{
  "Event": {
    "analysis": "1",
    "date": "2026-04-23",
    "extends_uuid": "",
    "info": "[Threat Intel] Crypto Drainers as a Converging Threat: Insights into Emerging Hybrid Attack Ecosystems",
    "protected": false,
    "publish_timestamp": "1779545618",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1779545618",
    "uuid": "8712b1f9-253b-4218-a493-6e889f70d584",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#d3f567",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\"",
        "relationship_type": ""
      },
      {
        "colour": "#56c932",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Symmetric Cryptography - T1573.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#7eb739",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Msiexec - T1218.007\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#75ec20",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"",
        "relationship_type": ""
      },
      {
        "colour": "#fe1ef0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Shell - T1505.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#1cbe6b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Virtualization/Sandbox Evasion - T1497\"",
        "relationship_type": ""
      },
      {
        "colour": "#9e0269",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Service - T1102\"",
        "relationship_type": ""
      },
      {
        "colour": "#3780c6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#07a4a1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Encoding - T1132\"",
        "relationship_type": ""
      },
      {
        "colour": "#30cc3b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#44b2c2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Hidden Files and Directories - T1564.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#14004b",
        "local": false,
        "name": "rectifyq:sub-category=\"leak-forums\"",
        "relationship_type": ""
      },
      {
        "colour": "#1a0065",
        "local": false,
        "name": "rectifyq:topic=\"crypto-related\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777028422",
        "to_ids": false,
        "type": "link",
        "uuid": "65f8ab06-a88b-492f-a355-000febc97f94",
        "value": "https://www.levelblue.com/blogs/spiderlabs-blog/crypto-drainers-as-a-converging-threat-insights-into-emerging-hybrid-attack-ecosystems",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777028422",
        "to_ids": false,
        "type": "text",
        "uuid": "cb33c21a-beb0-494c-877a-4362f59cdeba",
        "value": "Cybercriminals are merging traditional malware operations with cryptocurrency-focused attacks, creating hybrid threat ecosystems. Modern crypto drainers have evolved into automated systems capable of extracting assets across multiple blockchains with minimal user interaction, supported by well-developed underground marketplaces offering drainer-as-a-service kits. Two case studies exemplify this convergence: StepDrainer operates as a multichain drainer-as-a-service platform that abuses Web3Modal and smart contract methods across over 20 blockchain networks, using AI-themed lures and polished interfaces to deceive victims into connecting wallets. EtherRAT represents a hybrid Windows implant delivered through trojanized TFTP installers, combining traditional RAT capabilities with blockchain-aware functionality including Ethereum RPC endpoints and embedded wallet addresses. Both threats demonstrate how cryptocurrency theft infrastructure now intersects with mainstream attack surfaces affecting enterprise envir..."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777028422",
        "to_ids": false,
        "type": "text",
        "uuid": "9848b0a7-c0f3-4b95-93c7-a44cfd47bcb7",
        "value": "Name: Crypto Drainers as a Converging Threat: Insights into Emerging Hybrid Attack Ecosystems\nAuthor: AlienVault\nAdversary: \nTags: [\"wallet-phishing\", \"etherrat\", \"stepdrainer\", \"smart-contract-abuse\", \"drainer-as-a-service\", \"miolab\", \"cryptocurrency\"]\nTgtd countries: []\nMlwr families: [\"StepDrainer\", \"EtherRAT\", \"MioLab\", \"SUPERNOVA - S0578\"]\nAttack_ids: [\"T1059.007\", \"T1573.001\", \"T1082\", \"T1218.007\", \"T1140\", \"T1036\", \"T1505.003\", \"T1083\", \"T1497\", \"T1102\", \"T1204\", \"T1059.001\", \"T1547.001\", \"T1566\", \"T1027\", \"T1132\", \"T1070.004\", \"T1071.001\", \"T1564.001\"]\nIndustries: [\"Finance\", \"Technology\"]"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777612633",
        "to_ids": true,
        "type": "hostname",
        "uuid": "8e38a81d-5ff3-4d31-8789-af6087289c81",
        "value": "eth.merkle.io",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777612654",
        "to_ids": true,
        "type": "hostname",
        "uuid": "83315beb-d842-454c-a096-7f868eb62de1",
        "value": "eth.drpc.org",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777612675",
        "to_ids": true,
        "type": "hostname",
        "uuid": "5301cb82-f46a-4bc4-a50e-9ed4b4bb2e3d",
        "value": "rpc.mevblocker.io",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777612696",
        "to_ids": true,
        "type": "hostname",
        "uuid": "1f6428e4-941c-4b59-b24b-3769c2f9f74a",
        "value": "rpc.flashbots.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777612717",
        "to_ids": true,
        "type": "hostname",
        "uuid": "d766a103-096c-4861-a748-99d5d7b9204f",
        "value": "eth-mainnet.public.blastapi.io",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777612738",
        "to_ids": true,
        "type": "hostname",
        "uuid": "0dceb5f3-2bd9-4ed5-8a42-fd7f9bfc5c72",
        "value": "mainnet.gateway.tenderly.co",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777612759",
        "to_ids": true,
        "type": "hostname",
        "uuid": "2f314ccd-67fb-420e-8721-df1e92335bc1",
        "value": "rpc.payload.de",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777612780",
        "to_ids": true,
        "type": "hostname",
        "uuid": "6e341768-4dcd-46ed-bc64-ed1d59470744",
        "value": "ethereum-rpc.publicnode.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777612802",
        "to_ids": true,
        "type": "url",
        "uuid": "3e500f56-9831-4267-be55-8cef740b0362",
        "value": "http://mainnet.helius-rpc.com/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777612823",
        "to_ids": true,
        "type": "hostname",
        "uuid": "53c980b7-77db-4686-8207-5720aebfa6da",
        "value": "mainnet.helius-rpc.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777612844",
        "to_ids": true,
        "type": "domain",
        "uuid": "897f3862-f142-490e-80e3-5aa0aea36e72",
        "value": "aodefevrgdkhqltdnwgzbyjoywrlbntbhfwq.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777612865",
        "to_ids": true,
        "type": "domain",
        "uuid": "ea33b079-0b70-4278-84d9-36b836e2ad05",
        "value": "wpuadmin.shop",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777612887",
        "to_ids": true,
        "type": "domain",
        "uuid": "e23fc7f2-23ed-44b0-bfb9-76882dc71d49",
        "value": "moonscan.live",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777612908",
        "to_ids": true,
        "type": "domain",
        "uuid": "7ac7b400-9dfe-4d01-82cd-f6dacae269e9",
        "value": "scanclaw.live",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777612929",
        "to_ids": true,
        "type": "url",
        "uuid": "967b0615-61e1-4e5e-beac-5d1c79e37e6c",
        "value": "http://scanclaw.live/KjYQnKB-.php",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777612950",
        "to_ids": true,
        "type": "url",
        "uuid": "4244a469-9f2e-4cc3-b7e1-64b5d519c87d",
        "value": "http://moonscan.live/7w2NU3Z-.php",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777612972",
        "to_ids": true,
        "type": "domain",
        "uuid": "86bf42d1-51dc-44ac-807b-0f71b959d0f9",
        "value": "aahdjjsivunugynqjvyfbhqnjekniyfboma.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777612993",
        "to_ids": true,
        "type": "domain",
        "uuid": "1f54c424-b8c3-46f4-b533-8fae1c0a2f59",
        "value": "8kwfaa30jtlnwi.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777613014",
        "to_ids": true,
        "type": "url",
        "uuid": "53f95d28-de2d-4dfd-aae2-50c64293e598",
        "value": "http://rpc.flashbots.net/fast",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545608",
        "to_ids": true,
        "type": "sha256",
        "uuid": "03d1a0a6-5d19-46f5-9418-b48b3f5fe250",
        "value": "c44d5c888647e78947fc93006d92e5521795ef31f7b0cae1ec829fec60d4bd7a",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545610",
        "to_ids": true,
        "type": "sha256",
        "uuid": "79c673a2-74a3-41af-99fd-36f7fbb5723b",
        "value": "b3e28c6a4fec257f4cdc63d93c84596c4c0ee67b839c0711e06d771dd5410b96",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545612",
        "to_ids": true,
        "type": "sha256",
        "uuid": "7b841647-049a-471f-9926-7232f2470887",
        "value": "35e01440b9c63f17eb9e70096d2ec01d18309106a0d644db1110950d2d438e59",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545614",
        "to_ids": true,
        "type": "sha256",
        "uuid": "b68238dc-8429-4f65-96c2-4a1928f1a446",
        "value": "ba3512ed46270b9cb037bdc3d0b398fad2d3017d1b866645afb7445b089211fa",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545616",
        "to_ids": true,
        "type": "sha256",
        "uuid": "a9cffc59-90b4-499e-8834-571c0f822c22",
        "value": "3188313f38e2114f5a9524bf812efaa7f70a89cd8ef2907b962cb1466251df70",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545618",
        "to_ids": true,
        "type": "sha256",
        "uuid": "b3690c8e-b024-4e84-bf89-048932df7362",
        "value": "53d232e7a2670a6f010c23ebd60ca8f881d0433eaf28883a79b41ddd09e47d88",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777613035",
        "to_ids": true,
        "type": "url",
        "uuid": "2bcdbebd-b811-42bc-89c6-4bdd22dd1573",
        "value": "http://corsproxy.io/?hXXps://api.mainnet-beta.solana.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777613056",
        "to_ids": true,
        "type": "hostname",
        "uuid": "9d466625-f506-4a1d-9c3a-4f5a80c6fb20",
        "value": "solana-mainnet.rpc.extrnode.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777613078",
        "to_ids": true,
        "type": "hostname",
        "uuid": "b37d0de5-24bf-486f-8eab-50f6e07c24c7",
        "value": "solana.publicnode.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545601",
        "uuid": "4aa30dc3-ea95-4ec5-b8fe-2938618859b0",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-title:compromised_site_redirector_fromcharcode",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545601",
            "to_ids": true,
            "type": "md5",
            "uuid": "a730aa88-e31c-40bb-93a2-a2aec4b31261",
            "value": "96c2ff1601099c21c598c24e6f43c7c4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:compromised_site_redirector_fromcharcode",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545601",
            "to_ids": true,
            "type": "sha1",
            "uuid": "63e5599e-6df9-4faf-8351-a8547d13ff70",
            "value": "d78fa2e81b7b5ccf287c793c5a9985caaa0f6162",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:compromised_site_redirector_fromcharcode",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545601",
            "to_ids": true,
            "type": "sha256",
            "uuid": "da66fefc-5f0e-4441-8740-e4b18128eb1f",
            "value": "7fd19c564761e2c8c9b583cf30db810e313417c7d3572f637f8cedf4d2cc1e91",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777609690",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "8bb8eac2-9af6-495d-aff5-58c93dbdbc33",
            "value": "6144:0ujB8gltIeTM5/S8g6zRh5gDVLU2GIt/KJAsJRrydM147u/lhDlEqH96lm:vhltVM/g61sNUWsSdG7R"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777609690",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7ee78bce-c355-4cd9-835c-8efa7c55167c",
            "value": "656642"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777609690",
            "to_ids": true,
            "type": "vhash",
            "uuid": "bb747f01-96c2-40fb-906b-b1b96718a27e",
            "value": "831135f1d26adb9cc5b8b32628d8f5dc"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777609690",
            "to_ids": true,
            "type": "filename",
            "uuid": "97782be7-558f-4c65-ba69-6ecf8bd84cb7",
            "value": "7fd19c564761e2c8c9b583cf30db810e313417c7d3572f637f8cedf4d2cc1e91.js"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/05/2026\nLast-scan: 28/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777609690",
            "to_ids": false,
            "type": "text",
            "uuid": "afea2865-5454-4d02-842b-43d23466b898",
            "value": "IOC-title:compromised_site_redirector_fromcharcode\r\nType Description: JavaScript\nMicrosoft: None\nVT Total Detection:0/61\nFirst Submission:2026-01-07T19:42:38.000000+00:00\nLast Submission:2026-03-18T06:58:54.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545604",
        "uuid": "0477d618-7a7e-4c6d-bdeb-32d8d72809ed",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545603",
            "to_ids": true,
            "type": "md5",
            "uuid": "ff1f08e7-fa0f-44f8-aa7e-5ea1f189fd27",
            "value": "e87185643e0c0d08229703d9bb1b7bd5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545604",
            "to_ids": true,
            "type": "sha1",
            "uuid": "6fa76913-b61d-4c14-b1df-519ee274b9b4",
            "value": "f6e50b107182fd73585043fc777ea0c052be5137",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545604",
            "to_ids": true,
            "type": "sha256",
            "uuid": "6c906fba-7a25-48e2-a9bd-fada4342f3c6",
            "value": "6c958397294c279dcbe806c1403c229fdb5ca3ffe030d4d8ce1533e9e7810af4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777609755",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "47af373f-2fdf-4bb1-a39b-f8b8d44e3f8b",
            "value": "768:fmKb/Lch2+14fiXlW4Ti48xf6m9NOgau/va2QBlGJRyxtgU/5eEMcY3fhlic+:OAT3KXlW4TiZxSFuHa2UlQyrgcY/O"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777609755",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7fcc3dae-7456-43dd-b295-bf996253ce85",
            "value": "32807"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777609755",
            "to_ids": true,
            "type": "vhash",
            "uuid": "b38059c7-dba3-4fa4-94a4-6ca283318fd2",
            "value": "b702d418e9bb4c6d337bf8e1a10f7234"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777609755",
            "to_ids": true,
            "type": "filename",
            "uuid": "aeedfa3b-8254-42c7-b299-0ddf7afc0b9e",
            "value": "MDHL9sstLd.dat"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/05/2026\nLast-scan: 27/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777609755",
            "to_ids": false,
            "type": "text",
            "uuid": "95e518ec-d178-4de9-ac6a-a48377ce2076",
            "value": "Type Description: JavaScript\nMicrosoft: None\nVT Total Detection:1/61\nFirst Submission:2026-03-23T18:47:25.000000+00:00\nLast Submission:2026-03-23T18:47:25.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545607",
        "uuid": "83a97ec3-7b76-40fd-b649-497dbbdbc2c0",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545606",
            "to_ids": true,
            "type": "md5",
            "uuid": "947124b3-f7c8-4967-8e59-3567f7ae8af8",
            "value": "2f967662dcf518ccf2612f46a1450408",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545606",
            "to_ids": true,
            "type": "sha1",
            "uuid": "93476c83-bd5b-46c3-b58d-26eaf91ecf61",
            "value": "33f984ab30b087609ad7562b3f1c32c14143d4b8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545607",
            "to_ids": true,
            "type": "sha256",
            "uuid": "c3c6cc8a-a0f3-4d8f-b198-b1fbf459cc0d",
            "value": "73b1d65c05da79b43f5dbddf4736d37b722a8fa6ea649d0ed5089b2bdb2c9e67",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777609777",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "73e57bb5-ad20-4bb6-8625-9120a862a5d9",
            "value": "12:uvomBDMwS35AGHOAaRMO/nFZ0ZYpRT2OKVGkPlc8eXwvN0eSRJgN0eY:uvomcuAe/nFsYpYTTeX2SRJIY"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777609777",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "90640f36-4ded-42f0-a088-b66130de1aea",
            "value": "535"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777609777",
            "to_ids": true,
            "type": "vhash",
            "uuid": "b917eef6-8061-49b4-8773-f80902d003de",
            "value": "84a69ac671920455794fa72ce4cfbb55"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777609777",
            "to_ids": true,
            "type": "filename",
            "uuid": "2583cf62-db5b-42a2-abd2-6f9759b03478",
            "value": "owoXz7eoSnbrvkZ.dat"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/05/2026\nLast-scan: 30/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777609777",
            "to_ids": false,
            "type": "text",
            "uuid": "eb61207e-2aa1-4067-9571-2ff20bf847f9",
            "value": "Type Description: JavaScript\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:25/61\nFirst Submission:2026-03-23T18:40:43.000000+00:00\nLast Submission:2026-03-23T18:40:43.000000+00:00"
          }
        ]
      }
    ]
  }
}