{
  "Event": {
    "analysis": "1",
    "date": "2026-03-25",
    "extends_uuid": "",
    "info": "[Threat Intel] EtherRAT & SYS_INFO Module: C2 on Ethereum (EtherHiding), Target Selection, CDN-Like Beacons",
    "protected": false,
    "publish_timestamp": "1775900425",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1775900424",
    "uuid": "acc1f507-719e-40a5-b9d6-cf346c5d4a8a",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#4d62fa",
        "local": false,
        "name": "misp-galaxy:producer=\"eSentire\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#e7d48a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\"",
        "relationship_type": ""
      },
      {
        "colour": "#7773ac",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#2c1d2e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Checks - T1497.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#9f6bd9",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"",
        "relationship_type": ""
      },
      {
        "colour": "#20f80d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#62f4c1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#57997c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Bidirectional Communication - T1102.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#d82db7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Query Registry - T1012\"",
        "relationship_type": ""
      },
      {
        "colour": "#3c0f50",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#50bcaa",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Discovery - T1518\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"EtherRAT\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774609220",
        "to_ids": false,
        "type": "link",
        "uuid": "e923a43c-ff90-456d-a7b6-57f845c23857",
        "value": "https://www.esentire.com/blog/etherrat-sys-info-module-c2-on-ethereum-etherhiding-target-selection-cdn-like-beacons"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774609220",
        "to_ids": false,
        "type": "text",
        "uuid": "030088a9-cc75-4aa5-9570-6c4bc922df8b",
        "value": "EtherRAT, a Node.js-based backdoor linked to a North Korean APT group, was detected in a retail customer's environment. It allows arbitrary command execution, extensive system information gathering, and asset theft. The malware uses 'EtherHiding' to store C2 addresses in Ethereum smart contracts, making infrastructure resilient to takedowns. It communicates using CDN-like beaconing to blend with normal traffic. Initial access varied, including ClickFix and IT Support scams via Microsoft Teams. A SYS_INFO module performs comprehensive host fingerprinting for target selection. The malware checks for CIS languages and self-destructs if found. It collects detailed system information, including hardware, software, and network details."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774609220",
        "to_ids": false,
        "type": "text",
        "uuid": "181fb25f-1219-4817-9c2a-e36cc9c7cb35",
        "value": "Name: EtherRAT & SYS_INFO Module: C2 on Ethereum (EtherHiding), Target Selection, CDN-Like Beacons\nAuthor: AlienVault\nAdversary: North Korean APT group\nTags: [\"sys_info module\", \"backdoor\", \"cdn-like beaconing\", \"ethereum\", \"host fingerprinting\", \"cis language check\", \"etherhiding\", \"node.js\", \"it support scams\", \"etherrat\"]\nTgtd countries: []\nMlwr families: [\"EtherRAT\"]\nAttack_ids: [\"T1033\", \"T1133\", \"T1204.002\", \"T1497.001\", \"T1082\", \"T1140\", \"T1016\", \"T1059\", \"T1083\", \"T1057\", \"T1547.001\", \"T1027\", \"T1102.002\", \"T1012\", \"T1027.002\", \"T1071.001\", \"T1518\", \"T1105\"]\nIndustries: [\"Retail\", \"Business Services\", \"Software\", \"Finance\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774609220",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "900c842a-d8ff-400b-8d15-60ecd652a6b4",
        "value": "North Korean APT group"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775885186",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "f4390e17-50dd-4527-a070-b521748fe7b9",
        "value": "185.218.19.162",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775885208",
        "to_ids": true,
        "type": "domain",
        "uuid": "e15707e6-57e2-49a8-852d-1a6ca98f10d0",
        "value": "aurineuroth.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775885230",
        "to_ids": true,
        "type": "domain",
        "uuid": "8996765b-8072-4913-9489-74f29f006008",
        "value": "euclidrent.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775885251",
        "to_ids": true,
        "type": "domain",
        "uuid": "7c391668-b674-453b-b2ac-1623b6cc617a",
        "value": "hayesmed.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775885272",
        "to_ids": true,
        "type": "domain",
        "uuid": "7bff7674-603e-494e-b7c5-3ef9324ddc38",
        "value": "jariosos.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775885293",
        "to_ids": true,
        "type": "domain",
        "uuid": "a49ebb28-20ed-4b09-accf-634f86e8cd66",
        "value": "justtalken.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775885315",
        "to_ids": true,
        "type": "domain",
        "uuid": "887293d6-ea4f-4df9-9025-e4e4bffdfbe1",
        "value": "mebeliotmasiv.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775885336",
        "to_ids": true,
        "type": "domain",
        "uuid": "94190ea4-45ce-48d6-8c8b-2fd3cc24f75f",
        "value": "o-parana.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775885357",
        "to_ids": true,
        "type": "domain",
        "uuid": "70190c7d-55e4-4cd0-a32a-89f95dffa155",
        "value": "palshona.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775885378",
        "to_ids": true,
        "type": "domain",
        "uuid": "6483ebc7-6df1-4826-8b49-e89f722b2f28",
        "value": "regancontrols.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775885400",
        "to_ids": true,
        "type": "domain",
        "uuid": "d80de75a-75c2-4d7c-9671-efbd82d02788",
        "value": "salinasrent.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775885421",
        "to_ids": true,
        "type": "domain",
        "uuid": "db3dde25-3701-4752-8d06-c7099327d047",
        "value": "shepherdsestates.uk",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775885443",
        "to_ids": true,
        "type": "hostname",
        "uuid": "c2f0239e-9f3b-4af0-8af5-1afc70f3535f",
        "value": "rpc.payload.de",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775885464",
        "to_ids": true,
        "type": "hostname",
        "uuid": "c041028c-4141-4e47-93cb-c3e8bd36e39a",
        "value": "www-flow-submission-management.shepherdsestates.uk",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
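        "comment": "Node.js download URL (official nodejs.org runtime archive, legitimate on its own; use as context, not as a standalone detection or block indicator)",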
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775885485",
        "to_ids": true,
        "type": "url",
        "uuid": "518a0a48-15a6-4700-8086-aa60cc442624",
        "value": "https://nodejs.org/dist/v18.17.0/node-v18.17.0-win-x64.zip",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775885506",
        "uuid": "21be6c43-1aa4-4b8d-be06-66fae4c7130c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775885506",
            "to_ids": true,
            "type": "md5",
            "uuid": "3176fc0a-5564-4331-b257-7112efc87f89",
            "value": "2d1b18eefce3e072b33cec25168a35a7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775884279",
            "to_ids": true,
            "type": "sha1",
            "uuid": "6cba82a7-9a7b-4906-b6eb-5d20fb5bb87f",
            "value": "cd269e47c5bbfab242bf3ae6a33dccc08a3937fc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775884280",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f68a1664-6c0f-48e5-a582-635658f12e14",
            "value": "03c4e54cc775ab819752dc5d420ab2fed03bd445c3ce398d021031100b334fb4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775881902",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "3b843e3d-b47f-4b74-b4c2-54079947417b",
            "value": "192:iTyaCvkkMg05XpZCuJ/DNwWRIUgLUcykd1Km9vV9Cz5NsG1Mdpvx6q0gjALynHAb:5MVxxJS3v6z1MZAPYo"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775881902",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "c30251f8-5969-4979-b6fc-782a813f700c",
            "value": "13868"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775881902",
            "to_ids": true,
            "type": "vhash",
            "uuid": "a0aedb88-c6f0-4033-9fc2-efeea599d4b9",
            "value": "f628bdc8f2d6a1bfc1fb5b1a483f1d8f"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775881902",
            "to_ids": true,
            "type": "filename",
            "uuid": "04dd18ed-9bb8-4f97-9f49-c6ba3bf1af9f",
            "value": "EtherRAT_Deobfuscated.js"
          },
          {
            "category": "Other",
            "comment": "Checked: 11/04/2026\nLast-scan\t:  11/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775881902",
            "to_ids": false,
            "type": "text",
            "uuid": "24dd5078-374d-44dd-9593-f18d8ce1a151",
            "value": "Type Description: JavaScript\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:23/62\nFirst Submission:2026-03-17T17:30:10.000000+00:00\nLast Submission:2026-03-20T23:00:18.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775885527",
        "uuid": "e5a75aa2-b86b-4a32-ac35-8d3a1d29ed50",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775885527",
            "to_ids": true,
            "type": "md5",
            "uuid": "e8584e30-2ef5-4ca5-bf7b-6c386cf42980",
            "value": "56b173c0b7b17839d0e38e3cce676568",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775884280",
            "to_ids": true,
            "type": "sha1",
            "uuid": "18ba251f-df15-40db-a70c-360946435033",
            "value": "938f0acfea8cde3d46c249453c213011793b1ea8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775884280",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1e504013-677f-4266-b930-df755388fd18",
            "value": "294c597c89023093e1e175949f5104f887b89cd8e1cf1d3192ee9032739f259e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775881924",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "3ddcd127-8a47-444b-8125-0b4777b3e5cf",
            "value": "768:Lwfmvs8WVdXy5oyMaZpkW0ohbXAoAUeWMbCOBN/nq:ays8MAoyrHBXPAUobO"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775881924",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7d0e8978-5f22-4395-a328-cc906cfb39bf",
            "value": "48640"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775881924",
            "to_ids": true,
            "type": "vhash",
            "uuid": "f812d17d-46e8-45d9-9d9b-d7835d9991be",
            "value": "c0898bab35bfdb4cf79d4dc80efd6624"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775881924",
            "to_ids": true,
            "type": "filename",
            "uuid": "eb233921-65ca-4115-b0bf-63f2ab593573",
            "value": "10722.msi"
          },
          {
            "category": "Other",
            "comment": "Checked: 11/04/2026\nLast-scan\t:  07/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775881924",
            "to_ids": false,
            "type": "text",
            "uuid": "1c8ffc4f-7e62-4468-a317-91a6ab47160e",
            "value": "Type Description: Windows Installer\nMicrosoft: Trojan:Win32/Ravartar!rfn\nVT Total Detection:24/62\nFirst Submission:2026-03-11T11:57:58.000000+00:00\nLast Submission:2026-03-11T11:57:58.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775885548",
        "uuid": "4d35bcda-aa6f-470a-b941-d8dda25943f8",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775885548",
            "to_ids": true,
            "type": "md5",
            "uuid": "3c47c131-4c47-4178-bd9c-3108049b49a0",
            "value": "e8d933c3e5129d98a3068162f4fd49a8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775884282",
            "to_ids": true,
            "type": "sha1",
            "uuid": "02c5ee38-2114-4049-bdcb-15f94421901e",
            "value": "7d52102923c61d7d5b8fbffb8eeb1d198850cc12",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775884282",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a328723a-89ed-49d3-bef0-6fe4f38f6472",
            "value": "2edf1ab615b489e228a89c617d24f66d1e780a6d5e30f6886608dfe79325acf8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775881946",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "b05983ad-35e4-460a-a6f4-e7d3d7d3d998",
            "value": "12:BrcQPMaCI+6DrnYFRHBrhSrhSrhSrhI9FEEzzgSAgnDldEzG6md4Nbjb:LMaCoPYFRHBggg+96EgSAMDDEfq4Nz"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775881946",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "acfe698a-9b1d-4fb3-8e21-5d24341f53f5",
            "value": "527"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775881946",
            "to_ids": true,
            "type": "vhash",
            "uuid": "2dbdde6d-9704-4607-9428-6007a3bcf05c",
            "value": "d1f491a404d6854880943e5c3cd9ca25"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775881946",
            "to_ids": true,
            "type": "filename",
            "uuid": "3345984c-65c5-4e4e-98d7-06fd34ca2a79",
            "value": "shep.hta"
          },
          {
            "category": "Other",
            "comment": "Checked: 11/04/2026\nLast-scan\t:  07/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775881946",
            "to_ids": false,
            "type": "text",
            "uuid": "bcb1c93b-91af-480e-8a20-fdd1490122a9",
            "value": "Type Description: HTML\nMicrosoft: None\nVT Total Detection:2/62\nFirst Submission:2026-03-11T11:56:55.000000+00:00\nLast Submission:2026-03-12T00:35:32.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775885570",
        "uuid": "66c87e11-86a5-407b-8d2d-1d03ea74ebb4",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775885570",
            "to_ids": true,
            "type": "md5",
            "uuid": "7020102d-b9ac-4c31-b129-55bf1a867aec",
            "value": "d36df910594e50746ed191728b79fa83",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775884283",
            "to_ids": true,
            "type": "sha1",
            "uuid": "12d442a4-3a32-4373-bcd4-9586d2d0550c",
            "value": "83741ef87f15ec48cbd0388e5fd5616cd854e46c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775884283",
            "to_ids": true,
            "type": "sha256",
            "uuid": "6cfa06c4-08de-4244-b70c-e783dbb05bab",
            "value": "47f74749cfcd55c8dacde2cc9b4c45282bec7a93ee19b7b81b452c99758d3370",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775881967",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "01be523a-ed0b-4b7a-8a49-ec5899537176",
            "value": "96:K7WwzG8LjLbjUx6jDyj05cTVWVFONClPaULT1YDWHwZoJe54bl5DYlBZ:K7WwzjLPUxuDG052sOI4aK0e2u"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775881967",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a58ae3e9-070e-4914-a013-91e7f670e142",
            "value": "5685"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775881967",
            "to_ids": true,
            "type": "vhash",
            "uuid": "6b64e026-3939-486b-9398-2cbf95938f9d",
            "value": "4571afab3a8c76fa1477c18ebcf32d95"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775881967",
            "to_ids": true,
            "type": "filename",
            "uuid": "b06d0a40-5582-4787-b297-47b04b95f559",
            "value": "2.js"
          },
          {
            "category": "Other",
            "comment": "Checked: 11/04/2026\nLast-scan\t:  07/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775881967",
            "to_ids": false,
            "type": "text",
            "uuid": "fab63d9d-0267-4cf1-964c-fe3fcddaaaec",
            "value": "Type Description: JavaScript\nMicrosoft: None\nVT Total Detection:2/62\nFirst Submission:2026-03-17T17:35:04.000000+00:00\nLast Submission:2026-03-17T17:35:04.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775885592",
        "uuid": "4957754c-31db-432e-b0a3-b3b765ff9ecd",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775885592",
            "to_ids": true,
            "type": "md5",
            "uuid": "1856005f-304e-49be-8ea4-c5b9852e6048",
            "value": "95f614f679de019ec02cdaec8f9792f6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775884284",
            "to_ids": true,
            "type": "sha1",
            "uuid": "ab9e22d3-8b54-43a0-bdd0-c20cb4cc171e",
            "value": "17297277cbdb9c6f535408067c0e5bf8c386c515",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775884284",
            "to_ids": true,
            "type": "sha256",
            "uuid": "637bfcf1-cc78-4612-84c4-ba1fab518dfc",
            "value": "5623f4f8942872b2b7cb6d2674c126a42bdf6ed5d1f37c1afc348529e4697d73",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775881989",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "23a0a47e-bf00-4dbc-9f77-8994383c1b4b",
            "value": "12:bcyRfXGeU+cTxEOdx0xMwpvGrRwcQWLNePH2OomB:bcofXGeU+yuO/0b+rRw8LNL9mB"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775881989",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "cf2e18bf-d6f2-484f-b110-29a2f49a32f4",
            "value": "436"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775881989",
            "to_ids": true,
            "type": "vhash",
            "uuid": "a93e6635-e5f7-4360-b732-9e789bc25651",
            "value": "475dc6717a8720a0dd4d18701cd0b6ea"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775881989",
            "to_ids": true,
            "type": "filename",
            "uuid": "dce058a9-d141-4082-9f2a-e97039ff5828",
            "value": "RkKbfV3yUp1q"
          },
          {
            "category": "Other",
            "comment": "Checked: 11/04/2026\nLast-scan\t:  11/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775881989",
            "to_ids": false,
            "type": "text",
            "uuid": "ca169029-7426-42e3-903f-a516b7faefb5",
            "value": "Type Description: JavaScript\nMicrosoft: Trojan:Script/Wacatac.B!ml\nVT Total Detection:17/63\nFirst Submission:2026-03-11T12:05:30.000000+00:00\nLast Submission:2026-03-17T17:31:53.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775885613",
        "uuid": "53f26ee3-2e2a-46b8-b9bc-cf04184a31fa",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775885613",
            "to_ids": true,
            "type": "md5",
            "uuid": "f1b9a18f-28fa-450a-ae52-f04ecbf9d308",
            "value": "8b304465b85232527962838d6e273ff5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775884286",
            "to_ids": true,
            "type": "sha1",
            "uuid": "4fb8c2b5-5342-4158-8384-72a2fa359a0e",
            "value": "a22ee46a163e9c6aa94061bb6dcb7c0e29b2dfa0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775884286",
            "to_ids": true,
            "type": "sha256",
            "uuid": "77373fcf-9b6b-436f-8461-150ca8019498",
            "value": "7dd1bf7a58774a081062f5c8f183d24f95c433805e0bf73280c0adba1c71390d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775882011",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "7fa75165-f284-4970-a98c-342cda425cd8",
            "value": "384:XnDTqgSMF/OnmcoJdkDE08UllqgAlrZk6WXirJDtHPwbopa+R8lfG8fEWmLFVQFs:XDTXF/OMdkDE08UrqgAJy6WXirJDtHPH"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775882011",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "5ea622b5-605c-4c7c-bad8-110f21ca9eeb",
            "value": "22751"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775882011",
            "to_ids": true,
            "type": "vhash",
            "uuid": "177b5823-e403-4d01-a710-542a293fd260",
            "value": "9364066a5558e9780e1579313bb9bf7e"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775882011",
            "to_ids": true,
            "type": "filename",
            "uuid": "20447a77-0a88-47eb-93de-3c431d252203",
            "value": "v114l.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 11/04/2026\nLast-scan\t:  07/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775882011",
            "to_ids": false,
            "type": "text",
            "uuid": "1d4aa3f8-468d-4d5a-8646-539c315b99cb",
            "value": "Type Description: JavaScript\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:21/62\nFirst Submission:2026-03-11T12:05:33.000000+00:00\nLast Submission:2026-03-17T17:34:37.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775885634",
        "uuid": "6ef1982e-8bb6-460d-aa69-1b4d2d06a23e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775885634",
            "to_ids": true,
            "type": "md5",
            "uuid": "355431ae-51d4-41b7-b641-d6a9c15340d3",
            "value": "5cbabb4dd614f04f43b041b8f2389b2c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775884286",
            "to_ids": true,
            "type": "sha1",
            "uuid": "b9a9cba7-a4af-40e3-a63c-58953d634b38",
            "value": "22c46905bb64d5c15fd2eb06e30d84525d6c5123",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775884287",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4df9ac3c-e3ae-4ec3-9042-2688243bb2ec",
            "value": "83b1f11c6a0bd267e415136440559131d2d4ace9a65dc221ea3b144fe0e7199b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775882033",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "eec0639f-7cb2-4e5b-97ea-ec5ad7a13e33",
            "value": "192:+AXw5zXIo0iou9V9BMG6B98ffcfp/BiEgjvIf14fpC5ev8/BuYePOetklXvTSv83:XXY7pH9V9LkkEEvWCCeyeCU8sI"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775882033",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "86b8046d-d07a-469a-8594-df69960793bc",
            "value": "14639"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775882033",
            "to_ids": true,
            "type": "filename",
            "uuid": "acd77ffd-802a-44af-8715-34821478464e",
            "value": "SYS_INFO.js"
          },
          {
            "category": "Other",
            "comment": "Checked: 11/04/2026\nLast-scan\t:  10/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775882033",
            "to_ids": false,
            "type": "text",
            "uuid": "0557342c-ae38-4cf2-8e4d-2ea491eb2655",
            "value": "Type Description: JavaScript\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:22/62\nFirst Submission:2026-03-17T17:28:39.000000+00:00\nLast Submission:2026-03-17T17:28:39.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775885655",
        "uuid": "18e3fcd2-d08d-48fe-a8e5-b3ea453b0a68",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775885655",
            "to_ids": true,
            "type": "md5",
            "uuid": "490213ed-92b0-4cf7-9f0d-888ddec0cdbc",
            "value": "05f1bba0810c3a999355d24187c02442",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775884288",
            "to_ids": true,
            "type": "sha1",
            "uuid": "fbed7be6-d768-4125-81e4-587f6fb19043",
            "value": "cbf40f75438890f44e63f4e3d81a7e5d0118111b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775884288",
            "to_ids": true,
            "type": "sha256",
            "uuid": "989c9ac5-6caa-4873-a88d-311c203db9e2",
            "value": "b1ee812e7c786c8696f913595658e57706d97a66ca7b7634f421f5c552e7002b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775882054",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a45bde42-d645-4ee3-98a2-9583e63751a6",
            "value": "48:mkgbX7GGyup2gaEU1UH9WAOrlm2S7AjwaXk0iZC2O5QOq97/R4VVFV9/Hkc7:mJX7Gnup29EAFmdA0aXKO5q47zec7"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775882054",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a4160f6b-b5a7-466c-85ef-d533fd9b9a0d",
            "value": "2534"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775882054",
            "to_ids": true,
            "type": "vhash",
            "uuid": "b11590e8-34ca-40b7-8086-ca78cbc1e85c",
            "value": "6c6733d7e29f116b67468f15f1952ea3"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775882054",
            "to_ids": true,
            "type": "filename",
            "uuid": "683e1b96-717d-4fad-9853-feac4cc976d7",
            "value": "2-deobfuscated.js"
          },
          {
            "category": "Other",
            "comment": "Checked: 11/04/2026\nLast-scan\t:  09/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775882054",
            "to_ids": false,
            "type": "text",
            "uuid": "e31dd1cb-5dcb-40b0-9f8d-43e450951ef0",
            "value": "Type Description: JavaScript\nMicrosoft: None\nVT Total Detection:1/62\nFirst Submission:2026-03-17T17:30:58.000000+00:00\nLast Submission:2026-03-17T17:30:58.000000+00:00"
          }
        ]
      }
    ]
  }
}