{
  "Event": {
    "analysis": "1",
    "date": "2026-04-12",
    "extends_uuid": "",
    "info": "[Threat Intel] REFUNDEE: Inside a Shadow Panel Phishing-as-a-Service Operation",
    "protected": false,
    "publish_timestamp": "1776462978",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1776462978",
    "uuid": "983e7e7b-8cc1-401e-a670-62636550a727",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#705cef",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ee8d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"",
        "relationship_type": ""
      },
      {
        "colour": "#72ee33",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#ed66f6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal Web Session Cookie - T1539\"",
        "relationship_type": ""
      },
      {
        "colour": "#9dc839",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Clipboard Data - T1115\"",
        "relationship_type": ""
      },
      {
        "colour": "#68f2ff",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#bce57a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Web Service - T1567\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ed4a7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Web Browsers - T1555.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#3780c6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#07a4a1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Encoding - T1132\"",
        "relationship_type": ""
      },
      {
        "colour": "#3c0f50",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#98f3da",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Visual Basic - T1059.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#3500ca",
        "local": false,
        "name": "rectifyq:detection-rules=\"yara-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#3500cd",
        "local": false,
        "name": "rectifyq:detection-rules=\"sigma-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776135620",
        "to_ids": false,
        "type": "link",
        "uuid": "12aee428-229f-4aa4-adcc-14071469a171",
        "value": "https://intel.breakglass.tech/post/refundonex-shadow-panel-phaas"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776135620",
        "to_ids": false,
        "type": "text",
        "uuid": "4d69c2ad-515a-4baa-a15d-97de57c1c999",
        "value": "An open directory discovery at refundonex[.]com exposed a complete Phishing-as-a-Service and RAT-as-a-Service platform targeting Spanish and Portuguese-speaking victims. The investigation uncovered 3,788 files including weaponized LNK, VBS, and AES-encrypted PowerShell payloads delivering a remote access trojan. The platform, called Shadow Panel, operates from Bulgarian infrastructure and offers capabilities including remote shell execution, screenshot capture, file management, browser credential theft, clipboard hijacking for cryptocurrency wallets, and multi-operator support. The C2 panel's frontend JavaScript was publicly accessible, revealing 29 API endpoints and the complete architecture. Infrastructure analysis linked the operation to nikola4010@proton[.]me through WHOIS data and historical malicious domain associations dating back to 2021, indicating a long-running cybercriminal operation with minimal detection coverage."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776135620",
        "to_ids": false,
        "type": "text",
        "uuid": "fad9aa0b-8e70-4ec5-8ca3-cbd66af18d58",
        "value": "Name: REFUNDEE: Inside a Shadow Panel Phishing-as-a-Service Operation\nAuthor: AlienVault\nAdversary: \nTags: [\"phishing-as-a-service\", \"refundee\", \"webdav\", \"bulgarian-infrastructure\", \"shadow panel\", \"shadow-panel\", \"powershell\", \"cryptocurrency-theft\", \"rat-as-a-service\", \"spanish-portuguese-targeting\"]\nTgtd countries: []\nMlwr families: [\"REFUNDEE\", \"Shadow Panel\"]\nAttack_ids: [\"T1053.005\", \"T1113\", \"T1056.001\", \"T1539\", \"T1115\", \"T1005\", \"T1140\", \"T1567\", \"T1555.003\", \"T1204\", \"T1041\", \"T1059.001\", \"T1547.001\", \"T1566\", \"T1027\", \"T1132\", \"T1027.002\", \"T1071.001\", \"T1059.005\", \"T1105\"]\nIndustries: []"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776400410",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "76958049-f0cf-41b6-a000-9a608fb3f74b",
        "value": "87.121.52.71",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776400431",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "50a950f4-33ad-4f14-b09f-53a688aa775c",
        "value": "87.121.52.72",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776400453",
        "to_ids": true,
        "type": "url",
        "uuid": "3ef0c29d-de79-4491-858d-b0d8aeb71b06",
        "value": "http://refundonex.com/cloud/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776400474",
        "to_ids": true,
        "type": "url",
        "uuid": "5ee013d3-6d91-4839-9932-49b3546c4740",
        "value": "https://refundonex.com/admin/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776400495",
        "to_ids": true,
        "type": "url",
        "uuid": "1b5ab039-4dda-47ea-a5db-dddd3ddf7fd1",
        "value": "https://refundonex.com/cloud/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776400516",
        "to_ids": true,
        "type": "url",
        "uuid": "37f7e09f-2bd4-484b-8437-abe239f3b7bc",
        "value": "https://winup.su/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776400537",
        "to_ids": true,
        "type": "url",
        "uuid": "bd2d4148-5a33-43bd-8978-52a48e2133b4",
        "value": "https://winup.su/api/client/poll/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776400558",
        "to_ids": true,
        "type": "url",
        "uuid": "2bb92620-8ca9-44d6-8ea3-610fc50471da",
        "value": "https://winup.su/dashboard.html",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Artifacts dropped",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776135621",
        "to_ids": true,
        "type": "yara",
        "uuid": "9db510f8-abe1-4efb-9b13-cfd4aefcdbd7",
        "value": "c9223704fd2f8be6fccb0b8b75826f4c1b8e66ee"
      },
      {
        "category": "Artifacts dropped",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776135621",
        "to_ids": true,
        "type": "yara",
        "uuid": "96c4842d-e67f-4849-b638-c80dfc453d0e",
        "value": "d74dfa84e2ab6f290e46a9ffd9a5393b39317a41"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776400579",
        "to_ids": true,
        "type": "domain",
        "uuid": "d94be990-9687-45c3-9f64-31c724c9f3b0",
        "value": "carweap.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776400600",
        "to_ids": true,
        "type": "domain",
        "uuid": "0dfe5719-719d-4bca-8fe3-773c4cacd220",
        "value": "febystm.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776400621",
        "to_ids": true,
        "type": "domain",
        "uuid": "de9aca85-85b6-4b99-82f4-fb6b91e8f22d",
        "value": "hchdko.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776400642",
        "to_ids": true,
        "type": "domain",
        "uuid": "015cb218-73fd-43cb-815b-30c6b3a888c1",
        "value": "mrchexp.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776400663",
        "to_ids": true,
        "type": "domain",
        "uuid": "f2549408-6424-488e-b899-2715f94ec40d",
        "value": "refundonex.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776400684",
        "to_ids": true,
        "type": "domain",
        "uuid": "d88df155-c9d4-49d8-96ca-94145b1ec144",
        "value": "sifr-infso.club",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776400706",
        "to_ids": true,
        "type": "domain",
        "uuid": "c1fd70c7-2a1c-4eeb-ad27-4d76e6ff90d5",
        "value": "winup.su",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776135621",
        "to_ids": true,
        "type": "email-src",
        "uuid": "429c1f3c-790e-4b4f-91f0-14c72efc6dd3",
        "value": "nikola4010@proton.me"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776400727",
        "to_ids": true,
        "type": "hostname",
        "uuid": "415a7efd-7090-40af-b1e1-04edf2a18f52",
        "value": "inst.refundonex.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776351497",
        "to_ids": false,
        "type": "sigma",
        "uuid": "6c0a202e-0a10-4908-8be9-f992e74e3add",
        "value": "title: Shadow Panel RAT Scheduled Task\nstatus: experimental\ndescription: >\n  Detects creation of WindowsUpdateCheck scheduled task used by Shadow Panel RAT for persistence\nauthor: GHOST - Breakglass Intelligence\ndate: 2026-04-12\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    CommandLine|contains|all:\n      - 'WindowsUpdateCheck'\n      - 'WinUpdate'\n      - 'launcher.vbs'\n  condition: selection\nfalsepositives:\n  - Unlikely\nlevel: high"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776351512",
        "to_ids": false,
        "type": "sigma",
        "uuid": "6a7ff0a3-9e44-496b-9410-eb3ae5bc7f32",
        "value": "title: Shadow Panel RAT C2 Beacon\nstatus: experimental\ndescription: >\n  Detects HTTP beacon traffic to Shadow Panel C2\nauthor: GHOST - Breakglass Intelligence\ndate: 2026-04-12\nlogsource:\n  category: proxy\ndetection:\n  selection:\n    c-uri|contains:\n      - '/api/client/poll/'\n    c-uri|contains|all:\n      - 'key='\n      - 'host='\n      - 'user='\n      - 'os='\n  condition: selection\nfalsepositives:\n  - Unlikely\nlevel: high"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1776351390",
        "uuid": "b870de80-b3c1-4e3f-8a13-bc93a33ca414",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1776351390",
            "to_ids": false,
            "type": "text",
            "uuid": "6ea7d1e9-b47a-4334-a99d-94bd1481a328",
            "value": "Shadow_Panel_RAT"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1776351390",
            "to_ids": false,
            "type": "comment",
            "uuid": "0b6e2017-51e5-48b4-87be-d11fa6b64d94",
            "value": "Detects Shadow Panel RAT PS1 payload"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1776351390",
            "to_ids": true,
            "type": "yara",
            "uuid": "8bcb69ba-5661-4cc2-be12-36b68b383dd0",
            "value": "rule Shadow_Panel_RAT \r\n{\r\n\tmeta: \r\n\t\tdescription = \"Detects Shadow Panel RAT PS1 payload\" \r\n\t\tauthor = \"GHOST - Breakglass Intelligence\" \r\n\t\tdate = \"2026-04-12\" \r\n\tstrings: \r\n\t\t$s1 = \"WinUpdate\" ascii wide \r\n\t\t$s2 = \"WindowsUpdateCheck\" ascii wide \r\n\t\t$s3 = \"/api/client/poll/\" ascii wide \r\n\t\t$s4 = \"/api/client/response\" ascii wide \r\n\t\t$s5 = \"Decrypt-AES\" ascii wide \r\n\t\t$s6 = \"defaultServers\" ascii wide \r\n\t\t$s7 = \"launcher.vbs\" ascii wide \r\n\t\t$s8 = \"update.ps1\" ascii wide \r\n\tcondition: \r\n\t\t3 of them \r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1776351462",
        "uuid": "28d056f0-949d-46bf-a22b-2454ff4e07f2",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1776351462",
            "to_ids": false,
            "type": "text",
            "uuid": "cb312134-2418-4b08-8732-ef9bcf61650b",
            "value": "Refundee_LNK_Phish"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1776351462",
            "to_ids": false,
            "type": "comment",
            "uuid": "2a3668b7-2890-4900-82ca-80b1181797be",
            "value": "Detects Refundee/FileSwitch LNK phishing lure"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1776351462",
            "to_ids": true,
            "type": "yara",
            "uuid": "bf240b64-f791-40b3-a881-809375251002",
            "value": "rule Refundee_LNK_Phish \r\n{\r\n\tmeta: \r\n\t\tdescription = \"Detects Refundee/FileSwitch LNK phishing lure\" \r\n\t\tauthor = \"GHOST - Breakglass Intelligence\" \r\n\t\tdate = \"2026-04-12\" \r\n\tstrings: \r\n\t\t$s1 = \"refundonex.com\" ascii wide \r\n\t\t$s2 = \"wscript.exe\" ascii wide \r\n\t\t$s3 = \".pdf.vbs\" ascii wide \r\n\tcondition: \r\n\t\tall of them \r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing one or more Suricata rule(s) along with version and contextual information.",
        "meta-category": "network",
        "name": "suricata",
        "template_uuid": "3c177337-fb80-405a-a6c1-1b2ddea8684a",
        "template_version": "2",
        "timestamp": "1776351545",
        "uuid": "2f2ee9a2-8a57-4be9-be75-2f05bc64a162",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1776351545",
            "to_ids": false,
            "type": "comment",
            "uuid": "45a87768-f1db-4fc4-bf98-ba3b6d818b31",
            "value": "GHOST Shadow Panel RAT C2 Beacon"
          },
          {
            "category": "Network activity",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "suricata",
            "timestamp": "1776351545",
            "to_ids": true,
            "type": "snort",
            "uuid": "18a54f0b-0d85-4c5c-b7a3-3eb3bde8555e",
            "value": "alert http $HOME_NET any -> $EXTERNAL_NET any ( msg:\"GHOST Shadow Panel RAT C2 Beacon\"; flow:established,to_server; content:\"/api/client/poll/\"; http_uri; content:\"key=\"; http_uri; content:\"host=\"; http_uri; reference:url,intel.breakglass.tech; classtype:trojan-activity; sid:2026041201; rev:1; )"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776400748",
        "uuid": "898b1977-5995-42c6-835b-fa2b2dfd706b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776400748",
            "to_ids": true,
            "type": "md5",
            "uuid": "7d62ce20-104a-47a1-9548-9ca69242eabf",
            "value": "1009fac37240f16e01e552cf87e61dde",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776399298",
            "to_ids": true,
            "type": "sha1",
            "uuid": "8e7f56c4-c663-42ae-9332-91ff8e511389",
            "value": "5fe202ed78618d14675cbdac6fd176848f74cc30",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776399298",
            "to_ids": true,
            "type": "sha256",
            "uuid": "000ac1c0-2af6-4e8f-a2a5-269a46a0a198",
            "value": "a23bd8eab005a0c7759ffa344b55a3e1fd83a871817d51621c97eee0b511b3da",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776397928",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "81b0e33c-321a-471a-9991-76d11a0b9929",
            "value": "768:5AUTIkUeSiLBLwMdA9twUuvJZBw9xwdgs5nNjII3jsR0HPUtQqp4wRquFg3Ku4Cy:6UT+5AeIABxwqQNcI3jsR0vU+S4wRquj"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776397928",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "684b77d1-8786-4410-90ed-da5472e34f4f",
            "value": "37438"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776397928",
            "to_ids": true,
            "type": "vhash",
            "uuid": "8db5abf9-e2db-4dab-8266-4d015305ef57",
            "value": "90190eba21aac0cac6b625459f9c504ef"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776397928",
            "to_ids": true,
            "type": "filename",
            "uuid": "27f3062f-c4b2-4571-81ab-9e0b7950c97a",
            "value": "a23bd8eab005a0c7759ffa344b55a3e1fd83a871817d51621c97eee0b511b3da.pdf"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-04-17\nLast scan: 2026-04-16",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776397928",
            "to_ids": false,
            "type": "text",
            "uuid": "8a56f0b6-ee27-41f8-a90d-91b9fdac7020",
            "value": "Type Description: PDF\nMicrosoft: None\nVT Total Detection:8/64\nFirst Submission:2026-04-11T14:45:04.000000+00:00\nLast Submission:2026-04-15T15:24:25.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776400770",
        "uuid": "9646252d-fbdf-4add-b4f6-2c55b743524b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776400770",
            "to_ids": true,
            "type": "md5",
            "uuid": "cf16e725-2ca1-4f80-8f47-2a7d89df806b",
            "value": "4fd2128e4b4549c46e2c112e7dc34096",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776399299",
            "to_ids": true,
            "type": "sha1",
            "uuid": "5bd9e1fe-68b2-415c-9604-bfe5d28c0d34",
            "value": "f243b93714ae55372bb849f7193044e17d6b146f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776399299",
            "to_ids": true,
            "type": "sha256",
            "uuid": "ea889310-eaad-4e26-a8b6-09937cb33abc",
            "value": "010601e408a090be561e10c23ae17342d8d82ca65b2b280215bb9268bae8381a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776397950",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "3dbc2fd0-3268-4889-b843-93dff652b772",
            "value": "3:4xtllvptkldQ3kNP9Kklw7BJizl//Lr1UYrlllALFSHxIuFhFyC6PJSHKuLLGPer:4xtJCUOblw7BJYXHp2LgquFTsuLQebRJ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776397950",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "51f92199-3023-4d65-b82a-f69517a5280f",
            "value": "305"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776397950",
            "to_ids": true,
            "type": "filename",
            "uuid": "cbf2ca91-9514-43e8-be27-34e746d21ec1",
            "value": "010601e408a090be561e10c23ae17342d8d82ca65b2b280215bb9268bae8381a.lnk"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/04/2026\nLast-scan: 14/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776397950",
            "to_ids": false,
            "type": "text",
            "uuid": "8c1a392b-a646-4aea-8f0b-7859030a57ec",
            "value": "Type Description: Windows shortcut\nMicrosoft: Trojan:Script/Wacatac.B!ml\nVT Total Detection:5/63\nFirst Submission:2026-04-11T20:25:21.000000+00:00\nLast Submission:2026-04-11T20:25:21.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776400791",
        "uuid": "934b0af5-9171-4373-bbae-3fdf461027fb",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776400791",
            "to_ids": true,
            "type": "md5",
            "uuid": "e72b6b25-26c7-45be-b0c7-0f8cfe8430f4",
            "value": "88e5c48cd7d0ba596c136967b28803aa",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776399300",
            "to_ids": true,
            "type": "sha1",
            "uuid": "35aa2bcd-7aa6-4fb3-9963-1a715a898281",
            "value": "ff6f3b93df69a7960cd9b20448dc522c5f715dd5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776399301",
            "to_ids": true,
            "type": "sha256",
            "uuid": "ab0eccf7-3d7c-4406-af8d-69147c6ee6d0",
            "value": "439391f35a6cffcfa1c6cb3e5e8f25ed4055cd10664a7e9ed438dd0fdcda9965",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776397972",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "0e6bfe06-8ee0-4ba5-b716-160c9bbcff46",
            "value": "48:w2QkMAqHP43J0dS5uTgD/A3Nnsk6Afo8/uS:KkUP4ZkS56kUf6qo8mS"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776397972",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "2cd5755d-e3ab-4bd6-85e3-690f8491e386",
            "value": "2273"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776397972",
            "to_ids": true,
            "type": "vhash",
            "uuid": "6c3210fc-ddf9-4f2f-8118-cedfd608f887",
            "value": "30b12941e0e823da1d6c675954eb2d04"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776397972",
            "to_ids": true,
            "type": "filename",
            "uuid": "a1b73152-0f67-4c1d-9d4b-a54fccf377ec",
            "value": "439391f35a6cffcfa1c6cb3e5e8f25ed4055cd10664a7e9ed438dd0fdcda9965.vbs"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/04/2026\nLast-scan: 14/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776397972",
            "to_ids": false,
            "type": "text",
            "uuid": "4c1d1877-e90e-4f8d-beb3-0d8cc79bdfd8",
            "value": "Type Description: VBA\nMicrosoft: Trojan:Win32/Egairtigado!rfn\nVT Total Detection:23/62\nFirst Submission:2026-04-11T20:37:46.000000+00:00\nLast Submission:2026-04-11T20:37:46.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776400812",
        "uuid": "8cf01f04-1cf1-44d8-a34d-ed5d247c5d71",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776400812",
            "to_ids": true,
            "type": "md5",
            "uuid": "ccd6b01e-038d-4330-8a0b-477556a485c9",
            "value": "db2fefe7fa768504ac64b8ef6942738b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776399301",
            "to_ids": true,
            "type": "sha1",
            "uuid": "6970bfe9-4826-4f41-a516-6d62def6a719",
            "value": "8c7048e8df52ecbd4d3af59de3d37cf6a2a19e10",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776399302",
            "to_ids": true,
            "type": "sha256",
            "uuid": "812a38b6-bdd7-4369-abe3-76cb1c3a8808",
            "value": "3a352caa662ec74a150e03ccc637eb347f4a0423f976837637ac1f2484f0d329",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776397994",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "b4746190-2bb9-495d-8542-66227b0c66ce",
            "value": "3:4xtllvptkldQ3kNP9Kklw7BJizl//Lr1UYrll8wWXX+FyC6w5fJWX3oGPebRJ:4xtJCUOblw7BJYXHpQtXX6eZebRJ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776397994",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4ce7e6a1-5b1c-4d72-985e-6ef760783e94",
            "value": "307"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776397994",
            "to_ids": true,
            "type": "filename",
            "uuid": "666c344c-efeb-4f65-8e67-91b2557f14d9",
            "value": "payload_1.lnk"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/04/2026\nLast-scan: 14/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776397994",
            "to_ids": false,
            "type": "text",
            "uuid": "12b0c5f6-f915-4bdb-9602-7671b07e1581",
            "value": "Type Description: Windows shortcut\nMicrosoft: Trojan:Script/Wacatac.B!ml\nVT Total Detection:8/63\nFirst Submission:2026-04-13T15:58:09.000000+00:00\nLast Submission:2026-04-13T15:58:09.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776400833",
        "uuid": "8b22ac1f-186e-4321-a5a5-7ef1e555a004",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776400833",
            "to_ids": true,
            "type": "md5",
            "uuid": "f12b2c12-f6fe-4849-abd0-cfe9fc6566b1",
            "value": "f5847ed553b087a7a684de6d4dee3df1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776399303",
            "to_ids": true,
            "type": "sha1",
            "uuid": "1db4139f-781e-4776-82b2-ee817a4c29da",
            "value": "d06a579b6f79350104e5c0db253d24626f9991b3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776399303",
            "to_ids": true,
            "type": "sha256",
            "uuid": "fef1c4bb-0cb5-4efa-9f2c-df26835f8524",
            "value": "e47b9382d9ac1ba3992308d75993b69255b1e4f4fe47c2e2b6cf6a7ec266da73",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776398015",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "97bfcd5b-64e0-47c0-970d-5832cd16ab08",
            "value": "384:j3CCmd4S3p5Y+ugCM0Y2FBAmOiaq0rJxmru83pN:WCY4ovY1gCM0YWMA0qxN"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776398015",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "ef1b9e62-2253-4e4b-be46-9da62165971b",
            "value": "27193"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776398015",
            "to_ids": true,
            "type": "filename",
            "uuid": "58ed3c67-6c7a-4af7-944c-fc14315e40f6",
            "value": "e47b9382d9ac1ba3992308d75993b69255b1e4f4fe47c2e2b6cf6a7ec266da73.ps1"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/04/2026\nLast-scan: 14/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776398015",
            "to_ids": false,
            "type": "text",
            "uuid": "0184c960-3c31-4696-b28c-5dca7399208d",
            "value": "Type Description: Powershell\nMicrosoft: Trojan:Win32/Ravartar!rfn\nVT Total Detection:20/63\nFirst Submission:2026-04-11T20:25:16.000000+00:00\nLast Submission:2026-04-13T13:38:32.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776400854",
        "uuid": "465c5927-61fe-4541-9cbf-646c54b02aa3",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776400854",
            "to_ids": true,
            "type": "md5",
            "uuid": "f971bd40-55da-4092-aa5a-3d3a004f54b8",
            "value": "4caad276e3b3181e3b1b6f86a2ad47c7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776399303",
            "to_ids": true,
            "type": "sha1",
            "uuid": "027a3161-9c39-406c-8290-c3ee4d956b03",
            "value": "0cb685347014692905022a931d24973213766833",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776399304",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b831c913-d2be-4382-a3bc-3116adee094a",
            "value": "5a011813db8497a4db303c90cb5f1948fcf4fcdd8bbe16c0e029195e6734d4f2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776398037",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "506dbde3-4f3e-4af2-ae2a-a7e52e70cbb5",
            "value": "48:w2ukMAqHP43J0dS5uTgD/A3Nnsk6Afo8/uS:AkUP4ZkS56kUf6qo8mS"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776398037",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "334cc4a2-d016-4bfc-8025-5be2e8f165ed",
            "value": "2275"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776398037",
            "to_ids": true,
            "type": "vhash",
            "uuid": "415b2711-97b2-4dbf-81f7-06db5fd3f1cf",
            "value": "30b12941e0e823da1d6c675954eb2d04"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776398037",
            "to_ids": true,
            "type": "filename",
            "uuid": "5e7efe79-914b-4e91-b2d4-a263e92e61a0",
            "value": "form_00007.pdf.vbs"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/04/2026\nLast scan: 14/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776398037",
            "to_ids": false,
            "type": "text",
            "uuid": "ac9c3794-b241-4894-afcd-8d138624acd1",
            "value": "Type Description: VBA\nMicrosoft: Trojan:Win32/Ravartar!rfn\nVT Total Detection:15/62\nFirst Submission:2026-04-13T17:42:09.000000+00:00\nLast Submission:2026-04-13T17:42:09.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776400875",
        "uuid": "f72200e1-5e73-4fb9-96b4-5cba7a90cf30",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776400875",
            "to_ids": true,
            "type": "md5",
            "uuid": "4f155319-b34c-427f-b702-1a2bc7b6772b",
            "value": "cbce4874c77dbc33a2b21bb0bcc24b86",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776399304",
            "to_ids": true,
            "type": "sha1",
            "uuid": "2c6182c5-474f-4805-8a7e-9f1354943bda",
            "value": "d2de3ed3f527e27adc19bc881c33bdc4a27481ba",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776399304",
            "to_ids": true,
            "type": "sha256",
            "uuid": "22ad34e4-96c7-4ec7-a7b9-8b643c43f9d2",
            "value": "ee5b302161c9a29defd0a9d3be674e831775099475dbf02d10949e4a4e8ae265",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776398059",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "587e7e77-d227-487e-b985-1113fd972633",
            "value": "384:43CVXd5ugka9Ns3lJRUK9teLKkzK9PZWxS66IiyHtEp8syEyF:nBjHvcJNWLGhwWIiyN5ES"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776398059",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "68d1901c-1c7e-45b8-9e75-71cf2dafcafe",
            "value": "27193"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776398059",
            "to_ids": true,
            "type": "filename",
            "uuid": "4529688f-1a79-489b-84c0-e72dde66a043",
            "value": "407551050"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/04/2026\nLast scan: 14/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776398059",
            "to_ids": false,
            "type": "text",
            "uuid": "cbe37fe7-4065-41b1-a914-4b0c29e1b9fe",
            "value": "Type Description: Powershell\nMicrosoft: Trojan:Script/Wacatac.B!ml\nVT Total Detection:14/63\nFirst Submission:2026-04-13T13:32:35.000000+00:00\nLast Submission:2026-04-13T13:32:35.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776400897",
        "uuid": "db876735-a577-4b2b-8d73-c15ea32d4b49",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776400897",
            "to_ids": true,
            "type": "md5",
            "uuid": "59bd4f77-6508-47c4-aa91-b4ac2152a272",
            "value": "cbab4a91fff85beaf9096736d33c110e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776399305",
            "to_ids": true,
            "type": "sha1",
            "uuid": "1171e3cb-177d-43d1-998a-d94bff9a5c1b",
            "value": "3fb78394fa51f227f903ab63618f01e7344d501a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776399305",
            "to_ids": true,
            "type": "sha256",
            "uuid": "32086be5-7c4c-41a5-943f-6f8ab55f6723",
            "value": "f74128de852336b27069a677eebbf7e4ee751c294b96b17c1200cbd65a90793d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776398081",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "3e4b4731-33b5-47db-91c0-5a63ee8e6899",
            "value": "384:P3C1UiosAm+rfd5CZsmYOLs+JqLKsFKHhdg5zJ4:61UiosN+7XOwix4K8z2"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776398081",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4180c5c8-c6b1-455e-9b62-547ff9bac341",
            "value": "27173"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776398081",
            "to_ids": true,
            "type": "filename",
            "uuid": "7dfe00c4-29b1-46c3-8e9b-4fed72bff3e6",
            "value": "f74128de852336b27069a677eebbf7e4ee751c294b96b17c1200cbd65a90793d.ps1"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/04/2026\nLast scan: 16/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776398081",
            "to_ids": false,
            "type": "text",
            "uuid": "6938d011-f8fb-43e7-b34e-6187177d342a",
            "value": "Type Description: Powershell\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:27/63\nFirst Submission:2026-04-13T14:54:13.000000+00:00\nLast Submission:2026-04-13T17:27:45.000000+00:00"
          }
        ]
      }
    ]
  }
}