{
  "Event": {
    "analysis": "1",
    "date": "2026-03-31",
    "extends_uuid": "",
    "info": "[Threat Intel] Operation DualScript: Multi-Stage PowerShell Malware Targets Crypto",
    "protected": false,
    "publish_timestamp": "1775907151",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1775907150",
    "uuid": "9144cc28-3fa6-4ac6-9ae3-0b38f862c50e",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#57356b",
        "local": false,
        "name": "misp-galaxy:producer=\"Seqrite\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#705cef",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ee8d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"",
        "relationship_type": ""
      },
      {
        "colour": "#72ee33",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#9dc839",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Clipboard Data - T1115\"",
        "relationship_type": ""
      },
      {
        "colour": "#ff841f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"",
        "relationship_type": ""
      },
      {
        "colour": "#62f4c1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e43954",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#2e58ce",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Input Capture - T1056\"",
        "relationship_type": ""
      },
      {
        "colour": "#98f3da",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Visual Basic - T1059.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#b8ab01",
        "local": false,
        "name": "misp-galaxy:target-information=\"United States\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#1a0065",
        "local": false,
        "name": "rectifyq:topic=\"crypto-related\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Retro\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775012408",
        "to_ids": false,
        "type": "link",
        "uuid": "23833e5b-f099-4690-b866-178b81aa4bcb",
        "value": "https://www.seqrite.com/blog/operation-dualscript-powershell-malware-retrorat-analysis/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775012408",
        "to_ids": false,
        "type": "text",
        "uuid": "5d219d5c-17e3-4411-833f-0eaba0a0746d",
        "value": "Operation DualScript is a sophisticated multi-stage malware campaign targeting cryptocurrency and financial activities. It utilizes Windows Scheduled Tasks, VBScript launchers, and PowerShell execution to maintain persistence while minimizing disk artifacts. The attack operates through two parallel chains: a web-based PowerShell loader deploying a cryptocurrency clipboard hijacker, and a secondary chain executing the RetroRAT implant in memory. RetroRAT monitors user activity, captures keystrokes, and tracks interactions with financial services to harvest sensitive information. The malware employs various anti-analysis techniques and establishes a command-and-control channel for remote access and data exfiltration. This campaign highlights the growing abuse of trusted system utilities and in-memory execution techniques to evade traditional detection mechanisms."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775012408",
        "to_ids": false,
        "type": "text",
        "uuid": "4d29b2b1-c8f4-4e87-869f-61a8d6bae38b",
        "value": "Name: Operation DualScript: Multi-Stage PowerShell Malware Targets Crypto\nAuthor: AlienVault\nAdversary: \nTags: [\"cryptocurrency\", \"retrorat\", \"multi-stage\", \"powershell\", \"financial theft\", \"clipboard hijacking\", \"in-memory execution\", \"evasion techniques\"]\nTgtd countries: [\"United States of America\"]\nMlwr families: [\"RetroRAT\"]\nAttack_ids: [\"T1053.005\", \"T1113\", \"T1056.001\", \"T1115\", \"T1071\", \"T1057\", \"T1041\", \"T1059.001\", \"T1562.001\", \"T1027\", \"T1056\", \"T1059.005\"]\nIndustries: [\"Finance\"]"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\nLast check: 11/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775902631",
        "to_ids": true,
        "type": "md5",
        "uuid": "b580a1b9-8e78-41e6-b93c-4878bd0d4b91",
        "value": "163c38bd7ff7dd27e88eaef1a7a4819f",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\nLast check: 11/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775902632",
        "to_ids": true,
        "type": "md5",
        "uuid": "0dc331f9-c17d-4cda-943e-a0b708c66126",
        "value": "173b27e7541427929da72ebf37c6db8e",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\nLast check: 11/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775902633",
        "to_ids": true,
        "type": "md5",
        "uuid": "077d6643-0dbc-4ef2-acf4-72c6a7681ee1",
        "value": "1dc82fd02a0db3e338128b6f587d7122",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775904180",
        "to_ids": true,
        "type": "domain",
        "uuid": "0767c8a1-13ff-4c13-a6c7-8c663d681846",
        "value": "anycourse.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775904201",
        "to_ids": true,
        "type": "domain",
        "uuid": "9f481687-59c1-435e-8de6-f4981aefb1fe",
        "value": "thewpiratebay.st",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775904222",
        "to_ids": true,
        "type": "hostname",
        "uuid": "f5f0be77-fa9b-4c53-b7ef-ae5f2fd3266e",
        "value": "floatsdk.1cooldns.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775904243",
        "to_ids": true,
        "type": "hostname",
        "uuid": "3a55a572-04e9-4105-95ea-a5babdcba6d6",
        "value": "info.1cooldns.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775904264",
        "uuid": "fb8acc5d-a8ab-4176-b6c7-d96e55e1a3f0",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775904264",
            "to_ids": true,
            "type": "md5",
            "uuid": "e2792248-12ae-43bd-8376-9ead761d87f2",
            "value": "243af69d85550232da45f5a30703a4a3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775902628",
            "to_ids": true,
            "type": "sha1",
            "uuid": "b0e8efb4-62db-4f31-88e4-9987ea3cdd74",
            "value": "eb1179a6f45bfc60dbb8bf777fa3c09ec5b785de",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775902628",
            "to_ids": true,
            "type": "sha256",
            "uuid": "d81e9f2e-0d2d-4bc6-8e63-efa03347c7f2",
            "value": "c4ae544275819ff1a5513c9c52b0bb6b05e9c081ab31713afe2f39fd65b2c712",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775901669",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "cc406f79-a45d-4e7e-aa2a-ef51a29c2ba4",
            "value": "6:9cNAWdgUGW5yiqsO0cQNpjAus23bY03soLP/j4/lFFoA:9vWd+WMspc0JAOLx3JLz4/iA"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775901669",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7cc09088-ce59-48a8-9cd3-21b1baf323c8",
            "value": "283"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775901669",
            "to_ids": true,
            "type": "vhash",
            "uuid": "2ac0cc88-2e6e-4a1c-a661-b9b626bb28d8",
            "value": "2ca7e3f1544c483dca9047973ab13adc"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775901669",
            "to_ids": true,
            "type": "filename",
            "uuid": "b5386028-095c-4d2d-97dd-d0c15a9557c8",
            "value": "243af69d85550232da45f5a30703a4a3.vbs"
          },
          {
            "category": "Other",
            "comment": "Checked: 11/04/2026\nLast scan: 10/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775901669",
            "to_ids": false,
            "type": "text",
            "uuid": "7a9338ac-5414-4067-8fb9-d4fa244a9f86",
            "value": "Type Description: VBA\nMicrosoft: Trojan:PowerShell/Runner.PGRN!MTB\nVT Total Detection: 16/62\nFirst Submission: 2026-03-24T14:58:02.000000+00:00\nLast Submission: 2026-03-25T08:17:57.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775904285",
        "uuid": "704b3b33-4add-422d-b2dd-7bef481bd250",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775904285",
            "to_ids": true,
            "type": "md5",
            "uuid": "fe512a28-ba54-4ec3-984c-d1b84728bac3",
            "value": "43cac07a501e7a717023e0fa8f6111e0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775902629",
            "to_ids": true,
            "type": "sha1",
            "uuid": "349cb875-b37b-41d8-9266-18e274d1718e",
            "value": "51f12e45e1a9fa9d71b9245b82a6eeea603bcd20",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775902630",
            "to_ids": true,
            "type": "sha256",
            "uuid": "9a7f417c-697c-4d4f-86e1-4fb164bc0179",
            "value": "73cc9b90f7aafe8ec9f7fe525d6a17b51420f85f72913ba42710332c6d6af29b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775901691",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "65a151d2-ea4d-4683-accb-cac67e04140d",
            "value": "24:z0kq0HQB7CJMY5fgcI5cARlWgHLxGM4Z+FBNDEE+G4Ml:ze0Au7fgcURlWgH1GdZ0BNDEs4k"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775901691",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "922a0f50-5af7-48bd-9ff8-d0e15df19cc0",
            "value": "1161"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775901691",
            "to_ids": true,
            "type": "vhash",
            "uuid": "5d50aa87-292b-4570-9d94-9561d9bbaa55",
            "value": "137ba1f0930b1133ba80de56cd144d58"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775901691",
            "to_ids": true,
            "type": "filename",
            "uuid": "58ac878f-e3f1-41af-b0bf-d3483c23d71f",
            "value": "ppamproPicsArtWAL.ps1"
          },
          {
            "category": "Other",
            "comment": "Checked: 11/04/2026\nLast scan: 10/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775901691",
            "to_ids": false,
            "type": "text",
            "uuid": "e327e4ed-8453-4cc3-a387-c362d19f0ac9",
            "value": "Type Description: Powershell\nMicrosoft: Trojan:PowerShell/ClipBanker.CV!AMTB\nVT Total Detection: 18/63\nFirst Submission: 2025-06-14T04:40:52.000000+00:00\nLast Submission: 2026-04-09T07:11:51.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775904307",
        "uuid": "49a4ffa9-b56b-442a-ace6-f9444e1d64c3",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775904307",
            "to_ids": true,
            "type": "md5",
            "uuid": "d7285478-8d1c-4ab4-857b-84d550139a68",
            "value": "7546ada1e3144371724db209ba4c5f37",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775902630",
            "to_ids": true,
            "type": "sha1",
            "uuid": "33da262d-9fb1-49ff-a66b-98bfb0f9d959",
            "value": "36c29d4238061ddfdd41735b4590c2239f019679",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775902630",
            "to_ids": true,
            "type": "sha256",
            "uuid": "72f85589-c177-4197-9c42-760d6edd8ec1",
            "value": "582eeb086e1e50f036a243e1ceb8837803c64ce4aa7208b3946c4b68b35fab10",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775901713",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "28cf829e-18c1-4999-be5c-f007c46d9dbd",
            "value": "12288:zcI2b3FMYrF3P0d54c86yJHsiYA+V6GhMsU4DOQ3gHc9mrcMorWrnhkdZBdwMsr6:zJ2b3FMY"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775901713",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f3dccaaf-fcca-4fbf-bb3c-8be6c85d98e5",
            "value": "472576"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775901713",
            "to_ids": true,
            "type": "vhash",
            "uuid": "3238982e-5a2c-4410-b5b8-03f87c964a9a",
            "value": "245036551512109e5f141090"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775901713",
            "to_ids": true,
            "type": "filename",
            "uuid": "c13e0c15-b7b8-45a6-9a0f-37a51df5bb39",
            "value": "clay_Client.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 11/04/2026\nLast scan: 10/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775901713",
            "to_ids": false,
            "type": "text",
            "uuid": "08be2b17-6ce7-4fb8-b7e4-9f8c023a318d",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:MSIL/RetroRAT!AMTB\nVT Total Detection: 46/72\nFirst Submission: 2025-11-30T22:17:43.000000+00:00\nLast Submission: 2025-12-13T13:13:45.000000+00:00"
          }
        ]
      }
    ]
  }
}