3db43b539c9",
            "value": "fab7755e4498d65611500ac2d20f2357"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778622248",
            "to_ids": true,
            "type": "filename",
            "uuid": "d36bf338-af77-462e-98de-7e4a701a2fc9",
            "value": "7s9njk.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 13/05/2026\nLast-scan\t:  10/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778622248",
            "to_ids": false,
            "type": "text",
            "uuid": "92ed3e2e-60fd-495c-a29f-46a3b7a17ff2",
            "value": "Type Descriptio%WINDIR%\\Installer\nMicrosoft: Trojan:Win32/Suschil!rfn\nVT Total Detection:25/62\nFirst Submission:2026-04-22T17:16:15.000000+00:00\nLast Submission:2026-04-22T17:16:15.000000+00:00"
          }
        ]
      }
    ]
  }
}