{
  "Event": {
    "analysis": "1",
    "date": "2026-04-14",
    "extends_uuid": "",
    "info": "[Threat Intel] Pretexting-Based Targeted Intrusion: Analysis of Facebook Reconnaissance and Software Tampering Attacks",
    "protected": false,
    "publish_timestamp": "1776462996",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1776462996",
    "uuid": "809bcf4e-bad1-4d37-a9d5-10e392b16aa2",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ee8d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"",
        "relationship_type": ""
      },
      {
        "colour": "#110e53",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"DNS - T1071.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#7da4ad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#5539fe",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#ff841f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"",
        "relationship_type": ""
      },
      {
        "colour": "#f5a258",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#75ec20",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#20f80d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"",
        "relationship_type": ""
      },
      {
        "colour": "#3780c6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#ad5a96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Hijack Execution Flow - T1574\"",
        "relationship_type": ""
      },
      {
        "colour": "#4bc785",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Hollowing - T1055.012\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#356c41",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"",
        "relationship_type": ""
      },
      {
        "colour": "#07a4a1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Encoding - T1132\"",
        "relationship_type": ""
      },
      {
        "colour": "#02475d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#3c0f50",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"APT37\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776164409",
        "to_ids": false,
        "type": "link",
        "uuid": "3f3d256b-696f-478e-9625-857a562f6479",
        "value": "https://www.genians.co.kr/en/blog/threat_intelligence/pretexting",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776164409",
        "to_ids": false,
        "type": "text",
        "uuid": "92c61915-bb49-4d0a-a559-3ca1679230fe",
        "value": "APT37 conducted a sophisticated social engineering campaign utilizing Facebook accounts claiming locations in Pyongyang and Pyongsong, North Korea, to conduct reconnaissance and build trust with targets. After establishing relationships through Facebook Messenger, the threat actor migrated conversations to Telegram and employed pretexting tactics, claiming to share encrypted PDF documents containing military weapons information. Victims were persuaded to install a tampered Wondershare PDFelement installer that executed embedded shellcode for initial compromise. The attack chain delivered follow-on commands through a JPG-disguised payload hosted on a compromised Japanese real estate website. The malware abused Zoho WorkDrive OAuth2 APIs as C2 channels, exfiltrating screenshots, documents, system information, and audio files. The campaign employed multiple evasion techniques including code cave injection, process hollowing into legitimate dism.exe, XOR encryption layers, and fileless in-memory execution."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776164409",
        "to_ids": false,
        "type": "text",
        "uuid": "393b8205-9dee-4752-8df7-275820ff032d",
        "value": "Name: Pretexting-Based Targeted Intrusion: Analysis of Facebook Reconnaissance and Software Tampering Attacks\nAuthor: AlienVault\nAdversary: APT37\nTags: [\"apt37\", \"zoho workdrive c2\", \"north korea\", \"rokrat\", \"shellcode injection\", \"social engineering\", \"process hollowing\", \"installer tampering\", \"pretexting\", \"facebook reconnaissance\"]\nTgtd countries: []\nMlwr families: [\"ROKRAT - S0240\"]\nAttack_ids: [\"T1113\", \"T1071.004\", \"T1036.005\", \"T1204.002\", \"T1566.001\", \"T1071\", \"T1106\", \"T1140\", \"T1036\", \"T1055\", \"T1059\", \"T1204\", \"T1566\", \"T1574\", \"T1055.012\", \"T1027\", \"T1573\", \"T1132\", \"T1059.003\", \"T1027.002\", \"T1071.001\"]\nIndustries: []"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776393040",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "7af7fe61-8cd4-44cc-9cdd-ade633e8e393",
        "value": "APT37",
        "Tag": [
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:threat-actor=\"APT37\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check: 17/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776399339",
        "to_ids": true,
        "type": "md5",
        "uuid": "b9a35f10-e1eb-414c-a31f-ea2ed1ef645d",
        "value": "085128b4e96633c82beb2101f5c525e4",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check: 17/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776399340",
        "to_ids": true,
        "type": "md5",
        "uuid": "59e4c33c-2f49-4f82-9377-0aff9aedfa7f",
        "value": "c637b3e7d74c2d678663454d16311b15",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776402540",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "a8944bf2-b554-47da-9b85-2a5dcdcb2df8",
        "value": "222.122.49.15",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776402561",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "818d4360-3d06-4886-ae15-d7b0cb13e888",
        "value": "38.32.68.195",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776402583",
        "to_ids": true,
        "type": "url",
        "uuid": "d8a75a0a-4f6e-41e3-9882-ddad24bcd40d",
        "value": "http://japanroom.com/board/DATA/1288247428101.jpg",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Appears to be the publishing vendor's own site (the external-analysis reference in this event is a genians.co.kr blog post), not adversary infrastructure; review before relying on to_ids for detection.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776402604",
        "to_ids": true,
        "type": "url",
        "uuid": "1fb588c7-7c68-4ca2-b0c0-cad4a02243c3",
        "value": "https://www.genians.com/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776402625",
        "to_ids": true,
        "type": "domain",
        "uuid": "c3cae2c8-3578-4b12-9042-181539d04c7c",
        "value": "japanroom.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Appears to be the publishing vendor's contact address rather than a sender used by the adversary; review before relying on to_ids for detection.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776164409",
        "to_ids": true,
        "type": "email-src",
        "uuid": "fa9eb518-9b60-4f85-a9ac-24877d4ac5ac",
        "value": "tac@genians.com"
      },
      {
        "category": "Network activity",
        "comment": "Appears to be the publishing vendor's own hostname (see the genians.co.kr reference in this event), not adversary infrastructure; review before relying on to_ids for detection.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776402646",
        "to_ids": true,
        "type": "hostname",
        "uuid": "6320d99e-c343-41e6-a577-6d99e7ebe2d7",
        "value": "www.genians.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776462770",
        "uuid": "0fefd569-a36f-489e-851a-65eb097554b4",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776462770",
            "to_ids": true,
            "type": "md5",
            "uuid": "f1045004-4f7f-4c58-bc25-bc08b3d3826f",
            "value": "28d0143718153bf04c1919a26bb70c2d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776399336",
            "to_ids": true,
            "type": "sha1",
            "uuid": "6fa5cb6a-ba70-4347-8eb8-08e10a4a7844",
            "value": "4137911f14563fdf7500159ee7a386d9c54bbdae",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776399336",
            "to_ids": true,
            "type": "sha256",
            "uuid": "fb10c8cc-c309-4b46-841a-bf3d66917c6e",
            "value": "dad0ca56b3fe2aeb1f7908765f279db5fc33392caf4849c573a5d63bf7e15604",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776398589",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "b7a246d8-a999-4126-a277-8956262c62c7",
            "value": "24576:+Y25U04ZgufscIzZQBu5IlRMM+dMiY0i9RqbtF7cJApksPw:+H6SXuBuKoiP+tFnp3Y"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776398589",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7bfd7ba3-944e-43a5-85e5-bd78b4c06c84",
            "value": "854620"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/04/2026\nLast-scan: 16/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776398589",
            "to_ids": false,
            "type": "text",
            "uuid": "6bc07db2-8673-440f-9883-041e97253c19",
            "value": "Type Description: unknown\nMicrosoft: None\nVT Total Detection: 2/62\nFirst Submission: 2026-04-14T00:27:05.000000+00:00\nLast Submission: 2026-04-14T00:27:05.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776462792",
        "uuid": "bfabcd95-6d2a-444f-badf-c4f7eccc1187",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776462792",
            "to_ids": true,
            "type": "md5",
            "uuid": "df7e21d3-4d8b-490f-a83a-34574293d160",
            "value": "36be2cbb59cd1c3f745d5f80f9aee21c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776399336",
            "to_ids": true,
            "type": "sha1",
            "uuid": "02ce9282-6220-458e-919a-b1b00ce8eeed",
            "value": "d0f8b7885e65a2d0714f91f7275d100bca25a886",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776399337",
            "to_ids": true,
            "type": "sha256",
            "uuid": "aa0a85ad-36f1-4b29-bc68-43579af667a0",
            "value": "3ecb8632582982f5ea4cef6b32ac468bd43c61896b5de57416c8100f8ab90102",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776398611",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "70d95bf2-ae92-467c-8d0a-d045cfd3bfe3",
            "value": "49152:LyzNg7jH8hXgcewfXzWNIj/TzCqhBNsEIU3B7uRNroI44p:LyzNrlewfXrBNNI"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776398611",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4df88d7d-ef75-493c-8fb5-94ed1c143d65",
            "value": "2345968"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776398611",
            "to_ids": true,
            "type": "vhash",
            "uuid": "9b6d1c4f-df9d-4180-a0d2-3b4e054d847a",
            "value": "026066655d1d0565619031zf3200bb7za07013zd02006e032z247z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776398611",
            "to_ids": true,
            "type": "filename",
            "uuid": "d9e6fe4b-09b1-4aa0-90fa-33236a45eed3",
            "value": "_3ecb8632582982f5ea4cef6b32ac468bd43c61896b5de57416c8100f8ab90102.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/04/2026\nLast-scan: 17/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776398611",
            "to_ids": false,
            "type": "text",
            "uuid": "c5cbc071-2a42-4472-bf46-7c14997745f0",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/DownChollima.YBF!MTB\nVT Total Detection: 40/72\nFirst Submission: 2026-04-14T00:30:00.000000+00:00\nLast Submission: 2026-04-15T07:40:27.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776462813",
        "uuid": "79dec983-b270-4710-8288-0debd4de7c65",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776462813",
            "to_ids": true,
            "type": "md5",
            "uuid": "89cc02e9-29fb-4821-91a5-5e7a5731c0bc",
            "value": "c681fe3f42e82e9240afe97c23971cbc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776399338",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e03ff5fe-e1d1-4d9d-9aee-f1aaa2ff24e4",
            "value": "6625f25a82a9739476402a759a514a59f822f5d8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776399338",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f8bb3126-6ee3-4cf7-8a58-3c52de7161f2",
            "value": "d5a3321b215d2b141de7ebe24398cf43320a2016e4f20d079ddf7015ceb069a8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776398653",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "90cf5897-a9ba-405a-bdc4-2d55f0a69f16",
            "value": "24:X2z+pbIQBojkR7S8Ni9CscFbGJZDGkDp+HJl19ygeCGJJy/d+QNTRm7PA0h3BiYr:+3aTNWuClkJJtneJywOTRm73h3BPS6"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776398653",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "6fb55bdc-7471-4f5a-b90c-f3f016ba9a48",
            "value": "1426"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/04/2026\nLast-scan: 17/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776398653",
            "to_ids": false,
            "type": "text",
            "uuid": "ebb71db6-8211-4b31-8cae-e035716d1168",
            "value": "Type Description: unknown\nMicrosoft: None\nVT Total Detection: 2/62\nFirst Submission: 2026-04-14T00:35:49.000000+00:00\nLast Submission: 2026-04-14T00:35:49.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776462834",
        "uuid": "183eedba-4347-49af-b34c-09dd9f776bf7",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776462834",
            "to_ids": true,
            "type": "md5",
            "uuid": "cc839768-391a-4433-871c-44687d0964d9",
            "value": "d44a22d2c969988a65c7d927e22364c8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776399339",
            "to_ids": true,
            "type": "sha1",
            "uuid": "1285994c-3fc5-4c12-95dc-c8235ef35237",
            "value": "441603f740667fd5b4365b880b55a6cb6991cd96",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776399339",
            "to_ids": true,
            "type": "sha256",
            "uuid": "6db1b40c-d351-428b-99b4-5e0152718e59",
            "value": "8448b5ff7fac8b65dd9e5056a8a4b3e4230b7b602f46e24f1667821a64a90e6e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776398675",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "ec35e299-1fa2-47c7-86ee-ae8019c58581",
            "value": "24576:RTQp3ZF156B61dy6qLGATBCGpB5JRKzNFs:RkPF7N1w6qLGa"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776398675",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "84f84088-4789-43e0-84ad-780226646da7",
            "value": "854619"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/04/2026\nLast-scan: 16/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776398675",
            "to_ids": false,
            "type": "text",
            "uuid": "6c9b1b98-b3e9-4f8f-8eac-b8e40457adf0",
            "value": "Type Description: unknown\nMicrosoft: None\nVT Total Detection: 2/62\nFirst Submission: 2026-04-14T00:38:35.000000+00:00\nLast Submission: 2026-04-14T00:38:35.000000+00:00"
          }
        ]
      }
    ]
  }
}