{
  "Event": {
    "analysis": "1",
    "date": "2026-05-15",
    "extends_uuid": "",
    "info": "[Threat Intel] Spring harvest - Leek Likho group's campaign to hunt for documents",
    "protected": false,
    "publish_timestamp": "1779596374",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1779596374",
    "uuid": "8483102e-5129-4460-b958-d38750a66fe4",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#4985d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Boot or Logon Autostart Execution - T1547\"",
        "relationship_type": ""
      },
      {
        "colour": "#adf1b0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"",
        "relationship_type": ""
      },
      {
        "colour": "#20f80d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"Kaspersky\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#18005c",
        "local": false,
        "name": "rectifyq:topic=\"ai\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Government, Administration\"",
        "relationship_type": ""
      },
      {
        "colour": "#bd512b",
        "local": false,
        "name": "misp-galaxy:target-information=\"Belarus\"",
        "relationship_type": ""
      },
      {
        "colour": "#15cd0b",
        "local": false,
        "name": "misp-galaxy:target-information=\"Russia\"",
        "relationship_type": ""
      },
      {
        "colour": "#220082",
        "local": false,
        "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779159607",
        "to_ids": false,
        "type": "link",
        "uuid": "0cab81d1-90bf-4455-9be6-4b26fbb536f7",
        "value": "https://securelist.ru/tr/leek-likho-hunting-for-data-with-tor-and-llms/115601/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779159607",
        "to_ids": false,
        "type": "text",
        "uuid": "35c8e92d-8408-492c-8646-f9cf5ebb0346",
        "value": "The Leek Likho group (also known as SkyCloak or Vortex Werewolf) was first described by researchers in 2025, when a series of targeted attacks on public sector organizations in Russia and Belarus became known. This campaign was called Operation SkyCloak. We observed the continuation of its activity during February-April 2026, and also discovered a new technique that attackers use to filter files."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779159607",
        "to_ids": false,
        "type": "text",
        "uuid": "f543dd29-bb30-49ab-9ece-e35ad2b8c4ae",
        "value": "Name: Spring harvest - Leek Likho group's campaign to hunt for documents\nAuthor: AlienVault\nAdversary: \nTags: [\"Likho\", \"Skycloak\", \"telegram\", \"dropbox\", \"messenger app\"]\nTargeted countries: []\nMalware families: []\nAttack_ids: [\"T1547\", \"T1090\", \"T1059\"]\nIndustries: [\"Government\"]"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:24/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593161",
        "to_ids": true,
        "type": "md5",
        "uuid": "6b9d34ca-a37b-4adb-8126-2dcbc4f87374",
        "value": "099e92221466c0d380f8fac942b65641",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#230087",
            "local": false,
            "name": "rectifyq:samples-found-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:24/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593162",
        "to_ids": true,
        "type": "md5",
        "uuid": "ecac88e7-1aa7-4e1f-aaaf-34c6318a7733",
        "value": "27dde6318bb7b2ca4f1f5df97007fbb8",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:24/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593163",
        "to_ids": true,
        "type": "md5",
        "uuid": "6b7ab3a2-f40d-4de4-ab04-dcc7c67ec9d7",
        "value": "284a56c416681090b3965250db2052d7",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:24/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593164",
        "to_ids": true,
        "type": "md5",
        "uuid": "8ac3165b-2fb4-4ceb-9c38-04af8fa2b2d7",
        "value": "53bb7a229647cd4de8e23c075d4ffc2a",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#230087",
            "local": false,
            "name": "rectifyq:samples-found-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:24/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593164",
        "to_ids": true,
        "type": "md5",
        "uuid": "e16025d2-33c7-4154-ae41-47bc27285c45",
        "value": "85a2bd811866efadf369d6c0c54fc5b4",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:24/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593165",
        "to_ids": true,
        "type": "md5",
        "uuid": "3f1e6012-7866-4c32-8911-c8b47dfca638",
        "value": "b8095944013853d982c4c045372a97c1",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#230087",
            "local": false,
            "name": "rectifyq:samples-found-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:24/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593167",
        "to_ids": true,
        "type": "md5",
        "uuid": "0ee06cc8-78db-42bf-810f-948484a7cc20",
        "value": "c26198c104844e44d77d3da5389c040d",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:24/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593168",
        "to_ids": true,
        "type": "md5",
        "uuid": "ebc5a502-0551-4bdf-826a-a67681131d1b",
        "value": "ebc8b65e3e35f66147fa4cbb9051a192",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#230087",
            "local": false,
            "name": "rectifyq:samples-found-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:24/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593169",
        "to_ids": true,
        "type": "md5",
        "uuid": "e93e2209-3f91-49bb-b457-a963ff5a1e5c",
        "value": "ef0b5a716fcaaa26553a16c0c725a1bf",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Attribution",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546560",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "cb573e42-c259-41c7-b898-c3ba88becd0a",
        "value": "Leek Likho",
        "Tag": [
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:producer=\"Kaspersky\"",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779593875",
        "uuid": "6b97de78-59a4-47fd-91d5-c29d04aa1c43",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779593875",
            "to_ids": true,
            "type": "md5",
            "uuid": "96b4f3cd-55bc-4a64-84a3-1fe38866dcb5",
            "value": "6615ea2fa3b879d27687a7ce917e93b0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593100",
            "to_ids": true,
            "type": "sha1",
            "uuid": "29cf6cba-4d5d-4dbd-b93c-50e780139e5d",
            "value": "8d4f19b221751297b0c3a10f105772d7286c9411",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593101",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a8d75cd3-4885-4a70-9e02-37c90da3fdc4",
            "value": "6f31cf7a11189c683d8455180b4ee6a60781d2e3f3aadf3ecc86f578d480cfa9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779590233",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "77649f13-8b6c-4abf-9ab4-a76cf6ccca7b",
            "value": "24576:1FbpQCgnGN1o4w+fkWq8tRluDV7e1WFu+dVVv9m6octogu9RyH:1LQCgnGN1PfkkgVi1OuCQ6octm6"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779590233",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "5e6dc09d-31c3-4391-95fd-1ce0f7a1f20f",
            "value": "1343920"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779590233",
            "to_ids": true,
            "type": "vhash",
            "uuid": "e27cd47d-e38c-4303-8ab3-abf0e5e98e6c",
            "value": "016076655d156515555293z22za3fz85z24z1d7z"
          },
          {
            "category": "Payload delivery",
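            "comment": "NOTE(review): common filename; on its own it is not a reliable indicator. The VT data in this object (1/71 detections, first submission 2023-12-18, predating the reported 2025-2026 activity) suggests the file may be a widely distributed binary; confirm before alerting or blocking on this filename or its hashes.",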
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779590233",
            "to_ids": true,
            "type": "filename",
            "uuid": "59a438e4-6768-4ab1-9831-8a4d4fda430f",
            "value": "sshd.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast scan: 21/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779590233",
            "to_ids": false,
            "type": "text",
            "uuid": "a4443bf1-a75a-48b4-b6af-a4d6a4bd5f37",
            "value": "Type Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:1/71\nFirst Submission:2023-12-18T22:54:05.000000+00:00\nLast Submission:2026-05-18T03:56:23.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779593896",
        "uuid": "91f8d9c3-a733-4442-bed8-e5737d94a04d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779593896",
            "to_ids": true,
            "type": "md5",
            "uuid": "5bd3e14c-b745-4240-939b-253697233301",
            "value": "37e83a8fc0e4e6ea5dab38b0b20f953b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593102",
            "to_ids": true,
            "type": "sha1",
            "uuid": "039c2fce-c28d-4708-b158-5c55952045bb",
            "value": "3e7b02953ccaef1d63c4e1c4bc69daa1656e5ab0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593102",
            "to_ids": true,
            "type": "sha256",
            "uuid": "c92ca9ad-3cbb-43e5-b3eb-f006414d5070",
            "value": "a0eed0e1ef8fc4129f630e6f68c29c357c717df0fe352961e92e7f8c93e5371b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779590255",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c986e083-f3cd-4a75-9ff3-b3c1502bb924",
            "value": "6144:vQn+mU3isQNjODH5am4rU5x31cMBZQIhH84efS4jQ:vH53fMmWMKMBTH84eFc"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779590255",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4797ab3c-4148-4b3c-8dbc-ba80cebe6736",
            "value": "384432"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779590255",
            "to_ids": true,
            "type": "vhash",
            "uuid": "2f6d1330-841b-44e3-9bc3-e853d30a9be1",
            "value": "035076655d155515555153z12z96nz25zc7z"
          },
          {
            "category": "Payload delivery",
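            "comment": "NOTE(review): filename alone is not a reliable indicator. The VT data in this object (0/71 detections, first submission 2023-12-18, predating the reported 2025-2026 activity) suggests the file may be a widely distributed binary; confirm before alerting or blocking on this filename or its hashes.",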
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779590255",
            "to_ids": true,
            "type": "filename",
            "uuid": "a3bf3195-db42-46a5-8f80-15fe14c3a7b2",
            "value": "krita.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast scan: 19/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779590255",
            "to_ids": false,
            "type": "text",
            "uuid": "aa965574-be9c-447b-94b3-3ed9e6a178ee",
            "value": "Type Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:0/71\nFirst Submission:2023-12-18T22:54:05.000000+00:00\nLast Submission:2026-05-18T03:56:48.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779593917",
        "uuid": "9cf3e59a-c791-40d5-953e-e82961557004",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779593917",
            "to_ids": true,
            "type": "md5",
            "uuid": "afcbd7fc-eb02-442f-9897-54d5ebe39766",
            "value": "6eafae19d2db29f70fa24a95cf71a19d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593103",
            "to_ids": true,
            "type": "sha1",
            "uuid": "d706323b-674a-49f0-a3f4-516a35b0fbc7",
            "value": "b6d7215f6336c1f2873006cc38c7babc0b56f1d1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593103",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a54de54a-bfd5-41ad-88cb-bd6c17b819f5",
            "value": "feae0baf291ff54a1366f0cd628665d2b1c9fe279ce2544d4f84c7aa46064f3c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779590277",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "1abc05c0-9e1a-4347-b8a5-46ca161a6598",
            "value": "3072:82Q0NG/TvIOa6Pircz/sG9fver+Uh+77/evGeTgCu:86G/Tvo3wN9fGrmwGYgJ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779590277",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "de07295e-767c-4069-8742-e8a89154dae4",
            "value": "189360"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779590277",
            "to_ids": true,
            "type": "vhash",
            "uuid": "a8afe360-805b-47cd-abca-cd00c8218ed9",
            "value": "015076655d155515555az62nz6fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779590277",
            "to_ids": true,
            "type": "filename",
            "uuid": "4b8514c5-2aa8-4bb6-bf4e-fc4e79f482f0",
            "value": "ssh-shellhost.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  19/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779590277",
            "to_ids": false,
            "type": "text",
            "uuid": "e7e7845b-7a6a-4c4f-bc92-f322c0ee2f0e",
            "value": "Type Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:0/71\nFirst Submission:2023-12-18T22:54:05.000000+00:00\nLast Submission:2026-05-18T03:56:40.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779593938",
        "uuid": "04dc9c50-9e68-486c-8533-c5ed3a8bdb7b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779593938",
            "to_ids": true,
            "type": "md5",
            "uuid": "87acabc6-7e81-496b-b742-e5a6d2d6a7f4",
            "value": "3e3c5471c69e933fcffa4f497ca936b8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593104",
            "to_ids": true,
            "type": "sha1",
            "uuid": "06f5a515-44c6-4686-a8fa-d6d87e46293d",
            "value": "2282e2158b7fb714f77d8b0974d980b87884933f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593104",
            "to_ids": true,
            "type": "sha256",
            "uuid": "816489c1-6827-4b97-b2c4-614877472993",
            "value": "8339333e1a1a8babc3fd72542e8fda58d19dd096cf2463867ca0328348338570",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779590299",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "07125e76-1c82-4ab1-98e6-0807c386e880",
            "value": "48:8rEfRSnJIvOfUrm79e7iDQe77e72aWHHod0BdDabiMH:8rEfRYizrm5qi0q7qLEHjBdDz"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779590299",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "e8e735e9-6f3e-41a2-9091-f95128975d60",
            "value": "2471"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779590299",
            "to_ids": true,
            "type": "vhash",
            "uuid": "b77ec103-8cee-4d3e-9d1e-6a0ae5bc9d55",
            "value": "466a5593db6bbf051754b3be59cc3698"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779590299",
            "to_ids": true,
            "type": "filename",
            "uuid": "b847a6a4-7fd5-4736-be02-96827a21913c",
            "value": "Proekt_prikaza_681_o_pooshchrenii.pdf.lnk"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779590299",
            "to_ids": false,
            "type": "text",
            "uuid": "314a9707-4915-4ec5-ad8b-c41a0b86ec1b",
            "value": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\r\nType Description: Windows shortcut\nMicrosoft: Trojan:Win32/WinLNK.HDA!MTB\nVT Total Detection:37/62\nFirst Submission:2025-12-15T15:41:41.000000+00:00\nLast Submission:2025-12-15T15:41:41.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779593960",
        "uuid": "da7a9b4b-9a87-4946-9fa4-0b3d594e06e8",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779593960",
            "to_ids": true,
            "type": "md5",
            "uuid": "69c865fe-5025-40c4-950e-c6131145042a",
            "value": "44652be9dc36c33ef0a35d4422523f7c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593105",
            "to_ids": true,
            "type": "sha1",
            "uuid": "bd964aa4-22fd-4153-ac5a-8738de4f9a94",
            "value": "675ce37d4549fb9e2fabee91befa53c0bac157e0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593105",
            "to_ids": true,
            "type": "sha256",
            "uuid": "7fd81247-dbfc-4021-adf6-89f06f3c3288",
            "value": "8f4836cca1850053e87a769a84baed3cdde060ad3fce26f101a20b37375835f1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779590321",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "8fc0ffac-0ae1-4aa6-accc-9760d350b49b",
            "value": "393216:ld6Gn9v3wyfEotZEOHB7RowsY3UPw/pZI:T6I3NrHvo56lZI"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779590321",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7adc16e6-6e29-447f-b3c6-5d7a3816392c",
            "value": "12853676"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779590321",
            "to_ids": true,
            "type": "vhash",
            "uuid": "1776cef0-a534-4702-8ad7-2618a1436f4e",
            "value": "4d15898dc88d8d6882a1afe9e5287fc4"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779590321",
            "to_ids": true,
            "type": "filename",
            "uuid": "f4d5f9d7-2ddd-41fd-9689-5947ed97b3c9",
            "value": "Proekt_prikaza_681_o_pooshchrenii.zip"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  22/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779590321",
            "to_ids": false,
            "type": "text",
            "uuid": "0405912e-31f8-4102-b90d-f26f9f4ee23a",
            "value": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\r\nType Description: ZIP\nMicrosoft: None\nVT Total Detection:39/67\nFirst Submission:2025-12-15T15:40:50.000000+00:00\nLast Submission:2025-12-15T15:40:50.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779593981",
        "uuid": "f274ea36-836c-4dcf-a40e-37606f6d9a29",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779593981",
            "to_ids": true,
            "type": "md5",
            "uuid": "1416940d-3f63-426d-aae7-081bd7f70def",
            "value": "8dbeb747aab3d3814bcee52c3b0f6ee5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593106",
            "to_ids": true,
            "type": "sha1",
            "uuid": "012383ad-42e9-4318-b757-12540a3614ef",
            "value": "fc3b95b64aa817262e1dbb2fbfe6983e70a5f340",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593106",
            "to_ids": true,
            "type": "sha256",
            "uuid": "86c79063-39d7-4d0f-b98a-9eabcd625a59",
            "value": "76542efd8113416322268676c8c32fc900661fe17db68a1ac9c2bcdcd936a7a6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779590343",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "1e740b33-7149-413c-8dc8-2a1ca960f9a6",
            "value": "48:dezhVatA84Y42EZAbUlCAEDUswhnzlPfzzN2PgQ:dKsff42EabUN0UZJpPfzgPt"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779590343",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f8b9249c-130b-48f4-96aa-6fa8dfc34a54",
            "value": "2067"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779590343",
            "to_ids": true,
            "type": "vhash",
            "uuid": "781015ec-a49b-427b-8030-4e7b015898f9",
            "value": "66bce2bbd50bf85b03e7c53483c42123"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779590343",
            "to_ids": true,
            "type": "filename",
            "uuid": "840a5194-8664-445c-bfbf-b5c689476cde",
            "value": "permanentReportTitle"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  20/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779590343",
            "to_ids": false,
            "type": "text",
            "uuid": "45eed853-8567-4da5-8bce-b4810a8afb05",
            "value": "Type Description: Powershell\nMicrosoft: Trojan:Win32/Alevaul!rfn\nVT Total Detection:32/62\nFirst Submission:2025-12-15T20:27:38.000000+00:00\nLast Submission:2025-12-15T20:27:38.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594002",
        "uuid": "a146ef1c-b8d7-402a-a2cf-b2001d847e6d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of f4d05a5cb783f1cdd179795125d23139",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594002",
            "to_ids": true,
            "type": "md5",
            "uuid": "126fa3e1-6121-4fdc-94ce-2ed3d8363b26",
            "value": "f4d05a5cb783f1cdd179795125d23139",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of f4d05a5cb783f1cdd179795125d23139",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593108",
            "to_ids": true,
            "type": "sha1",
            "uuid": "1fd5a0b9-91c2-4c2c-849a-697bf309b4a1",
            "value": "854fb7550238d9e4983319540afc4b76f4a74237",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of f4d05a5cb783f1cdd179795125d23139",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593108",
            "to_ids": true,
            "type": "sha256",
            "uuid": "97c1d8a4-a609-4ff4-bfe1-de226504c843",
            "value": "1280cca4b520bfd018296c4d1645b7c9c8c7c4608752506285dad0e251b22e32",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779590365",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "fd594dcd-5645-49f6-990b-fe96df80a4f7",
            "value": "196608:ohUuV5Th/Ni/jPaOSaT2XPm9N9WuTkrUWxTIAO/f5pf0QixaczfT2KlhGxunKg9e:oU0Fh/NCWOSEu+9NWTifcx9GKHfdudiO"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779590365",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b532d1b9-41d2-4180-9a6d-231b8a0be1e5",
            "value": "12484310"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779590365",
            "to_ids": true,
            "type": "vhash",
            "uuid": "72a522dd-aa0c-49a9-b01c-6aff0b71b087",
            "value": "4d15898dc88d8d6882a1afe9e5287fc4"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779590365",
            "to_ids": false,
            "type": "text",
            "uuid": "22a19491-e5d4-4f72-801d-59223cf180cc",
            "value": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of f4d05a5cb783f1cdd179795125d23139\r\nType Description: ZIP\nMicrosoft: None\nVT Total Detection:41/67\nFirst Submission:2025-12-15T23:51:13.000000+00:00\nLast Submission:2025-12-15T23:51:13.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594023",
        "uuid": "ed454575-a8fb-49ae-b76f-868a78d0b3d0",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-description:SHA256 of ffefe836255e742abc3dc692d1dda3a4",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594023",
            "to_ids": true,
            "type": "md5",
            "uuid": "96cdc8a3-c693-49ef-a30c-409bef5a6a46",
            "value": "ffefe836255e742abc3dc692d1dda3a4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-description:SHA256 of ffefe836255e742abc3dc692d1dda3a4",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593109",
            "to_ids": true,
            "type": "sha1",
            "uuid": "94d8c3d7-914b-4fa7-8ad7-8f55d6a00a7a",
            "value": "863c91ef48d1fed77d260376a464bf0686d8afc6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-description:SHA256 of ffefe836255e742abc3dc692d1dda3a4",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593109",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b6f7150f-5887-4058-a224-5d1f9b762d28",
            "value": "1ba396a8cd9af661e0a5ceb1107c787290cff3ab05b70a9c5154f4e040f716be",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779590387",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "5d833556-3d42-4f74-a7ec-a7ef46702c23",
            "value": "96:wVNOD0QfgFj6gMXq7k16MKuLKLLLWBwr+WWrY+BThiBN6rU5O7d:wVNc0AmGbEk16AUNMxQN6rWu"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779590387",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "fb29795a-0958-4c3d-b6af-63d1f4a763ee",
            "value": "4336"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779590387",
            "to_ids": true,
            "type": "vhash",
            "uuid": "3de92a57-9010-4e42-89a3-a1ba60d1fc51",
            "value": "4a8bf03e84e7d0f8b15c5c2165f8573b"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779590387",
            "to_ids": true,
            "type": "filename",
            "uuid": "75846896-c135-405b-8762-5ae50e87b14f",
            "value": "pdfGroup"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  20/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779590387",
            "to_ids": false,
            "type": "text",
            "uuid": "897b9018-d602-4e14-9853-58b0e4b9834e",
            "value": "IOC-description:SHA256 of ffefe836255e742abc3dc692d1dda3a4\r\nType Description: Powershell\nMicrosoft: None\nVT Total Detection:27/61\nFirst Submission:2025-12-30T13:31:47.000000+00:00\nLast Submission:2025-12-30T13:31:47.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594044",
        "uuid": "d438b0af-ac7a-427c-8e85-dc3d565af378",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of 873480ab887de3a9cbbcccb982747637",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594044",
            "to_ids": true,
            "type": "md5",
            "uuid": "a5dd7e45-1fe0-427d-89a7-383b4e012a7a",
            "value": "873480ab887de3a9cbbcccb982747637",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of 873480ab887de3a9cbbcccb982747637",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593110",
            "to_ids": true,
            "type": "sha1",
            "uuid": "4437beb2-75ff-47e3-bfa5-00e11989ab2a",
            "value": "7490e916130a814b1e33c955f4a64ad23c08df5b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of 873480ab887de3a9cbbcccb982747637",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593110",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a57f3ca0-0ad2-49a9-b4fb-a31ff04d4734",
            "value": "2727d521ef98815ba82b2c2cc504123db59e1e4df487e3d6253280d21d00020e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779590408",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "33362372-87ea-4716-8bcc-7a5b62193730",
            "value": "48:8rEfRSn4Zazmz5+SzM3DAhzII0XAwH4Gd0i/jdDabiMH:8rEfRZZnzASzHhq9HQUdDz"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779590408",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f9805730-08a8-4cc3-b514-09ddbb93e8a3",
            "value": "2449"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779590408",
            "to_ids": true,
            "type": "vhash",
            "uuid": "a96426d2-52ba-4485-b932-45d40d4f6f74",
            "value": "466a5593db6bbf051754b3be59cc3698"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779590408",
            "to_ids": true,
            "type": "filename",
            "uuid": "43b5659f-1407-4eb5-8a52-871f41d37965",
            "value": "Proekt_prikaza_VNG_po_lichnomu_sostavu.pdf.lnk"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779590408",
            "to_ids": false,
            "type": "text",
            "uuid": "02f55fb6-2576-4f53-ab73-575a2a1694eb",
            "value": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of 873480ab887de3a9cbbcccb982747637\r\nType Description: Windows shortcut\nMicrosoft: Trojan:Win32/WinLNK.HDA!MTB\nVT Total Detection:37/62\nFirst Submission:2025-12-11T13:46:57.000000+00:00\nLast Submission:2025-12-11T13:46:57.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594066",
        "uuid": "f646d69b-1cd5-4651-b6a7-b90df41ade17",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of 0b6f7356919b9632c1158681ee0462f3",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594066",
            "to_ids": true,
            "type": "md5",
            "uuid": "cce118ea-08bd-4a70-af67-0ef0c3849412",
            "value": "0b6f7356919b9632c1158681ee0462f3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of 0b6f7356919b9632c1158681ee0462f3",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593111",
            "to_ids": true,
            "type": "sha1",
            "uuid": "29e9f25e-36ec-47e5-ac4d-8badac6c18a0",
            "value": "7b50320a005cf68e5c17d51a8fd8422ceef1611a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of 0b6f7356919b9632c1158681ee0462f3",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593111",
            "to_ids": true,
            "type": "sha256",
            "uuid": "259c85ae-9e51-4533-afb1-3e6d5bc848e5",
            "value": "2a9b971c835e2ee5f190d068c602601fdaf718d8bfe085c2032d59a6f25ed082",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779590430",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c9f434a2-f661-4db3-bd6c-5cf0a7ccd862",
            "value": "196608:j0kbfrkMDJePO6TnNLe5n38ey4NsSE4l0IbW+eeuXRCbs3fXvDLkWoXEpXcewU+j:jgm65SpqNSJWrRos3fX7UUtcewcnWjfh"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779590430",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "72b3d589-8d81-46aa-9665-f0cfe114e25f",
            "value": "12524776"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779590430",
            "to_ids": true,
            "type": "vhash",
            "uuid": "e05691e5-b489-4994-831d-18c983d506fc",
            "value": "4d15898dc88d8d6882a1afe9e5287fc4"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779590430",
            "to_ids": false,
            "type": "text",
            "uuid": "8b10970b-9fc7-41cb-a4a0-ae684d3d5960",
            "value": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of 0b6f7356919b9632c1158681ee0462f3\r\nType Description: ZIP\nMicrosoft: None\nVT Total Detection:39/67\nFirst Submission:2025-12-30T11:04:01.000000+00:00\nLast Submission:2025-12-30T11:04:01.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594087",
        "uuid": "240def2d-b398-4d17-a529-52e2e730adbb",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of 4d5074d6e0722ceec45a083fa8444164",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594087",
            "to_ids": true,
            "type": "md5",
            "uuid": "66df32e0-50ba-47a4-b498-d111145bc806",
            "value": "4d5074d6e0722ceec45a083fa8444164",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of 4d5074d6e0722ceec45a083fa8444164",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593112",
            "to_ids": true,
            "type": "sha1",
            "uuid": "8eb81d50-8142-4e5b-9abc-ed8b28e5ac53",
            "value": "aba35de9e819396f89f34c03058ebe71a7f98b6b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of 4d5074d6e0722ceec45a083fa8444164",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593113",
            "to_ids": true,
            "type": "sha256",
            "uuid": "69b8dde8-cc67-4af1-a8dd-957144745f3e",
            "value": "42910bf2aa4ac9d62e2b32e6fadc42f11bd7215fee492ecf72cfd6238965d066",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779590452",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "47367570-3d7e-430d-8e02-860922ffef56",
            "value": "48:8jefAnhjMeYzmxW7xMxkgR7xGxdkHt68HrtTd0vjKlLxM:8jefSjMebWFgkgjukQ8HroW"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779590452",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "364ace00-f392-4a52-bdb2-e650ee0f85e9",
            "value": "2439"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779590452",
            "to_ids": true,
            "type": "vhash",
            "uuid": "4f9f07a2-63da-449c-9b45-dbbc796ec8f4",
            "value": "a8a65189899e694d0325acbfe2fbfa60"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779590452",
            "to_ids": true,
            "type": "filename",
            "uuid": "e6569781-fe22-4e99-87e5-c1cbb59b2a90",
            "value": "Scan_Media_1757_dsp_Prikaz_na_perepodgotovku.pdf.lnk"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779590452",
            "to_ids": false,
            "type": "text",
            "uuid": "b527f9ab-e1f9-449d-8878-1bf3556e8143",
            "value": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of 4d5074d6e0722ceec45a083fa8444164\r\nType Description: Windows shortcut\nMicrosoft: Trojan:Win32/WinLNK.HDA!MTB\nVT Total Detection:36/61\nFirst Submission:2025-12-30T11:04:49.000000+00:00\nLast Submission:2026-01-13T05:39:38.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594108",
        "uuid": "a8876e1c-9f29-4d7e-ae6f-23e901dba413",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-description:SHA256 of f1bc5841f6d6be1820848a7718bf4cce",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594108",
            "to_ids": true,
            "type": "md5",
            "uuid": "bf6466b9-cf29-43e1-8340-673d13607882",
            "value": "f1bc5841f6d6be1820848a7718bf4cce",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-description:SHA256 of f1bc5841f6d6be1820848a7718bf4cce",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593114",
            "to_ids": true,
            "type": "sha1",
            "uuid": "1510f06a-bf85-455c-ba92-b7bec21b3613",
            "value": "e7f20ba2f9c12f164fef37c618481564b4db3399",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-description:SHA256 of f1bc5841f6d6be1820848a7718bf4cce",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593114",
            "to_ids": true,
            "type": "sha256",
            "uuid": "eb1904c9-0620-4dad-8d7f-4306c05d15d1",
            "value": "44abef9297d6573674b27416435c891317cfb9de8753d075806d5777563e6cc2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779590474",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "77845f92-a4a8-4bbd-a1ce-339378aefdb3",
            "value": "24:kkVQbMIW4weggx72S1lgLdBFGqsESQXKLXfKe6/7oyiDs9h9+jXrOOo2ftkD/XTi:LgvdgaqSEdMCqfKn/U5sj6aDm"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779590474",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a774f3bc-c96c-4a4e-8794-702c08cc007f",
            "value": "1943"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779590474",
            "to_ids": true,
            "type": "vhash",
            "uuid": "1638d13c-e991-41a5-a3b8-4882343db34d",
            "value": "66bce2bbd50bf85b03e7c53483c42123"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779590474",
            "to_ids": true,
            "type": "filename",
            "uuid": "03fb0237-8dc5-454f-b558-c436a5ab70ec",
            "value": "totalQuerySignal"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  22/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779590474",
            "to_ids": false,
            "type": "text",
            "uuid": "fb40c9e4-db49-4013-8a2b-0710b48c1417",
            "value": "IOC-description:SHA256 of f1bc5841f6d6be1820848a7718bf4cce\r\nType Description: Powershell\nMicrosoft: Trojan:Win32/Alevaul!rfn\nVT Total Detection:30/62\nFirst Submission:2025-12-16T02:48:25.000000+00:00\nLast Submission:2025-12-16T02:48:25.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594130",
        "uuid": "cec8721d-00ef-4fd2-bfc4-a094796be0d6",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-description:SHA256 of f2b470dc3fcd8a2fd7860851a81f3eb0",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594130",
            "to_ids": true,
            "type": "md5",
            "uuid": "55644463-cd97-40dc-ad3f-4c0b6c02c749",
            "value": "f2b470dc3fcd8a2fd7860851a81f3eb0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-description:SHA256 of f2b470dc3fcd8a2fd7860851a81f3eb0",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593115",
            "to_ids": true,
            "type": "sha1",
            "uuid": "fd317032-0f76-468a-8d1c-0ca97d3b2d0e",
            "value": "b708bb12f86b0eb55a7f49cec9510efbc6b3e262",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-description:SHA256 of f2b470dc3fcd8a2fd7860851a81f3eb0",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593115",
            "to_ids": true,
            "type": "sha256",
            "uuid": "99b31c93-7444-41a9-8925-5f4ee1b6c27d",
            "value": "6efdf511512be5e256951813f2008ce2c4572d6ef191c69a62b7555aa33255ac",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779590495",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c4be38a9-9665-4946-ad36-2697722f7b3f",
            "value": "96:dXOD0QxljWsXclQ1oI/3zIL6zLstV3f68s550B0/O5m:dXc08lKs0Q960Gf6fu0/P"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779590495",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "fb80ae33-a6ee-4c62-accc-f3675b572148",
            "value": "4162"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779590495",
            "to_ids": true,
            "type": "vhash",
            "uuid": "90460657-a219-4319-a2ba-ca9b85fc81ad",
            "value": "4a8bf03e84e7d0f8b15c5c2165f8573b"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779590495",
            "to_ids": true,
            "type": "filename",
            "uuid": "e0b8431b-08b7-4992-ae1f-819dc407b93f",
            "value": "avgAccountDate"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  20/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779590495",
            "to_ids": false,
            "type": "text",
            "uuid": "afe6d6d3-c4d5-432e-9c6d-aa83c7a760e2",
            "value": "IOC-description:SHA256 of f2b470dc3fcd8a2fd7860851a81f3eb0\r\nType Description: Powershell\nMicrosoft: None\nVT Total Detection:28/61\nFirst Submission:2026-01-02T13:57:32.000000+00:00\nLast Submission:2026-01-02T13:57:32.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594151",
        "uuid": "ca0c37a7-fd6a-42ea-a992-500a5fc67a4d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-description:SHA256 of 99dc0dbaf5bd3918803391ec8d6d802c",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594151",
            "to_ids": true,
            "type": "md5",
            "uuid": "62fe0a3b-5b69-4550-93bc-9f1618e2d4f5",
            "value": "99dc0dbaf5bd3918803391ec8d6d802c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-description:SHA256 of 99dc0dbaf5bd3918803391ec8d6d802c",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593116",
            "to_ids": true,
            "type": "sha1",
            "uuid": "731883a0-5564-4321-96a9-d7852539277f",
            "value": "b2de369415574ffeb3858ff6a6213aa8397a331f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-description:SHA256 of 99dc0dbaf5bd3918803391ec8d6d802c",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593116",
            "to_ids": true,
            "type": "sha256",
            "uuid": "19bf52d3-a16e-4ef3-a1b6-6f89a22a782f",
            "value": "85fba8ba8377974392b9147a2adf2d2955e9dfbb8d9e0659c7f90487b1105ae7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779590517",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "1f8111f9-0eea-42c8-aae1-7130237b3697",
            "value": "24:ZTVQbl5wUFIU2m2SZcpzNYsEma8LQXxodQXk95oIJSRKw2likeF1347nYfd2BWJW:ZTk5B0tRd/C2CkvV8QAjokd2s7S"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779590517",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f8569362-3233-4a37-a382-6ea904dd03e0",
            "value": "1810"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779590517",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d9474b2d-b75b-4782-8e56-254858fb2733",
            "value": "66bce2bbd50bf85b03e7c53483c42123"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779590517",
            "to_ids": true,
            "type": "filename",
            "uuid": "7d236387-9e60-406d-a421-fef5624f06f9",
            "value": "configSummary"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  22/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779590517",
            "to_ids": false,
            "type": "text",
            "uuid": "e5d26867-958d-424d-a4bf-a120a41002f5",
            "value": "IOC-description:SHA256 of 99dc0dbaf5bd3918803391ec8d6d802c\r\nType Description: Powershell\nMicrosoft: Trojan:Win32/Alevaul!rfn\nVT Total Detection:25/62\nFirst Submission:2025-12-11T13:52:26.000000+00:00\nLast Submission:2025-12-11T13:52:26.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594172",
        "uuid": "2c8ce085-6311-45c1-9cbb-f1739c6189e7",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of ac60971512c77f845cc4ec47400368a6",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594172",
            "to_ids": true,
            "type": "md5",
            "uuid": "6ac9612c-6650-4e84-b8ea-11ad5e4a4574",
            "value": "ac60971512c77f845cc4ec47400368a6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of ac60971512c77f845cc4ec47400368a6",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593117",
            "to_ids": true,
            "type": "sha1",
            "uuid": "508e7abc-90f2-4e75-bb7f-48867756914d",
            "value": "85d1c4c90242c054b17060885de556dfa5fe4cf9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of ac60971512c77f845cc4ec47400368a6",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593118",
            "to_ids": true,
            "type": "sha256",
            "uuid": "959fc736-c740-41b2-bc1a-70ca923c7f24",
            "value": "8f9029a5d5351078fc2f0b5499557c0f969b337817947314e37b2c7407ae2300",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779590539",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "05f2e47d-c4d1-404e-a3c4-50bf7384c0d6",
            "value": "24:8GkhWfORi/SQAhW3+/CWAmSCy4ejI499+5o27uQzhHvQgUMkWLdHuddqV2dDab/j:8rEfRSn8wy4eTGpv/HBud0wdDabiMH"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779590539",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "bef7a6ef-85ec-4640-91ea-9ee4f7abce61",
            "value": "2463"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779590539",
            "to_ids": true,
            "type": "vhash",
            "uuid": "2b0fe23e-6a41-4748-85ea-34912b3ec317",
            "value": "466a5593db6bbf051754b3be59cc3698"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779590539",
            "to_ids": true,
            "type": "filename",
            "uuid": "f3fb0f2f-4825-4db8-80a9-6a6c7250d7ec",
            "value": "Spisok na peremeshchenie.pdf.lnk"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779590539",
            "to_ids": false,
            "type": "text",
            "uuid": "d604871e-6cdf-4627-b8f0-a03247a84a68",
            "value": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of ac60971512c77f845cc4ec47400368a6\r\nType Description: Windows shortcut\nMicrosoft: Trojan:Win32/WinLNK.HDA!MTB\nVT Total Detection:37/62\nFirst Submission:2025-12-15T23:52:14.000000+00:00\nLast Submission:2025-12-15T23:52:14.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594193",
        "uuid": "e7263e02-e7c9-4bcd-8baf-52a0a54f1f3e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of ab24e08da9e205ee3d3a5a2a05345cb9",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594193",
            "to_ids": true,
            "type": "md5",
            "uuid": "59b1be6e-52c8-4475-a5b0-58f8ec207774",
            "value": "ab24e08da9e205ee3d3a5a2a05345cb9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of ab24e08da9e205ee3d3a5a2a05345cb9",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593119",
            "to_ids": true,
            "type": "sha1",
            "uuid": "082e8d01-77e0-4ca1-9c54-57405550d04d",
            "value": "29de6fff67bdd0d8fb8e68476ff1040fde48420a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of ab24e08da9e205ee3d3a5a2a05345cb9",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593119",
            "to_ids": true,
            "type": "sha256",
            "uuid": "6a6262cc-f74a-45ad-9816-f4386dfa37c4",
            "value": "b4195e7584ac97d9c444ee6292160c80f9c889e6cba27cc656506d3c5fcffd48",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779590560",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "949cb210-c50a-4c65-9adb-ca5dd5e926b2",
            "value": "196608:vzHrez0ULspj/jbbEnAgrbYD7Estcq5RMo4OrskJcRfwQrpXEboCSFbTOm6rhOfi:246spj//LOW7S7a+/1xUrh45ns"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779590560",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "12bdae26-56dd-4fd4-8a46-0893fa2f585b",
            "value": "12415010"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779590560",
            "to_ids": true,
            "type": "vhash",
            "uuid": "4bca9441-dee2-40e1-9eeb-7e4991dbd981",
            "value": "6d6a3b5b67152c82fb9145b10a846c5f"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779590560",
            "to_ids": false,
            "type": "text",
            "uuid": "afcaab2f-5fb3-42bf-8d92-7afcd0ccb3fe",
            "value": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of ab24e08da9e205ee3d3a5a2a05345cb9\r\nType Description: ZIP\nMicrosoft: None\nVT Total Detection:39/67\nFirst Submission:2026-01-02T11:23:52.000000+00:00\nLast Submission:2026-01-02T11:23:52.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594215",
        "uuid": "a6dcf537-162c-4d75-bfdf-08d00ac1816a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of 6a72ad3c06a29e12e668e8701daee00e",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594215",
            "to_ids": true,
            "type": "md5",
            "uuid": "7537d059-1631-4b20-8b4c-8096984ddd73",
            "value": "6a72ad3c06a29e12e668e8701daee00e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of 6a72ad3c06a29e12e668e8701daee00e",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593120",
            "to_ids": true,
            "type": "sha1",
            "uuid": "853d0db6-cd81-4578-8f42-995a5db64675",
            "value": "c2a8dae7ab6ea92dcfecbe2ab6ac7efc289d6a18",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of 6a72ad3c06a29e12e668e8701daee00e",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593120",
            "to_ids": true,
            "type": "sha256",
            "uuid": "0173a8d0-c22a-44fd-a817-446514083d5a",
            "value": "de73c1b5597f091b5e42e5d5b4dc40a46ddee4682308f5bbe010a32ede57b111",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779590583",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "2234ce70-6a66-457c-a416-51454db4f2f5",
            "value": "48:8njffmn8cDU7Mm8saRTDcxhYHId065OSabiMH:8jfflWQMmgpcxhYHDEOSz"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779590583",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "3e186c5c-ed33-43f8-871f-7aa224eec7f2",
            "value": "2505"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779590583",
            "to_ids": true,
            "type": "vhash",
            "uuid": "a03c2678-77b3-440f-a67e-334c24798d5b",
            "value": "a8a65189899e694d0325acbfe2fbfa60"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779590583",
            "to_ids": true,
            "type": "filename",
            "uuid": "ce96167a-d116-41cf-8c07-f6892cbaad7d",
            "value": "Iskh_6626_Predstavlenie_na_naznachenie_na_VD.pdf.lnk"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  22/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779590583",
            "to_ids": false,
            "type": "text",
            "uuid": "08423bdc-c0c4-446d-81a4-e902e33f13f4",
            "value": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of 6a72ad3c06a29e12e668e8701daee00e\r\nType Description: Windows shortcut\nMicrosoft: Trojan:Win32/WinLNK.HDA!MTB\nVT Total Detection:34/62\nFirst Submission:2026-01-02T11:24:30.000000+00:00\nLast Submission:2026-01-15T02:53:58.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594236",
        "uuid": "c9185ecd-ff37-4421-a226-8821961f87c5",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of 57dbf8c275fa56b9a84e9c4b9a35399e",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594236",
            "to_ids": true,
            "type": "md5",
            "uuid": "0767ca56-87c3-4fde-a02f-75589b463c3d",
            "value": "57dbf8c275fa56b9a84e9c4b9a35399e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of 57dbf8c275fa56b9a84e9c4b9a35399e",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593122",
            "to_ids": true,
            "type": "sha1",
            "uuid": "2181b227-8d3e-4256-a534-fe240bc575be",
            "value": "aaa3b6ca2753ae491b639631c236cae350bdb0f7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of 57dbf8c275fa56b9a84e9c4b9a35399e",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593122",
            "to_ids": true,
            "type": "sha256",
            "uuid": "ec0a48fa-d0b2-44db-a207-86e124f8ed31",
            "value": "fc8a6cc400dd822b6f5fc40c85a547cf7f266169edddb84a90f4b3f25956318c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779590604",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "76c17667-89b7-4614-8ef1-bfc9d826eb7a",
            "value": "393216:QcwjwsrbtjPul1gOQaC4CVJs02GyGc/FajXt72:Qcwjw0jHOQzVCSiajXtK"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779590604",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "364ac149-4ba6-463a-bb38-3573537bbd38",
            "value": "12659164"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779590604",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d2a8ab44-26d2-42cb-b151-5720464447d0",
            "value": "4d15898dc88d8d6882a1afe9e5287fc4"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  22/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779590604",
            "to_ids": false,
            "type": "text",
            "uuid": "47591e1f-e514-4783-b910-04d659142656",
            "value": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of 57dbf8c275fa56b9a84e9c4b9a35399e\r\nType Description: ZIP\nMicrosoft: None\nVT Total Detection:37/67\nFirst Submission:2025-12-11T13:45:19.000000+00:00\nLast Submission:2025-12-11T13:45:19.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594257",
        "uuid": "440a6aea-ac7c-4714-b5b3-4fb952611352",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594257",
            "to_ids": true,
            "type": "md5",
            "uuid": "8765ce4d-5cd3-4a9b-8424-2d86609d643d",
            "value": "6616717dfb2a795113b47d862c5412e2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593123",
            "to_ids": true,
            "type": "sha1",
            "uuid": "457a42ff-1d6f-4cce-bdfa-5ee5b217241e",
            "value": "c22150121a13713b395a155af5d55680dde56ac1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593123",
            "to_ids": true,
            "type": "sha256",
            "uuid": "30ec6191-31bb-4a11-8548-06ec35a68795",
            "value": "a79b5162f9a49df3db4f001325938b9dc7bdc471b71108ed178350c89252e3a5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779590626",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "16422f87-4774-4b8d-9a78-de7d7c3625b8",
            "value": "48:8PLDfQFnIXcqBjbbYMD0AsrHnd0IRMPe4:8PLDfQ+XRHkMD0dHCIRse"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779590626",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "144b0ae5-03e8-466c-8275-1bd7c74692a9",
            "value": "2295"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779590626",
            "to_ids": true,
            "type": "vhash",
            "uuid": "33b91e61-1a6c-4d58-9c27-1cae419108eb",
            "value": "a8a65189899e694d0325acbfe2fbfa60"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779590626",
            "to_ids": true,
            "type": "filename",
            "uuid": "b71c6969-f9f9-4f78-a111-0da8ad6964fe",
            "value": "zesijt0hv.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  19/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779590626",
            "to_ids": false,
            "type": "text",
            "uuid": "c3acb0cd-580e-4c31-bdbd-59bb00259b4f",
            "value": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\r\nType Description: Windows shortcut\nMicrosoft: Trojan:Win32/WinLNK.HDA!MTB\nVT Total Detection:36/62\nFirst Submission:2026-01-30T12:13:37.000000+00:00\nLast Submission:2026-01-30T12:13:37.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594278",
        "uuid": "96860ab1-bf5b-43e0-be1c-6fc715ad9ba3",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594278",
            "to_ids": true,
            "type": "md5",
            "uuid": "e3ec9e90-e77b-4621-b232-1f4f0063bba3",
            "value": "99732e49668e56527963742922277459",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593124",
            "to_ids": true,
            "type": "sha1",
            "uuid": "ee2363bb-2b54-413f-8f33-748681af405f",
            "value": "8e49c3ee98fc722c77b3b37e3abafb3581369b6e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593124",
            "to_ids": true,
            "type": "sha256",
            "uuid": "aab30f95-b051-4f97-ba4a-8c91ea285d57",
            "value": "111e42c31f8e4ae3764f339d7ad04b20bb21be5d97ede13aaa7c73e72cb7549d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779590648",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "b5b52212-8953-4040-a5f0-8a86f32df317",
            "value": "393216:f1UZfGlH2Tkx486MPu8DLGR7zQwg7fmrqkY1JtpMrf:WZaHeou2gx/eNtwf"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779590648",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "da8278d4-6d2e-483d-980b-2025a4c2e813",
            "value": "12995440"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779590648",
            "to_ids": true,
            "type": "vhash",
            "uuid": "dd4658a5-271e-4a34-8a0e-345bd8cd08e5",
            "value": "a3715111c7afca06ca3dbbbeff55ed72"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  17/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779590648",
            "to_ids": false,
            "type": "text",
            "uuid": "2a5feb1b-8270-4b15-97f1-03b2d0d4ee33",
            "value": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\r\nType Description: ZIP\nMicrosoft: None\nVT Total Detection:39/67\nFirst Submission:2026-01-30T12:12:07.000000+00:00\nLast Submission:2026-01-30T12:12:07.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594299",
        "uuid": "8da7d7b8-e21b-42d1-9cb9-428de76c65e2",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of 2156c270ffe8e4b23b67efed191b9737",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594299",
            "to_ids": true,
            "type": "md5",
            "uuid": "8fea6639-b063-4ccb-8457-b5a1ecfc5964",
            "value": "2156c270ffe8e4b23b67efed191b9737",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of 2156c270ffe8e4b23b67efed191b9737",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593125",
            "to_ids": true,
            "type": "sha1",
            "uuid": "93ca4f76-aedf-4148-a037-205b3cc3919d",
            "value": "975d8bdfec6b58ae9004d526fa9f852108026a9c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of 2156c270ffe8e4b23b67efed191b9737",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593125",
            "to_ids": true,
            "type": "sha256",
            "uuid": "ff1cdaab-4374-466a-9562-4881740ec807",
            "value": "0a78005858bef767b39cfbbeb543a80dfde46807ee75594de77d3ddfe119e8b5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779590670",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e21482e5-9766-4c91-8377-12ebde09dbf5",
            "value": "196608:BZked/YGndPectif51wK1C809VDAkxILC/hNEHhqisKSW6In9mNkTn6WktcjKCTc:19GBg1XxWC/hNMTnt6BKnJVc"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779590670",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "52ed3464-df98-4284-b993-2c8035db0c2f",
            "value": "12304687"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779590670",
            "to_ids": true,
            "type": "vhash",
            "uuid": "5d4e7e79-2d73-4ced-8d1d-1971f437f9b5",
            "value": "6d6a3b5b67152c82fb9145b10a846c5f"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779590670",
            "to_ids": true,
            "type": "filename",
            "uuid": "c3db94e6-bfca-4db4-8513-09fb2be0a591",
            "value": "Iskhod_7582_Predstavlenie_na_naznachenie.zip"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  19/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779590670",
            "to_ids": false,
            "type": "text",
            "uuid": "74f7ab3b-e6a3-46c9-9612-1fbef6108b18",
            "value": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of 2156c270ffe8e4b23b67efed191b9737\r\nType Description: ZIP\nMicrosoft: None\nVT Total Detection:39/67\nFirst Submission:2026-01-23T05:53:06.000000+00:00\nLast Submission:2026-01-23T05:53:06.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594322",
        "uuid": "ba5136f9-a55f-4c9e-8684-6f3f4f30688f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594322",
            "to_ids": true,
            "type": "md5",
            "uuid": "c248d0b3-e2b7-4b1a-8285-f9ec48b11e3b",
            "value": "a6d095dc0e01f97db7e74cb5bed402dc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593126",
            "to_ids": true,
            "type": "sha1",
            "uuid": "240b9a3d-1921-46f7-8500-7f565b8674d5",
            "value": "940658590d938380b71fd5055635c02564a63ef1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593126",
            "to_ids": true,
            "type": "sha256",
            "uuid": "7b07e90a-7d86-44d0-9744-38aae575ee4c",
            "value": "1fbdb99357ace6d6db830c63850a6e8a4ea3607776c4668feb135f3ff0d95151",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779590692",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "451d2a96-3dd1-4aef-bd63-1395e00ad22a",
            "value": "48:8VKLfVnkDZF3tbzpLzGxSJUWIwB1SHgd0RQ+:8oLfMr3thuxSapCSHbR"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779590692",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a53565c5-f499-4ab8-aceb-cdb5b0df4eb1",
            "value": "2363"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779590692",
            "to_ids": true,
            "type": "vhash",
            "uuid": "6fdf3842-9c66-43ed-9df0-49288ab851ca",
            "value": "a8a65189899e694d0325acbfe2fbfa60"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779590692",
            "to_ids": true,
            "type": "filename",
            "uuid": "97824e37-6e49-4084-b5c9-4ed3dbc21b62",
            "value": "snvgbnl41.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  19/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779590692",
            "to_ids": false,
            "type": "text",
            "uuid": "39c46eba-8222-4b5f-8976-8dfc642fb033",
            "value": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\r\nType Description: Windows shortcut\nMicrosoft: Trojan:Win32/WinLNK.HDA!MTB\nVT Total Detection:36/62\nFirst Submission:2026-01-23T05:53:41.000000+00:00\nLast Submission:2026-02-23T10:29:40.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594343",
        "uuid": "b06f084c-7955-42e9-8ed3-cf13e317ffff",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of 53ac08488544ad1fefd6363db44549cf",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594343",
            "to_ids": true,
            "type": "md5",
            "uuid": "ef50e10f-e1ef-4b5c-be78-7e6df3504eea",
            "value": "53ac08488544ad1fefd6363db44549cf",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of 53ac08488544ad1fefd6363db44549cf",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593127",
            "to_ids": true,
            "type": "sha1",
            "uuid": "5c540084-525b-4d56-8de3-09b294999dda",
            "value": "3dd268fb969eaeb5d9068e185a9e33d5e25073cd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of 53ac08488544ad1fefd6363db44549cf",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593127",
            "to_ids": true,
            "type": "sha256",
            "uuid": "2ee16217-fd3a-49cf-b1dc-63f848ac0446",
            "value": "63297928883b0dc4e0735963dbcb2b2fa0c1e131af6d486f882070a6eb7e339a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779590713",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "3b697eb1-23ce-4b50-9c03-0c4f45e161a2",
            "value": "196608:ub+cPJsN1g+0NFlOvwILGLzEB2oYpN5F0XuGdZFFPXEBdnEojL9yUM5rl0AK4+0E:eJsm0Sv3vF4uUvFPX26+VM5vH3wOt2"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779590713",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "17778570-19b9-48e6-8068-40c436249001",
            "value": "12753369"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779590713",
            "to_ids": true,
            "type": "vhash",
            "uuid": "226be368-89ce-45e3-b343-aecd2a9e4df7",
            "value": "6d6a3b5b67152c82fb9145b10a846c5f"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  17/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779590713",
            "to_ids": false,
            "type": "text",
            "uuid": "ab3f1270-ecee-409b-8551-5b6c8dbc839e",
            "value": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of 53ac08488544ad1fefd6363db44549cf\r\nType Description: ZIP\nMicrosoft: None\nVT Total Detection:38/67\nFirst Submission:2026-01-19T15:16:16.000000+00:00\nLast Submission:2026-01-19T15:16:16.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594365",
        "uuid": "d2a15e68-e390-40b9-a197-a047bc759f26",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of 227b3fa386cad73f0f388d801060e2c8",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594365",
            "to_ids": true,
            "type": "md5",
            "uuid": "cb3c4ebd-ccf1-4819-af45-3dd83b799e49",
            "value": "227b3fa386cad73f0f388d801060e2c8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of 227b3fa386cad73f0f388d801060e2c8",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593129",
            "to_ids": true,
            "type": "sha1",
            "uuid": "2310a1ab-a7b2-4527-a39d-fd152d0dc03b",
            "value": "aaba9f60d81467c27c82f5c6d6cb6accd6890fc4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of 227b3fa386cad73f0f388d801060e2c8",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593129",
            "to_ids": true,
            "type": "sha256",
            "uuid": "fd283696-4df6-4d4a-8a79-d71aa35a803e",
            "value": "bbcdb82918f0decb1d6e20c90e872175cf278006948c5995ffd88033f56a1b71",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779590735",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a1740679-697d-4fe8-8bb7-8299648eb920",
            "value": "48:8vNXDfcJJnP9HOrOeajdCjo6rxI1gtMHxd0GjKlLxM:8lXDfGB9H0ooIWMHwN"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779590735",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "652435f6-b627-4c7b-bcef-ad6464bf44d4",
            "value": "2279"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779590735",
            "to_ids": true,
            "type": "vhash",
            "uuid": "c393cf88-bd7d-46f8-b281-19aae8dc981b",
            "value": "a8a65189899e694d0325acbfe2fbfa60"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779590735",
            "to_ids": true,
            "type": "filename",
            "uuid": "65ecc88b-12d6-4abd-924c-a1f375a4e723",
            "value": "k5bgyw.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  22/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779590735",
            "to_ids": false,
            "type": "text",
            "uuid": "68cf2cdc-dd87-48b2-abfa-6fcfc8bca274",
            "value": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of 227b3fa386cad73f0f388d801060e2c8\r\nType Description: Windows shortcut\nMicrosoft: Trojan:Win32/WinLNK.HDA!MTB\nVT Total Detection:38/62\nFirst Submission:2026-01-19T15:17:20.000000+00:00\nLast Submission:2026-01-19T15:17:20.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594386",
        "uuid": "c6cc28ef-bd91-4639-8bc4-95c9733ee954",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594386",
            "to_ids": true,
            "type": "md5",
            "uuid": "4d88b07a-49c2-4ccf-9c3d-535560b7983b",
            "value": "6f49d5e80acdbef693263ef60399bb8b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593130",
            "to_ids": true,
            "type": "sha1",
            "uuid": "56563040-dc79-41f9-a439-78b89e463be8",
            "value": "9001e990f70fcb3cb7432ab3729bc9262395a371",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593130",
            "to_ids": true,
            "type": "sha256",
            "uuid": "9f1359f7-dd4c-465d-9daa-c4d4b74c3b1c",
            "value": "a43e2231b200b294b35dfb50fad446a0a7e42783c4f541981bc85a8930fb670a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779590757",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "cb1739f7-f293-4ea4-bbb2-c8ca4e23de94",
            "value": "48:8qJEfCinLvf1ltVlMnUlT+FxHHn9W/d0Tinf8c:8qJEfCWtnVlM9Hsak"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779590757",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "96c8898f-bcb6-4585-b5dc-b1ee39a9dad7",
            "value": "2335"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779590757",
            "to_ids": true,
            "type": "vhash",
            "uuid": "bd3a14be-4760-4bcc-9795-f7562b6308fd",
            "value": "a8a65189899e694d0325acbfe2fbfa60"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779590757",
            "to_ids": true,
            "type": "filename",
            "uuid": "257d43dd-9492-4f18-91bc-4484eda8b354",
            "value": "Proekt_prikaza_681_o_pooshrenii.\u200c\u200c\u200c\u200c\u200cpdf\u200c.lnk"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  19/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779590757",
            "to_ids": false,
            "type": "text",
            "uuid": "3390cadf-1f47-4110-a483-84874e6cb032",
            "value": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\r\nType Description: Windows shortcut\nMicrosoft: Trojan:Win32/WinLNK.HEN!MTB\nVT Total Detection:34/62\nFirst Submission:2026-02-16T11:56:47.000000+00:00\nLast Submission:2026-02-16T11:56:47.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594407",
        "uuid": "9008caa3-9d4f-4bfa-a437-cfa2d691b6d3",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594407",
            "to_ids": true,
            "type": "md5",
            "uuid": "4abb1415-65d7-4917-acee-ef46d1cc2607",
            "value": "4b94efa49fb59a43ac4a9fdf04c87ef6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593131",
            "to_ids": true,
            "type": "sha1",
            "uuid": "ab6749a6-0d72-4cc9-b781-3befcb898a40",
            "value": "3d27e65ae5cb7aba8c529c8010b2414f24e4122b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593132",
            "to_ids": true,
            "type": "sha256",
            "uuid": "22f140f9-e98b-4165-803e-f4ac490c86e7",
            "value": "fe0d64d07ef03b2db6a7fa1ccbcc62c3f24f003d5f5726129ff22341321575b4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779590779",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a46b5361-d457-413c-b511-60cd66b81c4f",
            "value": "393216:7xEj7DApaIMrPv0XmGWK4bEv7o7EPQGgdl:VE7G2GIg79Hkl"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779590779",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f8f4b30b-e2d9-4169-b2b7-adade4b95b30",
            "value": "12845179"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779590779",
            "to_ids": true,
            "type": "vhash",
            "uuid": "88607a13-6c16-4383-9f98-a5a053aa9397",
            "value": "a3715111c7afca06ca3dbbbeff55ed72"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779590779",
            "to_ids": true,
            "type": "filename",
            "uuid": "c51114c2-e3e3-47e2-98cd-2bd58d66481c",
            "value": "_fe0d64d07ef03b2db6a7fa1ccbcc62c3f24f003d5f5726129ff22341321575b4.zip"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  19/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779590779",
            "to_ids": false,
            "type": "text",
            "uuid": "7324f76c-8a9a-4857-8adf-150bf92bcaf1",
            "value": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\r\nType Description: ZIP\nMicrosoft: None\nVT Total Detection:35/67\nFirst Submission:2026-02-16T11:55:39.000000+00:00\nLast Submission:2026-02-17T21:41:08.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594428",
        "uuid": "798d075c-9a1b-43ec-a3c8-c4e5c7e4eb16",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-description:SHA256 of 63426f624c930a756faf7ce3e7b4789f",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594428",
            "to_ids": true,
            "type": "md5",
            "uuid": "041ea307-0421-49ee-8124-3c7c2e60167b",
            "value": "63426f624c930a756faf7ce3e7b4789f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-description:SHA256 of 63426f624c930a756faf7ce3e7b4789f",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593132",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7c940e0e-258f-4146-a880-267080213e69",
            "value": "a609cf9a7250e6fbfc4cd3fdf04ea64b5a535617",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-description:SHA256 of 63426f624c930a756faf7ce3e7b4789f",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593132",
            "to_ids": true,
            "type": "sha256",
            "uuid": "cad8cddb-cb7d-4c6c-8201-e2e6abab4c1b",
            "value": "d38de5d71d04dcd70039b897c2edbc0981ba8940c249872f7c3a77b60abb3955",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779590801",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a7b14d56-fe49-44a8-b536-39b217b33abb",
            "value": "196608:wBCqhCg/qJmTFDrfroPZ+8gI7yGR5tyoyHSd0kE20+7ya74ka+D1uY+otXjiCKYG:NcqJWVrfrU7/+c5tyowpDQ8Il93Dvsh"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779590801",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "36ea022f-c8dc-43b1-852b-28e660c13ab5",
            "value": "12430156"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779590801",
            "to_ids": true,
            "type": "vhash",
            "uuid": "5e15e2a6-deeb-4fc7-8e33-7aafa3c306b1",
            "value": "a3715111c7afca06ca3dbbbeff55ed72"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779590801",
            "to_ids": true,
            "type": "filename",
            "uuid": "5925195b-8323-4102-bf06-ad36ee019a42",
            "value": "spisok_ip_adresov_narusheniya.zip"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  17/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779590801",
            "to_ids": false,
            "type": "text",
            "uuid": "fc9950fe-a535-404b-8092-b3ada9f7f112",
            "value": "IOC-description:SHA256 of 63426f624c930a756faf7ce3e7b4789f\r\nType Description: ZIP\nMicrosoft: None\nVT Total Detection:36/67\nFirst Submission:2026-02-17T13:58:04.000000+00:00\nLast Submission:2026-02-17T14:02:01.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594449",
        "uuid": "3869117a-ae45-492b-8497-a4c3740420aa",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of dea287ef5916eced7808ca3704ae67a6",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594449",
            "to_ids": true,
            "type": "md5",
            "uuid": "37e9e99b-9c23-4fa9-b00e-7055e476e0f2",
            "value": "dea287ef5916eced7808ca3704ae67a6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of dea287ef5916eced7808ca3704ae67a6",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593134",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e0120485-b63d-4f62-b568-37c18b9b0e79",
            "value": "055e0229236497b91216b89395351ae8c9eed8f0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of dea287ef5916eced7808ca3704ae67a6",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593134",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f5e47efc-c374-4934-94b4-45068b654199",
            "value": "d0b18d94c4abd7f0f3a3d07fd2172956f6ec9654b8cbf087954017dd92bd9e4f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779590823",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "bb2a50c7-7f58-478f-b3b5-5ed353c3540a",
            "value": "393216:pEx9SPTatbIaGXKI3AD0VGdGlHtrpNqK9:Y9wkInwbOHZ9"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779590823",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "594e6fea-ce39-409b-be30-1414fd213bb3",
            "value": "12861229"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779590823",
            "to_ids": true,
            "type": "vhash",
            "uuid": "39a0840a-f5da-4990-a3ac-ab236b8eb951",
            "value": "a3715111c7afca06ca3dbbbeff55ed72"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779590823",
            "to_ids": true,
            "type": "filename",
            "uuid": "28260c6e-71b5-41f8-aee6-e24699208e84",
            "value": "eaq8gcdk.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  19/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779590823",
            "to_ids": false,
            "type": "text",
            "uuid": "39d97881-681b-43a1-8cb9-f456d558ddcc",
            "value": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\nIOC-description:SHA256 of dea287ef5916eced7808ca3704ae67a6\r\nType Description: ZIP\nMicrosoft: None\nVT Total Detection:37/67\nFirst Submission:2026-03-02T16:14:40.000000+00:00\nLast Submission:2026-03-02T16:14:40.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594470",
        "uuid": "04c72d19-d901-459a-8f86-7694e5b69fd8",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594470",
            "to_ids": true,
            "type": "md5",
            "uuid": "7fda2e42-90ac-43d6-9050-86acde05834c",
            "value": "1ec5607bd9c37d6aabc43066fcb87ca6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593135",
            "to_ids": true,
            "type": "sha1",
            "uuid": "c9f372f4-36db-498e-adbb-ddd79e0320d5",
            "value": "694feb5c1f2b605eb58b4218fdc3d056f5d19aad",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593135",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1cbdd7a2-0e2b-44f3-a418-7076a897b015",
            "value": "a2306445f6a9a9313ec3709c84bc3e932f75240fcaf2543bb1cdc3c362b64552",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779590844",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "ca8d05ae-06a4-4247-86b5-bc85b01daa10",
            "value": "196608:M7uilBxtlDlt3WyUQAYnkhi6njHS5XjvOUb1q32Xonn2rE1GFQKKJ53GJmLIXeFd:guCBxtlRImEi6oXWybrYL8uC8Ak8Y"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779590844",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "9b055820-ba73-4ae9-a79b-cf6e89590de9",
            "value": "12588972"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779590844",
            "to_ids": true,
            "type": "vhash",
            "uuid": "0afd7093-8d49-4b01-8692-676f6ef39a01",
            "value": "a3715111c7afca06ca3dbbbeff55ed72"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779590844",
            "to_ids": true,
            "type": "filename",
            "uuid": "1c2c6f6a-9dff-4272-93be-5d9262e06827",
            "value": "Spisok_na_perepodgotovky_mart.zip"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  19/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779590844",
            "to_ids": false,
            "type": "text",
            "uuid": "c92be499-47e2-480b-af5b-012505ee8a35",
            "value": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\r\nType Description: ZIP\nMicrosoft: None\nVT Total Detection:34/67\nFirst Submission:2026-03-20T15:13:16.000000+00:00\nLast Submission:2026-03-20T15:13:16.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594491",
        "uuid": "ffa1f9fe-c943-4fcd-9d4f-9c9b1ded061c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594491",
            "to_ids": true,
            "type": "md5",
            "uuid": "f55a01d1-535d-4b11-a795-9d2467967984",
            "value": "14167b8732f917d9b15df47de9a94125",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593136",
            "to_ids": true,
            "type": "sha1",
            "uuid": "d553ff0f-5b79-4948-b74e-f28b738e8dd0",
            "value": "d9579115f6883bac707b8d6b61e17080b21bb283",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593137",
            "to_ids": true,
            "type": "sha256",
            "uuid": "9c8f62f5-dad6-44be-a299-a67772eacda3",
            "value": "04ecdd725f741919deaed0aebf71113760126b4ea313b24ec7a2db21e4aeb42c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779590887",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "79fea5a4-3413-4d86-a510-893a8540bbe0",
            "value": "24:8iJHcfmhyiwQAiWD+/CWRRmyrCDFDUYXj7sWlMfP4WlM/XQa6MprsPDUYX1cCUM1:8iJ8feAnnDPlMJlMIa62iHx7jd0WeAX"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779590887",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "8acbe4e4-6e13-4601-857f-648cf1748414",
            "value": "2315"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779590887",
            "to_ids": true,
            "type": "vhash",
            "uuid": "c6169ff5-0b66-400a-9c90-28898d3ca436",
            "value": "a8a65189899e694d0325acbfe2fbfa60"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779590887",
            "to_ids": true,
            "type": "filename",
            "uuid": "6bfb1c09-d006-42e7-ab9f-a2daa6560af2",
            "value": "6422_Predstavlenie_na_naznachenie.\u200b\u200b\u200c\u200c\u200dpdf\u200d\u200c\u200c\u200c.lnk"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  19/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779590887",
            "to_ids": false,
            "type": "text",
            "uuid": "5ad50666-e990-4373-b1fd-502df74d289c",
            "value": "Type Description: Windows shortcut\nMicrosoft: Trojan:Win32/WinLNK.HEN!MTB\nVT Total Detection:33/62\nFirst Submission:2026-03-11T06:34:32.000000+00:00\nLast Submission:2026-03-11T06:34:32.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594512",
        "uuid": "17af02d5-7e59-4314-ba5e-6d66e1179a49",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594512",
            "to_ids": true,
            "type": "md5",
            "uuid": "fa7b01a3-4c94-4074-93d4-9d79209bc02f",
            "value": "1a66a083fe2ac0adae45475825f3bb26",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593137",
            "to_ids": true,
            "type": "sha1",
            "uuid": "d938e34d-c093-4d32-b0a6-c527e8ebe72e",
            "value": "fe502ce3ebef49a9b3abe00578c4f4f7f652f976",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593138",
            "to_ids": true,
            "type": "sha256",
            "uuid": "9e2d2f83-1718-452c-83eb-9177d598f7b8",
            "value": "d999b540bcfb7b09f8fc42497f509cfcd26ac2d168a5dedfec0557a77af696c5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779590909",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "28257d72-029c-4b3d-b5b7-49a02686143c",
            "value": "24:8s3YvHM9qfCdikQAWEHuWC+/CWtmyrgr7Xw7Fv00yV+HmVFHWiw7Fv0ST/UAUMka:8Vv3f2nxHh6WGWppHCf08d0i8ONTG"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779590909",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b5661f14-e985-4804-89a3-1be5d18cc7a3",
            "value": "2377"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779590909",
            "to_ids": true,
            "type": "vhash",
            "uuid": "1b40c18c-7c61-4668-81d9-492c5efe177d",
            "value": "a8a65189899e694d0325acbfe2fbfa60"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779590909",
            "to_ids": true,
            "type": "filename",
            "uuid": "3b40770a-79cb-49dd-b169-7f1091ecb4c6",
            "value": "Proekt_prikaza_568_o_pooshchrenii.\u200cpdf\u200d\u200d\u200c\u200b.lnk"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  19/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779590909",
            "to_ids": false,
            "type": "text",
            "uuid": "56420413-7598-430f-89d5-4747d7f93acd",
            "value": "Type Description: Windows shortcut\nMicrosoft: Trojan:Win32/WinLNK.HEN!MTB\nVT Total Detection:34/62\nFirst Submission:2026-03-21T15:25:05.000000+00:00\nLast Submission:2026-03-25T05:06:30.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594533",
        "uuid": "299c3aac-77b5-4f36-92ed-01de1afa8d4a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594533",
            "to_ids": true,
            "type": "md5",
            "uuid": "7c968df6-a49a-418c-8e11-75412370fc42",
            "value": "220ad634230523a239ab67253af00366",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593139",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7ff4239a-93a9-4efe-8e9e-7f64113c5a4a",
            "value": "ab211e283d685bdb369fad41eedd30e6c48308a7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593139",
            "to_ids": true,
            "type": "sha256",
            "uuid": "19aaced3-0f9b-4a9b-a7fb-9eaa240878b9",
            "value": "e297a21a91a34c389918900db40358212358273bcd42efc638ab02be00103ed6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779590931",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "21eef962-8a4c-4083-bcf3-ef5ded497d8b",
            "value": "24:8YN3n/wfzki82QAVWC+/CWLmCmyrgc7Xwt2vGHacK+tage+S+IeY7CsIvaJeY7DK:8Q4f+2nDCJpLRbtVCsIib+AH4d0PU"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779590931",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "623f300e-a14b-405a-bc76-66bda6710bc8",
            "value": "2371"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779590931",
            "to_ids": true,
            "type": "vhash",
            "uuid": "bc5600b9-0905-4b0e-b426-e0dff355d5e9",
            "value": "a8a65189899e694d0325acbfe2fbfa60"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779590931",
            "to_ids": true,
            "type": "filename",
            "uuid": "077f1fd3-5529-4d6f-8f17-8e3ea025a448",
            "value": "Proekt_prikaza_611_o_pooshchrenii.\u200d\u200bpdf\u200d\u200d\u200d\u200d.lnk"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  19/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779590931",
            "to_ids": false,
            "type": "text",
            "uuid": "0160b3cc-e826-473f-9fa3-f87e1d6512c1",
            "value": "Type Description: Windows shortcut\nMicrosoft: Trojan:Win32/WinLNK.HEN!MTB\nVT Total Detection:33/62\nFirst Submission:2026-03-14T23:31:09.000000+00:00\nLast Submission:2026-03-14T23:31:09.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594555",
        "uuid": "c65e4a35-f895-4a7c-9193-610ea3c0f3cf",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594555",
            "to_ids": true,
            "type": "md5",
            "uuid": "a97801a0-2a00-4e49-bb32-f1cad7ef2df3",
            "value": "2a290051c0e6fc27dab6d4212ed37641",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593140",
            "to_ids": true,
            "type": "sha1",
            "uuid": "d857383a-6e2a-4b46-9702-38d45d8b942b",
            "value": "54cfebac288122d531120ad8df5b02422ec29106",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593140",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1e17bd12-1883-49b0-8f78-f7976ab687f8",
            "value": "d0fb64fe998c332a1f99cadbe41d3ade4759301a0d891bc472023054973c1a8c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779590995",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "2ac32f87-5835-4fca-8d38-5f0af123bde9",
            "value": "96:r06OD0QrUKjxvXCVVTKpTYTxJTO9ZfyOEyBs2BWm9OIXf:r06c009tyPTUZfW8TjP"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779590995",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "8a5ae673-933e-4fd3-918a-531d8ae177cf",
            "value": "4264"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779590995",
            "to_ids": true,
            "type": "vhash",
            "uuid": "53484855-7cc2-45d4-a668-defc135d2ec8",
            "value": "4a8bf03e84e7d0f8b15c5c2165f8573b"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779590995",
            "to_ids": true,
            "type": "filename",
            "uuid": "1aa3ed63-0a55-462f-bada-047784fcf701",
            "value": "action"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  20/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779590995",
            "to_ids": false,
            "type": "text",
            "uuid": "8c2a7c41-69bb-497a-ac0e-69294003f736",
            "value": "Type Description: Powershell\nMicrosoft: None\nVT Total Detection:23/61\nFirst Submission:2026-03-20T17:36:06.000000+00:00\nLast Submission:2026-03-20T17:36:06.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594576",
        "uuid": "e0ca75cf-5a0b-4b4b-8d32-e960b77a9053",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594576",
            "to_ids": true,
            "type": "md5",
            "uuid": "b9116314-9ddc-4264-af72-0f1bbfb243cb",
            "value": "3e610b98255e35f492835b8c81d829a9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593142",
            "to_ids": true,
            "type": "sha1",
            "uuid": "f4820f93-14a7-40bd-a926-141d2b845a54",
            "value": "e66b2bf09de1b0274f0b90ceb03929c90ce32d40",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593142",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4bca0824-b0d4-4b62-a844-01255836cf18",
            "value": "fac9a4f5c951b02daebcc3a89d687a6cad1c848fb178c01eb89bcebf498c6da3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779591016",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "56f0341c-8d60-4949-a46b-db1f0a4e57e5",
            "value": "24:81jwBJn8mfaZB+i5QQAGWC+/CW3kmy+CDFDY1AJMEq5B/mDY1mlYUMkWLhxlTGVT:81j0JXfaTSnF4DOOYHJqVd0PXd"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779591016",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "c70486fa-74e2-4f5f-b053-5e83a73b3135",
            "value": "2325"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779591016",
            "to_ids": true,
            "type": "vhash",
            "uuid": "ac09161f-89a4-4413-8bb0-184d59446a11",
            "value": "a8a65189899e694d0325acbfe2fbfa60"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779591016",
            "to_ids": true,
            "type": "filename",
            "uuid": "a3409361-d80d-4e96-a3dc-b1a7d651fb78",
            "value": "6526_Predstavlenie_na_naznachenie.\u200b\u200cpdf\u200c\u200c\u200b\u200b\u200d.lnk"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  19/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779591016",
            "to_ids": false,
            "type": "text",
            "uuid": "ca640495-8a7b-423e-ace6-112b3c7b306c",
            "value": "Type Description: Windows shortcut\nMicrosoft: Trojan:Win32/WinLNK.HEN!MTB\nVT Total Detection:34/62\nFirst Submission:2026-03-03T15:16:12.000000+00:00\nLast Submission:2026-03-03T15:16:12.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594598",
        "uuid": "0383f956-4061-4a06-b3c7-0cfbaf7740c5",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594598",
            "to_ids": true,
            "type": "md5",
            "uuid": "7e36de22-9311-4d52-8d66-9da9a85b89e1",
            "value": "5d72a10241aa04f7d19da448cba2cab9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593143",
            "to_ids": true,
            "type": "sha1",
            "uuid": "8150bdd8-c76d-4d0b-8b77-9c9f48b09078",
            "value": "95ac592113aff52cce12510683ce9fa950849bde",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593143",
            "to_ids": true,
            "type": "sha256",
            "uuid": "9d4f6308-a85c-4a07-b54a-cab8eff023ca",
            "value": "e70a5b0b22ce5fe10705e67ab9008ec52b2870c2a18d69d957ddd4e0d861274f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779591059",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a1925195-be97-44a9-bff3-f3f3a6a73946",
            "value": "96:eU42VOD0QYGjZ7X8+Ue/Jx9Pc9BA+9JAG19BAbGfKDaUSNQsBZhgyOIDaX:Bvc0OhrUeNqpNvRfeacGZNjDA"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779591059",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "ec3b224b-5f3c-4975-b044-6f0b256e8434",
            "value": "4672"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779591059",
            "to_ids": true,
            "type": "vhash",
            "uuid": "2c240a77-71e9-4016-bda2-3388c533262d",
            "value": "4a8bf03e84e7d0f8b15c5c2165f8573b"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779591059",
            "to_ids": true,
            "type": "filename",
            "uuid": "b6183dc1-0f93-49ac-87d5-8e6f87bde570",
            "value": "avgOptionRatio"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  22/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779591059",
            "to_ids": false,
            "type": "text",
            "uuid": "79ff6de8-0135-4add-8df4-7fbfffc66e83",
            "value": "Type Description: Powershell\nMicrosoft: None\nVT Total Detection:23/61\nFirst Submission:2026-03-15T01:58:10.000000+00:00\nLast Submission:2026-03-15T01:58:10.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594619",
        "uuid": "ce22bc29-1863-4a2d-8578-87871e5c3257",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594619",
            "to_ids": true,
            "type": "md5",
            "uuid": "5d90bb05-0b45-4147-a7ea-5df22e07cf05",
            "value": "7578d6578f17f3d2f532414cd7808396",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593145",
            "to_ids": true,
            "type": "sha1",
            "uuid": "ce33de8e-6ae5-4539-839e-ab8c4acd1007",
            "value": "622c5d0211160259091a302fb0a5a89392717f3f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593145",
            "to_ids": true,
            "type": "sha256",
            "uuid": "2fa582bb-eee6-4ff2-a03e-c6e3d06b0ccd",
            "value": "8ff9f6e3aaefcbf16d6bae2b042376baff2e451dfa5bc21c71b56b6121ef4ff0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779591081",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "26fa6c65-d63b-45d6-933f-316d7c1d00fb",
            "value": "393216:cHIdxmlHy3kY4XR0GLynPf8ixUgBy8Sbhg/vaUtohZJ4:cCxaF5XR0GWnPe6S+vM4"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779591081",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "64e10a97-1893-4da8-adb0-f6bdb99484ba",
            "value": "12725229"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779591081",
            "to_ids": true,
            "type": "vhash",
            "uuid": "14f57c72-1b3b-4312-a77f-09fc44439bac",
            "value": "a3715111c7afca06ca3dbbbeff55ed72"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779591081",
            "to_ids": true,
            "type": "filename",
            "uuid": "35255003-230c-4cc2-90eb-59717d7fceaa",
            "value": "8ff9f6e3aaefcbf16d6bae2b042376baff2e451dfa5bc21c71b56b6121ef4ff0.zip"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  19/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779591081",
            "to_ids": false,
            "type": "text",
            "uuid": "c1cbb02e-861f-4f7b-a9ae-5bf5a283b1ac",
            "value": "Type Description: ZIP\nMicrosoft: None\nVT Total Detection:36/67\nFirst Submission:2026-03-11T06:33:25.000000+00:00\nLast Submission:2026-05-13T10:28:00.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594640",
        "uuid": "5dfe8528-1be5-406b-b4c7-f6fc96e7a329",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-title:case_4485_ekix4",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594640",
            "to_ids": true,
            "type": "md5",
            "uuid": "a7ebaecd-8cca-45a8-bece-1aa7cb84c779",
            "value": "82710b81e610f074fe97a4f76e7f0843",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:case_4485_ekix4",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593146",
            "to_ids": true,
            "type": "sha1",
            "uuid": "2b48a5b0-7e85-4d14-be62-c2256e6cb767",
            "value": "eb73acce3e09b649b6d736e5bbcfeeb0a00a7490",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:case_4485_ekix4",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593147",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1c476038-ead8-4798-a12f-498f081a3965",
            "value": "f78d87ff967bbdebbc43c58c2b5376522d2bbc975c98727c75bf28e2eb23ffd0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779591103",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "5a0b479d-e6d7-4abc-bf27-3807ddefc989",
            "value": "98304:WPhtxJn19KyRClWkOj8be1aEZvpc5Z/1ZyRuw7wldcJKBX6Nh+f:2TnR771a+G5p1ZyrO6X"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779591103",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "0883386b-a523-4fe9-872b-cdd0368dd425",
            "value": "10385920"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779591103",
            "to_ids": true,
            "type": "vhash",
            "uuid": "fa329549-84cf-44ff-8611-c9e254598088",
            "value": "01708665551d556d7d0550a3z42z69hz4011z34z257z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779591103",
            "to_ids": true,
            "type": "filename",
            "uuid": "7a620c8e-5c6e-49dd-8d4f-2d130fbdb957",
            "value": "tor.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  19/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779591103",
            "to_ids": false,
            "type": "text",
            "uuid": "30dd7748-62e7-4ac2-8d08-32c2659f3ef3",
            "value": "IOC-title:case_4485_ekix4\r\nType Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:0/71\nFirst Submission:2025-10-28T21:10:51.000000+00:00\nLast Submission:2026-05-23T10:34:06.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594661",
        "uuid": "a9d02f7b-45a5-4799-8b3e-3e0d5b067623",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594661",
            "to_ids": true,
            "type": "md5",
            "uuid": "0d12d15b-086a-4a6c-a5fb-340f19610cf3",
            "value": "8c0434571198367df2cd1344f2bdc0cb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593147",
            "to_ids": true,
            "type": "sha1",
            "uuid": "0b4e9a0e-e716-4516-89c6-ed050a46ebcb",
            "value": "76b45853917fe87b3dc82331d542d1a6ddde806c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593147",
            "to_ids": true,
            "type": "sha256",
            "uuid": "8b027cdd-c05d-468c-896b-65f520cb29c1",
            "value": "06845a04d2329ca39c8378cb83118f6ffd278805f5b229cb65c21c4ca989fd56",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779591146",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "acfa1bb7-4ce4-44b6-99bd-a9cc3dffb7e2",
            "value": "98304:YQdDmaIjFodwAtZLAcwIdoO5V92XDzGKNk/11VhFovYES:YQ1tIZod97Roq2eKNkqvRS"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779591146",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "99d26c66-67cf-44c5-b72b-4bd539591d12",
            "value": "17705984"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779591146",
            "to_ids": true,
            "type": "vhash",
            "uuid": "3035c4e0-896c-4289-b0d1-95a69efbb448",
            "value": "017086655d65551d15541az2e!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779591146",
            "to_ids": true,
            "type": "filename",
            "uuid": "6f938e7a-140b-4a64-8e60-30358bd973f6",
            "value": "unrealengine.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  19/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779591146",
            "to_ids": false,
            "type": "text",
            "uuid": "a722e0a3-b0a7-4cce-acae-b8aa036eb29b",
            "value": "Type Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:0/71\nFirst Submission:2025-10-28T21:10:51.000000+00:00\nLast Submission:2026-05-19T16:32:17.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594683",
        "uuid": "0e206bcf-52db-44db-8f75-a57c74db699c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594683",
            "to_ids": true,
            "type": "md5",
            "uuid": "e2f1e545-fdd6-4ffe-9ee4-6349b6ee0c46",
            "value": "a9cfe3f8ad5def658e774eb2f6f0792c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593149",
            "to_ids": true,
            "type": "sha1",
            "uuid": "bec0e897-95f6-4cb6-8c4d-25a20eedd75c",
            "value": "a75a744a8106626c39f5682556a0e58c40ce7315",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593149",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1d81758e-ba8d-47bf-8a68-021c56058c71",
            "value": "ddaef2e9377ce89222c3eadfb5b3c90e9a99f3d2d0635bbf5e7d8681eae051c7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779591168",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f8f1abd9-2f01-427c-a687-bab9935bb5c5",
            "value": "24:8mLPjgfF05yiJQAkyWD+/CWLlS+CDFwnWtrj5Lf5/cJNB25wnWtFBezUMkWLhxeL:8MkfaZn2DbdkJb2DKH0d0Z5"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779591168",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "936baee7-5626-4e2c-91f5-200c5976e3c2",
            "value": "2249"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779591168",
            "to_ids": true,
            "type": "vhash",
            "uuid": "f96bd375-cedb-40f7-acc8-dc1d065b7b1d",
            "value": "a8a65189899e694d0325acbfe2fbfa60"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779591168",
            "to_ids": true,
            "type": "filename",
            "uuid": "2f7c9977-2145-487a-83b1-2a36d33e24c4",
            "value": "6526_Predstavlenie_na_naznachenie.\u200c\u200d\u200bpdf\u200c\u200d.lnk"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  19/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779591168",
            "to_ids": false,
            "type": "text",
            "uuid": "9c219b8d-cc11-4169-be36-25db79014353",
            "value": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\r\nType Description: Windows shortcut\nMicrosoft: Trojan:Win32/WinLNK!AMTB\nVT Total Detection:31/62\nFirst Submission:2026-03-02T16:15:44.000000+00:00\nLast Submission:2026-03-02T16:15:44.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594705",
        "uuid": "9c866843-3406-446b-9e10-d185194c9091",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594705",
            "to_ids": true,
            "type": "md5",
            "uuid": "f6dd602a-21a9-4ea6-98b9-bb990569a335",
            "value": "ad14a515332eb058436a7bba84b6affc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593151",
            "to_ids": true,
            "type": "sha1",
            "uuid": "ed4a8def-ed79-4653-a92e-6b8368645a97",
            "value": "6a31b2075ca3ec04011a2b040df0ed6c33e99498",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593151",
            "to_ids": true,
            "type": "sha256",
            "uuid": "5c379ebd-d955-45ba-b372-75f1f0db05b2",
            "value": "599b21b953c4091710062e753b50b419a182690cae376a5d6c3fbe60cd8e250e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779591190",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "3d37bcd7-7869-4ed9-a012-6b4afa174ac6",
            "value": "24:2d94+SKHmSYeGKMhEMOF5pwO0gU3ODOiIQRvh7hwrF915E18LYuNArb/xvn:c5luFdOFQO033ODOiDdKrlsTuyZv"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779591190",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "ef652c41-768c-440e-b12d-30a2c6ea8e40",
            "value": "1404"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779591190",
            "to_ids": true,
            "type": "filename",
            "uuid": "62b34a80-a368-4f06-aee5-47e9d4d69f0a",
            "value": "noteRef.xml"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  19/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779591190",
            "to_ids": false,
            "type": "text",
            "uuid": "d1773e33-9330-4c1d-a464-b7313fa7a482",
            "value": "Type Description: XML\nMicrosoft: None\nVT Total Detection:0/61\nFirst Submission:2026-03-20T15:16:53.000000+00:00\nLast Submission:2026-03-20T15:16:53.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594726",
        "uuid": "d50422f7-cf62-4478-95d4-406dad21d1c2",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594726",
            "to_ids": true,
            "type": "md5",
            "uuid": "065bcb26-639c-4a9e-8c0a-1596877909f1",
            "value": "b1549dc141bad1ef7419b819f2419514",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593152",
            "to_ids": true,
            "type": "sha1",
            "uuid": "b2f21d55-0592-4255-8de0-e969a58bdf41",
            "value": "02801b28d657bd3eab74538877b75b6f960c5663",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593152",
            "to_ids": true,
            "type": "sha256",
            "uuid": "d48b04f8-b9bc-4a60-a1b2-cf80f4b827ac",
            "value": "d9f900fd7b7b2d81d396a23fa9ce65b78856e4be7c254bdcafd03c1f1a382187",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779591212",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f77a9d3e-0d29-415b-aa08-3b2478889ed7",
            "value": "196608:T/N5JiLcabtbzRXqyg4EqSvKcagek2ss4KrKayHSegauoO+2ysrwkbwYmNnloMTI:DJ8cabtb9TxTSpewZuvegj+2jmlzh9eT"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779591212",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "69031753-75e7-4b02-80cd-c6005a1a88b7",
            "value": "12325220"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779591212",
            "to_ids": true,
            "type": "vhash",
            "uuid": "a3aed456-fd55-40f5-a723-101cd65e51f5",
            "value": "a3715111c7afca06ca3dbbbeff55ed72"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779591212",
            "to_ids": true,
            "type": "filename",
            "uuid": "e9e2cc69-d24c-4fcf-a512-a6b369d48ac3",
            "value": "r4hd3e71v.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  19/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779591212",
            "to_ids": false,
            "type": "text",
            "uuid": "827a95cb-747d-4fd0-aba4-6bb6c1021619",
            "value": "Type Description: ZIP\nMicrosoft: None\nVT Total Detection:37/67\nFirst Submission:2026-03-03T15:14:34.000000+00:00\nLast Submission:2026-03-03T15:14:34.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594747",
        "uuid": "70e6f17f-1e86-4f10-9bec-2eb330ac6c16",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594747",
            "to_ids": true,
            "type": "md5",
            "uuid": "e8e1f8ba-1c89-4c26-a0a8-fcd2f8744225",
            "value": "b95b03094ac3b361585ecfa88e0c78ca",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593153",
            "to_ids": true,
            "type": "sha1",
            "uuid": "9f0a4f86-99ef-4542-9a7c-0535446a33fa",
            "value": "ae5f7d3e621a862bc156483ec8894d5d56b23d8f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593153",
            "to_ids": true,
            "type": "sha256",
            "uuid": "5ec45ca5-c856-4597-bedf-cb667aa11389",
            "value": "0c6c020a92517dcd757939c4f907550dbff08f133311d74928f27cf4133db7e9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779591254",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "6e72d444-6f60-4dc0-961a-634e5b2f399f",
            "value": "24:8xvHM9qfCdikQA/WC+/CW1myLafAwnWyScIlCF06kCJ0R+1n7MOgcIlo+wnWybCv:8xv3f2nmYYU1DmYz7YJHCffd0Usib"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779591254",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "8c11a8ef-780a-4cea-b050-3be61dc71d65",
            "value": "2295"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779591254",
            "to_ids": true,
            "type": "vhash",
            "uuid": "ecec70b6-1150-4d51-9fb4-e8df1be2d6a4",
            "value": "a8a65189899e694d0325acbfe2fbfa60"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779591254",
            "to_ids": true,
            "type": "filename",
            "uuid": "7022775d-9505-4704-afc9-b381e17d7873",
            "value": "Spisok_na_perepodgotovky_mart.\u200c\u200b\u200d\u200d\u200cpdf\u200d\u200d\u200c\u200c.lnk"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  19/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779591254",
            "to_ids": false,
            "type": "text",
            "uuid": "23372d92-1e02-45fa-8b63-9edb05902ae9",
            "value": "IOC-title:ALF:TrojanDownloader:PowerShell/Ploprolo.DB\r\nType Description: Windows shortcut\nMicrosoft: Trojan:Win32/WinLNK.HEN!MTB\nVT Total Detection:32/62\nFirst Submission:2026-03-20T15:14:09.000000+00:00\nLast Submission:2026-03-20T21:54:13.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594768",
        "uuid": "663b761b-9958-4082-9dea-8409823101ee",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-title:invalid_trailer_structure",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594768",
            "to_ids": true,
            "type": "md5",
            "uuid": "d68f1517-6e91-477b-bd03-8b591de504e9",
            "value": "cbbd3923adb5705a1ce61cdebb6a93b6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:invalid_trailer_structure",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593154",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e253f417-7481-4930-a37c-17aa91f7098b",
            "value": "c6aeba8b8469176baaba41c3c1fc32543f656982",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:invalid_trailer_structure",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593154",
            "to_ids": true,
            "type": "sha256",
            "uuid": "ae092300-9222-4568-a260-9dc3d37dcd85",
            "value": "f5f9f66d0fbc1ab7ad0efe82e0aa29e1665047e945c7b821bb4189901c57ef13",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779591297",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "10102af9-a75d-4914-bd03-29f59f616a83",
            "value": "3072:Jab033P1qsuORwfXMDmtr0gWxFc22cMvl5KcnPzlMS04+W2MRLlg:J3ksuORw/MFHc22Xl5K0zlMF4+WtRg"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779591297",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "799f5192-6f05-4ee8-bdf3-99b6196fe59a",
            "value": "158026"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779591297",
            "to_ids": true,
            "type": "vhash",
            "uuid": "790ab152-887f-416b-b89c-04a9559b0192",
            "value": "9ef651312734427a5247e5eaf64dc1870"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779591297",
            "to_ids": true,
            "type": "filename",
            "uuid": "34415b2d-68e4-4340-96e4-e9dcb918abb6",
            "value": "Spisok_na_perepodgotovky_mart.pdf"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  19/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779591297",
            "to_ids": false,
            "type": "text",
            "uuid": "4278581e-dd1f-441a-a2a9-2f4d4098dc77",
            "value": "IOC-title:invalid_trailer_structure\r\nType Description: PDF\nMicrosoft: None\nVT Total Detection:0/63\nFirst Submission:2026-03-20T15:16:53.000000+00:00\nLast Submission:2026-03-20T15:16:53.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594789",
        "uuid": "91f0432e-dad9-4bcd-b90a-2b6352aff00d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594789",
            "to_ids": true,
            "type": "md5",
            "uuid": "052aaa97-acca-478e-bb6f-3b4e30fcd8b1",
            "value": "d57868d796f5ffac7a038f1392509625",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593156",
            "to_ids": true,
            "type": "sha1",
            "uuid": "deee9801-431e-4cac-a91b-b57bff4de3c2",
            "value": "9ee0dcf77b0e2040ea4fca58ffd18b20fb78e243",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593156",
            "to_ids": true,
            "type": "sha256",
            "uuid": "0aea1aa8-bc49-4398-a4b9-5396fe2f4dee",
            "value": "f1ab9444b8af0883661dd672729dfae6ea14612876c878f53995a9da1385405e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779591319",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "01876f43-fc28-4875-afa3-55fb69ba528d",
            "value": "196608:iLrP9ibufeWrkgiDhZWisMdJTsSKgOS7l0tKRb7xrsIHRtVL5FxvhmZS9t+mHKC8:GrlfeKYZ/T/2eBssPVL5LUZSquKFxxLJ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779591319",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4dbd7c4c-56d0-462e-946f-03bc63bb01c1",
            "value": "12533547"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779591319",
            "to_ids": true,
            "type": "vhash",
            "uuid": "995d0187-d392-4be1-ade6-bc419d509172",
            "value": "a3715111c7afca06ca3dbbbeff55ed72"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779591319",
            "to_ids": true,
            "type": "filename",
            "uuid": "3c1dc401-d8db-4c4e-9dc3-6af1a4c7a60e",
            "value": "Proekt_prikaza_611_o_pooshchrenii.zip"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  21/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779591319",
            "to_ids": false,
            "type": "text",
            "uuid": "44f4b85d-64e2-4334-99d8-5847dd4e9e6d",
            "value": "Type Description: ZIP\nMicrosoft: None\nVT Total Detection:35/67\nFirst Submission:2026-03-14T23:30:00.000000+00:00\nLast Submission:2026-03-15T00:21:51.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594810",
        "uuid": "08f006e5-1637-474e-a40a-6fc9adc1a039",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594810",
            "to_ids": true,
            "type": "md5",
            "uuid": "957e6bff-a625-400c-8d6a-c0b111ee5755",
            "value": "d688fb9bb64e916ff0bd68160caa6139",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593157",
            "to_ids": true,
            "type": "sha1",
            "uuid": "944465e3-f883-474c-9d67-c112ea44db1d",
            "value": "17575b7c6e0560e9c904775a4a584f9822d57a52",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593157",
            "to_ids": true,
            "type": "sha256",
            "uuid": "7fc5fb06-31dc-483c-bb6c-2dcf9177b6ca",
            "value": "f0845fdf742e64769bf2814f4416172023f5cda9e6c714e3a84d797b3ca8e419",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779591341",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a1963924-6a58-445d-9407-03dbcae7a3c7",
            "value": "24:2d94+SKHmSYeGKMhEMOF5pwO0gU3ODOiIQRvh7hwrF915E18LYuNAGib/xvn:c5luFdOFQO033ODOiDdKrlsTuydv"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779591341",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "60cb3fee-77e3-415e-8e22-7cfd8016d745",
            "value": "1409"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779591341",
            "to_ids": true,
            "type": "filename",
            "uuid": "bb009027-1ffd-4d25-a9fc-156a91ac2fd6",
            "value": "currentSettingMode.xml"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  19/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779591341",
            "to_ids": false,
            "type": "text",
            "uuid": "d1e2c663-2550-4d69-801c-de04e6c3dc5e",
            "value": "Type Description: XML\nMicrosoft: None\nVT Total Detection:0/61\nFirst Submission:2026-03-20T15:16:52.000000+00:00\nLast Submission:2026-03-20T15:16:52.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594832",
        "uuid": "77e60693-b070-4bf6-bacf-9a0eebb78ca1",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594832",
            "to_ids": true,
            "type": "md5",
            "uuid": "824d443d-835c-4faa-b83c-5b9e0e304f72",
            "value": "d7e7f396a695cb23d0fda4dc716e47a6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593159",
            "to_ids": true,
            "type": "sha1",
            "uuid": "85585d5a-72a7-4ea4-801a-41223cfd7eea",
            "value": "95cc727a9bf07bff285060b3b68c4b3de828969c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593159",
            "to_ids": true,
            "type": "sha256",
            "uuid": "424b7299-f92e-4ee8-b0c4-730c53cd2912",
            "value": "1e6ffcefe2561cbaaae6ff7a21fd5f90098610fda4d39889a8f6d4a510c20c10",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779591363",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "5b605f3a-2918-4681-b3e4-c110fd426754",
            "value": "24:8gjtnX8bffUOci1PQQAbWC+/CW8Si6OI9Tb2RYqxWMIlrAI9Tb2d/UMkWLhx4dde:8gJqfknFUeIB1QHUd0TN20R"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779591363",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "41f5dd18-9052-4214-85a3-001b4b14bb2a",
            "value": "2171"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779591363",
            "to_ids": true,
            "type": "vhash",
            "uuid": "adb9b84d-3b04-41c1-b4f8-7179ff850128",
            "value": "a8a65189899e694d0325acbfe2fbfa60"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779591363",
            "to_ids": true,
            "type": "filename",
            "uuid": "a7c26846-9b1e-4e9b-8605-6c9a12acc63e",
            "value": "spisok_ip_adresov_narusheniya.\u200d\u200c\u200bpdf\u200d\u200d\u200c.lnk"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  19/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779591363",
            "to_ids": false,
            "type": "text",
            "uuid": "62259d93-11f7-477a-a360-844b95604e4e",
            "value": "Type Description: Windows shortcut\nMicrosoft: Trojan:Win32/WinLNK.HEN!MTB\nVT Total Detection:31/62\nFirst Submission:2026-02-17T13:59:24.000000+00:00\nLast Submission:2026-02-17T13:59:24.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594853",
        "uuid": "c43eabd6-c528-4e79-b449-d448b3f7faa2",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594853",
            "to_ids": true,
            "type": "md5",
            "uuid": "944577dc-0a5b-4faa-8953-f24c293fd1c5",
            "value": "e355f9f69019a1248f4959fea69fab5f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593160",
            "to_ids": true,
            "type": "sha1",
            "uuid": "aa6f1a3d-afa5-4e51-a9c0-002e26cfe6d1",
            "value": "13d994ecd0d5d1311c5c336398da3ccab84330bb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593160",
            "to_ids": true,
            "type": "sha256",
            "uuid": "21d22794-2980-4a61-8629-6b05e6341a18",
            "value": "604a0e724618a03d5db5dc678c6c5942e696f0ffe0ad0b645c7b177bcbcf2ce3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779591385",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c71b1f00-06ff-47a0-a40a-019831677c33",
            "value": "196608:ivMuqI3jjU/KM16lpUBdskxSxvGf172+zIJWLbhOBnsNCpatcrooSKUjee1A4eSW:2scWdbxSE7hzEWLbhkHp2SooSKe1NdAz"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779591385",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "9314969c-31ea-42a4-8f2f-aa39dcdb39e5",
            "value": "12460820"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779591385",
            "to_ids": true,
            "type": "vhash",
            "uuid": "271e1c80-5690-4b88-a40b-753d55b5ff50",
            "value": "a3715111c7afca06ca3dbbbeff55ed72"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779591385",
            "to_ids": true,
            "type": "filename",
            "uuid": "f825929a-acaa-48f7-a8cd-08802b81ddd7",
            "value": "2_5300957054582694089.zip"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  19/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779591385",
            "to_ids": false,
            "type": "text",
            "uuid": "32218086-df1e-4c5c-af39-6949041a9897",
            "value": "Type Description: ZIP\nMicrosoft: None\nVT Total Detection:32/67\nFirst Submission:2026-03-12T07:52:50.000000+00:00\nLast Submission:2026-03-12T07:52:50.000000+00:00"
          }
        ]
      }
    ]
  }
}