{ "Event": { "analysis": "1", "date": "2026-03-19", "extends_uuid": "", "info": "[Threat Intel] New Malware Targets Users of Cobra DocGuard Software", "protected": false, "publish_timestamp": "1775231572", "published": true, "threat_level_id": "3", "timestamp": "1775231572", "uuid": "92897def-45b7-4f43-bbf4-2c0457d0b45b", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#892644", "local": false, "name": "misp-galaxy:producer=\"Symantec\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#bb2745", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Standard Encoding - T1132.001\"", "relationship_type": "" }, { "colour": "#72ee33", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"", "relationship_type": "" }, { "colour": "#77a4ec", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Email Collection - T1114\"", "relationship_type": "" }, { "colour": "#56c932", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Symmetric Cryptography - T1573.001\"", "relationship_type": "" }, { "colour": "#7d7034", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"", "relationship_type": "" }, { "colour": "#68f2ff", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"", "relationship_type": "" }, { "colour": "#a92e1c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"", "relationship_type": "" }, { "colour": "#bf01b7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"", "relationship_type": "" }, { "colour": "#cfba47", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Automated Exfiltration - T1020\"", "relationship_type": "" }, { "colour": "#0c0051", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"", "relationship_type": "" }, { "colour": "#755c09", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"", "relationship_type": "" }, { "colour": "#6fe7f4", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Tool - T1588.002\"", "relationship_type": "" }, { "colour": "#f5055a", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data from Network Shared Drive - T1039\"", "relationship_type": "" }, { "colour": "#e08bb2", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"", "relationship_type": "" }, { "colour": "#d82db7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Query Registry - T1012\"", "relationship_type": "" }, { "colour": "#30cc3b", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"", "relationship_type": "" }, { "colour": "#92e858", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"", "relationship_type": "" }, { "colour": "#50bcaa", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Software Discovery - T1518\"", "relationship_type": "" }, { "colour": "#e1e63b", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"", "relationship_type": "" }, { "colour": "#4c0fbb", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"", "relationship_type": "" }, { "colour": "#52d590", "local": false, "name": "misp-galaxy:target-information=\"China\"", "relationship_type": "" }, { "colour": "#e459c3", "local": false, "name": "misp-galaxy:target-information=\"Hong Kong\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#110041", "local": false, "name": "rectifyq:sub-category=\"malware-analysis\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773975610", "to_ids": false, "type": "link", "uuid": "6a05ffb3-021b-4ab2-9e5f-07271b34ac10", "value": "https://www.security.com/blog-post/speagle-cobradocguard-infostealer" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1773975610", "to_ids": false, "type": "text", "uuid": "9472dac2-0b84-49d9-b24c-97ed806b731d", "value": "A novel and stealthy threat called Infostealer.Speagle has been discovered, hijacking the functionality of Cobra DocGuard, a legitimate security software. This malware collects sensitive information from infected computers and transmits it to a compromised Cobra DocGuard server, masking the data exfiltration as legitimate communications. Speagle specifically targets computers with Cobra DocGuard installed and has shown capabilities to search for documents related to Chinese ballistic missiles. The infection vector remains unknown, but there are indications of a possible supply chain attack. The malware collects system information, file listings, and browser data in multiple phases, using sophisticated techniques to evade detection and self-delete after completing its tasks." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1773975610", "to_ids": false, "type": "text", "uuid": "0f4ada85-1bab-4f3f-855f-5f5188cd0783", "value": "Name: New Malware Targets Users of Cobra DocGuard Software\nAuthor: AlienVault\nAdversary: Runningcrab\nTags: [\"infostealer.speagle\", \"plugx\", \"cobra docguard\", \"korplug\", \"supply chain attack\", \"ballistic missiles\", \"evasion techniques\", \"data exfiltration\"]\nTgtd countries: [\"China\", \"Hong Kong\"]\nMlwr families: [\"Infostealer.Speagle\", \"PlugX - S0013\", \"Thoper\", \"TVT\", \"DestroyRAT\", \"Sogu\", \"Kaba\", \"Korplug\", \"PlugX - S0013\", \"Thoper\", \"TVT\", \"DestroyRAT\", \"Sogu\", \"Kaba\", \"Korplug\"]\nAttack_ids: [\"T1132.001\", \"T1056.001\", \"T1114\", \"T1573.001\", \"T1082\", \"T1005\", \"T1140\", \"T1112\", \"T1020\", \"T1083\", \"T1059.001\", \"T1588.002\", \"T1039\", \"T1027\", \"T1012\", \"T1070.004\", \"T1071.001\", \"T1518\", \"T1574.002\", \"T1105\"]\nIndustries: [\"Defense\", \"Technology\"]" }, { "category": "Attribution", "comment": "Adversary", "deleted": false, "disable_correlation": false, "timestamp": "1773975610", "to_ids": false, "type": "threat-actor", "uuid": "c84f867a-672e-4d1e-b57c-6ef2c307d5c7", "value": "Runningcrab" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775230087", "to_ids": true, "type": "ip-dst", "uuid": "2e833b72-6d49-4db2-86d2-3297cd0aaebe", "value": "60.30.147.18", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775230109", "to_ids": true, "type": "url", "uuid": "be9553a3-3b14-401c-898d-872a1fa46d2d", "value": "http://222.222.254.165:8090/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775230130", "to_ids": true, "type": "url", "uuid": "889642b2-c506-41d3-98e8-e2b18259c0fa", "value": "http://60.30.147.18:8091/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1775230152", "uuid": "479f8276-6e97-49ad-b2d8-dc11fedae244", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1775230152", "to_ids": true, "type": "md5", "uuid": "973057b6-a2da-41bc-8758-b0ca2e4b3d31", "value": "17d2a18514107a6949d7c33860044709", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1775227062", "to_ids": true, "type": "sha1", "uuid": "6585d7bf-aee8-4582-a41e-f5df842aa6bf", "value": "ec6ddc270bfbf2d6acf97571e8157bba0dc59d1f", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1775227062", "to_ids": true, "type": "sha256", "uuid": "251684ca-ce02-4b6e-8a64-96aaaca80d3a", "value": "03298f85eaf8880222cf8a83b8ed75d90712c34a8a5299a60f47927ad044b43b", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1775226230", "to_ids": true, "type": "ssdeep", "uuid": "d2d997c8-c825-49d5-b5fc-61204d51d676", "value": "12288:zTFsl6I3+G3Rrp2aubcCEy/+PJ0WT6F6ncVserIfu:l23+Ghrp2zbc5yCmtF6c+G" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1775226230", "to_ids": false, "type": "size-in-bytes", "uuid": "a63809fd-64d1-48a0-b851-9c3a4464fd6e", "value": "785408" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1775226230", "to_ids": true, "type": "vhash", "uuid": "b82acaf3-2b4b-4553-8055-10058bf40f61", "value": "275036551511e0041773c22f6" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1775226230", "to_ids": true, "type": "filename", "uuid": "6e725d43-334b-4f59-8c92-40af96a3f3d3", "value": "F.exe" }, { "category": "Other", "comment": "Checked: 03/04/2026\nLast-scan\t: 03/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1775226230", "to_ids": false, "type": "text", "uuid": "4131132c-182c-4a70-8315-334a92535b1e", "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Egairtigado!rfn\nVT Total Detection:47/71\nFirst Submission:2024-11-03T03:58:49.000000+00:00\nLast Submission:2026-03-21T13:47:46.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1775230173", "uuid": "6b58ddf1-ff2e-426d-84fd-07227d0bdd4b", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1775230173", "to_ids": true, "type": "md5", "uuid": "dcfd40bf-0e19-4440-a325-7f5785ed2c1d", "value": "1c9ea99a4eeef05fac62fced58f3875b", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1775227062", "to_ids": true, "type": "sha1", "uuid": "70ed34c4-e821-4942-955e-bfebafbfe56e", "value": "6849d6c63bb69374f3d6fe1c8e3a80c7544f35fe", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1775227063", "to_ids": true, "type": "sha256", "uuid": "2f99ad33-ca9a-44bb-9846-cdcfacc7dffc", "value": "d7f167cbf1676c14fd487219447e30fadf26885eb25ec4cafdeabe333bddf877", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1775226251", "to_ids": true, "type": "ssdeep", "uuid": "c59741fb-d627-4322-8cc4-9d70c3ae6125", "value": "12288:0FiwX7lYGXQ0c2BQ7BEE8RLfaIgERQJPJ0TT6F6nBp63gA4+Z9rKcFN6lr4jt:QpYGXQWBY0RLfab1mKF6/st" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1775226251", "to_ids": false, "type": "size-in-bytes", "uuid": "28a3c0df-ac3c-4b9e-95c9-ef0c85b13dab", "value": "785408" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1775226251", "to_ids": true, "type": "vhash", "uuid": "f87338ef-b4dd-4ee8-850e-16db81f3a5ac", "value": "275036551511e0041773c22f6" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1775226251", "to_ids": true, "type": "filename", "uuid": "423b8e1e-5024-46a1-8d8a-8fbc82c4154d", "value": "E.exe" }, { "category": "Other", "comment": "Checked: 03/04/2026\nLast-scan\t: 03/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1775226251", "to_ids": false, "type": "text", "uuid": "ef9dafd8-86db-4231-8b6c-88faad7dc3ad", "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Egairtigado!rfn\nVT Total Detection:55/71\nFirst Submission:2024-09-24T06:02:22.000000+00:00\nLast Submission:2026-03-21T13:46:45.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1775230194", "uuid": "d9e6fb5e-0433-45fb-84ed-c045db36b993", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1775230194", "to_ids": true, "type": "md5", "uuid": "bc033286-899b-4a1f-9907-8a766be8e7ee", "value": "9411b5b8c025edc897d23f4fa6b38f2d", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1775227064", "to_ids": true, "type": "sha1", "uuid": "db86a1fe-a804-4dd9-b1ac-0e034ed5de5d", "value": "df926c55bdad0722517bbb631f81069ba209d072", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1775227065", "to_ids": true, "type": "sha256", "uuid": "223c0362-aae4-47dd-9009-11e8a10eca84", "value": "dcd3f06093bf34d81837d837c5a5935beb859ba6258e5a80c3a5f95638a13d4d", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1775226273", "to_ids": true, "type": "ssdeep", "uuid": "c5a94e5d-8625-4cef-ae90-b47fd9aa90c8", "value": "12288:+VlZmX2X1ZxVD/HydYVandNGZ38J8Xf+EfJ8QfAmFTKaCx8UYH8swtNnFrgR:4SU1ZxPVOdNGdY87abmFVH0/FrgR" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1775226273", "to_ids": false, "type": "size-in-bytes", "uuid": "11f6665b-0c6e-45b0-bc0c-c26c40eeed59", "value": "791552" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1775226273", "to_ids": true, "type": "vhash", "uuid": "97728107-2cd6-4cb7-9b13-89f47f954160", "value": "275036551511e0045783c22f6" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1775226273", "to_ids": true, "type": "filename", "uuid": "d1fb111a-a0f6-4221-81d6-196c5d5fd70c", "value": "H.exe" }, { "category": "Other", "comment": "Checked: 03/04/2026\nLast-scan\t: 03/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1775226273", "to_ids": false, "type": "text", "uuid": "66b62f6b-9459-4636-b916-029adc8b5972", "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Egairtigado!rfn\nVT Total Detection:51/71\nFirst Submission:2024-11-03T07:23:48.000000+00:00\nLast Submission:2026-03-21T13:47:31.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1775230216", "uuid": "6e62aa95-be75-4cf0-85d6-47d4cd3f0f7d", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1775230216", "to_ids": true, "type": "md5", "uuid": "7555c41b-d59a-4473-a586-e28aae19e17f", "value": "4158559f4b2940754a381ba38523bd60", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1775227066", "to_ids": true, "type": "sha1", "uuid": "0a58bfb9-e995-4c68-96cb-5b62f8dd6c8d", "value": "cf85e4b3ace7641adb350079b9e974f5f14d0c4f", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1775227066", "to_ids": true, "type": "sha256", "uuid": "cb50d6ae-caf5-4b47-a7c8-0aa870055640", "value": "fad8d0307db5328c8b9f283a2cc6f7e4f4333001623fef5bd5c32a1c094bf890", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1775226295", "to_ids": true, "type": "ssdeep", "uuid": "78c13c11-fcc7-4b6f-a31e-4b9ec5f9a75a", "value": "12288:XxTFn4THI2Dl6gskdrr2vR9P8JpBSt+mfJ8DfAmFT5NAd8FjnFrgR:hirI2DBqvR9PYpwja8mFFecFrgR" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1775226295", "to_ids": false, "type": "size-in-bytes", "uuid": "ed745761-84ab-453c-94c9-9405049e7e7e", "value": "790016" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1775226295", "to_ids": true, "type": "vhash", "uuid": "c498f2e7-3840-4ae4-92e8-5543c7e29f54", "value": "275036551511e0045783c22f6" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1775226295", "to_ids": true, "type": "filename", "uuid": "022e0555-4b25-44d7-b3ea-3b5a6ae0a5c0", "value": "U.exe" }, { "category": "Other", "comment": "Checked: 03/04/2026\nLast-scan\t: 03/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1775226295", "to_ids": false, "type": "text", "uuid": "c62c1406-0819-4162-8584-0b0ef7a8b156", "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Egairtigado!rfn\nVT Total Detection:47/71\nFirst Submission:2024-11-13T06:23:50.000000+00:00\nLast Submission:2026-03-21T13:47:16.000000+00:00" } ] } ] } }