{
  "Event": {
    "analysis": "1",
    "date": "2026-03-19",
    "extends_uuid": "",
    "info": "[Threat Intel] Copyright Lures Mask a Multi-Stage PureLog Stealer Attack on Key Industries",
    "protected": false,
    "publish_timestamp": "1775231583",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1775231582",
    "uuid": "ca463ae1-41b2-4825-86f2-2d100a64c41a",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#717bc3",
        "local": false,
        "name": "misp-galaxy:producer=\"Trend Micro\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ee8d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"",
        "relationship_type": ""
      },
      {
        "colour": "#177fb7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Rundll32 - T1218.011\"",
        "relationship_type": ""
      },
      {
        "colour": "#72ee33",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7da4ad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#3bc6ad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Code Signing - T1553.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#bf01b7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"",
        "relationship_type": ""
      },
      {
        "colour": "#1cbe6b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Virtualization/Sandbox Evasion - T1497\"",
        "relationship_type": ""
      },
      {
        "colour": "#62f4c1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#d82db7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Query Registry - T1012\"",
        "relationship_type": ""
      },
      {
        "colour": "#3f00e6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Compile After Delivery - T1027.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#3c0f50",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#b8ab01",
        "local": false,
        "name": "misp-galaxy:target-information=\"United States\"",
        "relationship_type": ""
      },
      {
        "colour": "#b990dd",
        "local": false,
        "name": "misp-galaxy:target-information=\"Australia\"",
        "relationship_type": ""
      },
      {
        "colour": "#1faf16",
        "local": false,
        "name": "misp-galaxy:target-information=\"Canada\"",
        "relationship_type": ""
      },
      {
        "colour": "#5ed128",
        "local": false,
        "name": "misp-galaxy:target-information=\"Germany\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774004413",
        "to_ids": false,
        "type": "link",
        "uuid": "fb7b47d5-3c8a-4b57-b511-ea001bb34db2",
        "value": "https://www.trendmicro.com/en_us/research/26/c/copyright-lures-mask-a-multistage-purelog-stealer-attack.html"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774004413",
        "to_ids": false,
        "type": "text",
        "uuid": "2311e787-ee4c-4c4a-9bd1-cdadfec8b71c",
        "value": "A sophisticated malware campaign delivering PureLog Stealer has been identified, targeting healthcare, government, hospitality, and education sectors in multiple countries. The attack uses localized copyright violation lures to trick victims into executing a multi-stage infection chain. The malware employs encrypted payloads, remote key retrieval, and fileless execution techniques to evade detection. It utilizes a Python-based loader and dual .NET loaders to run PureLog Stealer entirely in memory. The campaign incorporates AMSI bypass, registry persistence, screenshot capture, and victim fingerprinting for stealth and intelligence gathering. Evidence confirms communication with PureLog-associated infrastructure."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774004413",
        "to_ids": false,
        "type": "text",
        "uuid": "b8595505-63c7-4045-a0de-ed4d7ce2279c",
        "value": "Name: Copyright Lures Mask a Multi-Stage PureLog Stealer Attack on Key Industries\nAuthor: AlienVault\nAdversary: \nTags: [\"copyright lure\", \"fileless execution\", \"targeted campaign\", \"purelog stealer\", \"information theft\", \"evasion techniques\", \"multi-stage attack\"]\nTgtd countries: [\"United States of America\", \"Australia\", \"Canada\", \"Germany\"]\nMlwr families: [\"PureLog Stealer\"]\nAttack_ids: [\"T1113\", \"T1218.011\", \"T1056.001\", \"T1036.005\", \"T1553.002\", \"T1082\", \"T1140\", \"T1055\", \"T1112\", \"T1497\", \"T1057\", \"T1059.001\", \"T1547.001\", \"T1027\", \"T1012\", \"T1027.004\", \"T1027.002\", \"T1071.001\"]\nIndustries: [\"Healthcare\", \"Government\", \"Hospitality\", \"Education\"]"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check: 03/04/2026 (DD/MM/YYYY)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775227104",
        "to_ids": true,
        "type": "sha1",
        "uuid": "d5f8d371-3393-4596-995d-a85559253ec2",
        "value": "d2e8d615e7c1a810993088a8c9291e0a4a7ed4c8",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check: 03/04/2026 (DD/MM/YYYY)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775227105",
        "to_ids": true,
        "type": "sha1",
        "uuid": "4c2e7ede-adda-425b-a682-cdbb11ba32ea",
        "value": "d874c3654bfb4fbf0c7c069f6e5b7ebd930415d0",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775230796",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "0d577576-dc65-410f-be35-23e1effcc00a",
        "value": "166.0.184.127",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775230817",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "fcd3bd81-b997-4012-a040-84292324a88e",
        "value": "64.40.154.96",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775230839",
        "to_ids": true,
        "type": "url",
        "uuid": "16ae9261-65a8-43c5-b528-ed7939c85e05",
        "value": "https://cdn.eideasrl.it/Notice%20of%20Alleged%20Violation%20of%20Intellectual%20Property%20Rights_1770380091603.zip",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775230860",
        "to_ids": true,
        "type": "url",
        "uuid": "701646cd-25a6-4928-921a-ce6d1dd70a16",
        "value": "https://quickdocshare.com/DQ",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775230881",
        "to_ids": true,
        "type": "url",
        "uuid": "5b76f2de-c779-4eff-9c88-0438d0a57771",
        "value": "https://quickdocshare.com/DQ/key",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775230902",
        "to_ids": true,
        "type": "url",
        "uuid": "b5e3521d-27df-4f96-bc34-0171079a10c6",
        "value": "https://transfer.af-k.de:443/webdownload?deliveryUuid=a43da640-777f-40c0-95de-64987150c869",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775230923",
        "to_ids": true,
        "type": "domain",
        "uuid": "c3c705ed-e219-46e7-ab37-3766afaebf56",
        "value": "quickdocshare.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775230945",
        "to_ids": true,
        "type": "hostname",
        "uuid": "a7f4b169-fb49-4bef-aff3-14a3fc966c25",
        "value": "cdn.eideasrl.it",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775230966",
        "to_ids": true,
        "type": "hostname",
        "uuid": "f590e2fc-6a06-4bef-adbf-70ac07b08c47",
        "value": "dq.bestshoppingday.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775230987",
        "to_ids": true,
        "type": "hostname",
        "uuid": "5382ea0b-cb7a-409a-8d48-39fab9959491",
        "value": "logs.bestsaleshoppingday.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775231008",
        "to_ids": true,
        "type": "hostname",
        "uuid": "012a9544-85d3-4c2e-aeb2-d7e44ee8eb7f",
        "value": "logs.bestshopingday.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775231029",
        "to_ids": true,
        "type": "hostname",
        "uuid": "0ea6d6f3-9863-4910-8720-6522c801f70f",
        "value": "mh.bestshopingday.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775231051",
        "to_ids": true,
        "type": "hostname",
        "uuid": "eae3ebaa-4eaf-40d2-b9f0-8d71a6129219",
        "value": "transfer.af-k.de",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check: 03/04/2026 (DD/MM/YYYY)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775227108",
        "to_ids": true,
        "type": "md5",
        "uuid": "41581df1-4aad-44d5-9332-4657062fdea7",
        "value": "fd16fecedab57b025ab53ad9ca4c882f",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check: 03/04/2026 (DD/MM/YYYY)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775227109",
        "to_ids": true,
        "type": "sha256",
        "uuid": "27455f2e-0f16-4867-a7a5-0a29df5e628b",
        "value": "35efc4b75a1d70c38513b4dfe549da417aaa476bf7e9ebd00265aaa8c7295870",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775231072",
        "to_ids": true,
        "type": "url",
        "uuid": "4624fb09-a1a0-495c-acd0-c794ec348f95",
        "value": "http://quickdocshare.com/DQ",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
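        "comment": "Tagged false-positive:risk=\"high\" while to_ids is true; corroborate with the hostname or URL indicators in this event before alerting or blocking on this address alone.",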
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775231093",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "5279c35b-32b4-40be-8533-7e50d02d31b0",
        "value": "172.64.80.1",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
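        "comment": "The md5, sha1 and sha256 attributes in this object are tagged false-positive:risk=\"high\"; the text attribute reports the file as pythonw.exe distributed by the Python Software Foundation, listed in NSRL, with 1/71 VT detections. Review before using these hashes or the filename as standalone detections.",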
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775231115",
        "uuid": "f4a45281-d681-4677-8721-c2d23a01b713",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775231115",
            "to_ids": true,
            "type": "md5",
            "uuid": "ba43ecaf-4140-4c67-a2d9-5271742042d1",
            "value": "bed2daedb43b0e5044edbabe6d1d27e8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#2c2142",
                "local": false,
                "name": "false-positive:risk=\"high\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775227097",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e4b79322-8386-4414-8f0a-ab0e5ff3ed3a",
            "value": "f4532fc1e5d53a732fcc883f7125ceb06b985048",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#2c2142",
                "local": false,
                "name": "false-positive:risk=\"high\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775227097",
            "to_ids": true,
            "type": "sha256",
            "uuid": "fd07bf35-65f2-4a0d-bcf2-b123f5dd5ee0",
            "value": "68c926af0d796a80fcaee24774b1ca0a2c393c3a0e30650c4d2d7965736043ca",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#2c2142",
                "local": false,
                "name": "false-positive:risk=\"high\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775226774",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "37c9f494-6124-4edc-9897-43eff78f7d3c",
            "value": "1536:2o2k6CIxHHWMpdPa5wiE21M8kJIGFvb1CwH//4stWycA89LBfIbH0v:oBwMpdCq/IM8uIGft//4sRT"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775226774",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "05a5c51c-b66c-4471-8e8e-5182d403d252",
            "value": "103256"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775226774",
            "to_ids": true,
            "type": "vhash",
            "uuid": "0c753130-dd60-4478-8069-1e3ca6334725",
            "value": "015056551d15655bzd!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775226774",
            "to_ids": true,
            "type": "filename",
            "uuid": "4dbd87cf-a128-4365-8813-344190c4661c",
            "value": "pythonw.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 03/04/2026 (DD/MM/YYYY)\nLast scan: 03/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775226774",
            "to_ids": false,
            "type": "text",
            "uuid": "c54d3803-8be4-4281-8d0a-56429cb58188",
            "value": "Type Description: Win32 EXE\nFile distributed by: ['Python Software Foundation']\nData sources: ['National Software Reference Library (NSRL)']\nVerdict filename: ['pythonw.exe']\nMicrosoft: None\nVT Total Detection:1/71\nFirst Submission:2025-12-05T21:42:17.000000+00:00\nLast Submission:2026-04-02T18:18:45.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775231137",
        "uuid": "61bc911b-ca87-4b43-97d0-5f54d250bee6",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775231137",
            "to_ids": true,
            "type": "md5",
            "uuid": "78eea2ea-a570-41dd-867b-9a0452e3e78a",
            "value": "f143c8fba478046700c8da0d5025b31a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775227098",
            "to_ids": true,
            "type": "sha1",
            "uuid": "637938b1-6530-4d4e-980a-a971a60db448",
            "value": "551e62437edab9e496ed3339f10a15cd35e3e819",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775227098",
            "to_ids": true,
            "type": "sha256",
            "uuid": "d2f92e38-9be3-4214-9fe8-60bbaf7b0d28",
            "value": "e675bc054481bdca6f8cd1d561869e18712dc05a42e5c24b9add7679efc7faf6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775226797",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "4e84197b-02db-4068-bef4-4435da0c1f08",
            "value": "24576:ff0dDq6IQMuzq/2qyUaRF6INTXNSqz8Huwkjjh:KQB4JtSqOlkjjh"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775226797",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "d5c0bcbc-b6db-44a0-926a-55733092bddd",
            "value": "1235198"
          },
          {
            "category": "Payload delivery",
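            "comment": "Generic file name. The enrichment text in this object reports the content type as Python, not PDF, so match on the hashes rather than on the name alone.",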
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775226797",
            "to_ids": true,
            "type": "filename",
            "uuid": "a4d42e32-2d17-4f42-9c0a-a89a90a4e8a9",
            "value": "instructions.pdf"
          },
          {
            "category": "Other",
            "comment": "Checked: 03/04/2026\nLast-scan\t:  31/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775226797",
            "to_ids": false,
            "type": "text",
            "uuid": "25801677-3257-4012-9b8a-c2773626285c",
            "value": "Type Description: Python\nMicrosoft: Trojan:Python/PureRat.AE!MTB\nVT Total Detection:8/63\nFirst Submission:2026-01-19T21:03:03.000000+00:00\nLast Submission:2026-01-19T21:03:03.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775231158",
        "uuid": "eb187a47-632e-461a-8091-9f00dffe9f7b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775231158",
            "to_ids": true,
            "type": "md5",
            "uuid": "93e9ba69-518d-4093-ace0-67c41acf10f7",
            "value": "a19f69539225238c6c44ea5fa5a2f701",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775227099",
            "to_ids": true,
            "type": "sha1",
            "uuid": "cf8971b0-e01f-4df6-8985-66cfbac05a21",
            "value": "0dfb8dd8fc3f194461af5b17779dd31eff70fccc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775227099",
            "to_ids": true,
            "type": "sha256",
            "uuid": "332c2628-2f67-47f4-a63e-51a72e29b50e",
            "value": "ac591adea9a2305f9be6ae430996afd9b7432116f381b638014a0886a99c6287",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775226860",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "351b6962-ab6a-48b3-8d10-efbcfb81654e",
            "value": "1572864:kCi5ywiEzxdrNWhgvdxIf4R3rgwYPHvDfiBWws14TWhLttaTX9c0pORseK:1lwb3rNRR3r6Om4TWhLttajDp6seK"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775226860",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f59fd858-4b42-40a8-998c-8d9db5685c9a",
            "value": "106190336"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775226860",
            "to_ids": true,
            "type": "vhash",
            "uuid": "9e4acca3-14c8-4003-8648-9cad7e8aad2d",
            "value": "118076655d155d05555az45&zb5b"
          },
          {
            "category": "Payload delivery",
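            "comment": "Shares its name with a legitimate Windows system DLL. A filename-only match will hit benign copies, so pair it with the hashes in this object or with an unexpected load path.",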
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775226860",
            "to_ids": true,
            "type": "filename",
            "uuid": "0dbb1e6d-8e51-4b20-b3da-2a224a41b241",
            "value": "urlmon.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 03/04/2026\nLast-scan\t:  31/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775226860",
            "to_ids": false,
            "type": "text",
            "uuid": "51a45949-e08c-4e05-8afe-684d328abeec",
            "value": "Type Description: Win32 DLL\nMicrosoft: Trojan:Win64/ShellCodeRunner.AB!MTB\nVT Total Detection:35/69\nFirst Submission:2026-02-06T08:21:07.000000+00:00\nLast Submission:2026-02-06T08:21:07.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775231179",
        "uuid": "8d0ecc29-caa5-429b-b16d-7223c2873811",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775231179",
            "to_ids": true,
            "type": "md5",
            "uuid": "a579093c-dd8d-4a5e-9c40-10d9f0ca1045",
            "value": "af470dc806e59bd1079151674ac1128f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775227102",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7f78a118-3f45-438a-b9cb-855984638b59",
            "value": "54c72a92f6251fe44bc03f928c6d6e31cc1a646f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775227102",
            "to_ids": true,
            "type": "sha256",
            "uuid": "7fab4fe3-a192-47ef-a3b5-a9ff01b44888",
            "value": "1539dab6099d860add8330bf2a008a4b6dc05c71f7b4439aebf431e034e5b6ff",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775226925",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "762941d9-4882-4700-9e3d-9e6920a40290",
            "value": "6144:HtAtK+u4x4ggEih1eLnSFzhEmINp7naBn2F/:NUdx4gPzSFzbI/7GnS/"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775226925",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "32c6248c-527e-4e6e-9283-a38f7bec3139",
            "value": "545752"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775226925",
            "to_ids": true,
            "type": "vhash",
            "uuid": "b7c8ce41-cde6-4e13-95d2-8b3695fb488e",
            "value": "055066551d1555155178z48z6055z41z1126z245z"
          },
          {
            "category": "Payload delivery",
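            "comment": "Enrichment text in this object shows 1/72 detections and no Microsoft verdict. The file may be a benign executable used by the chain; confirm before alerting or blocking on the name alone.",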
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775226925",
            "to_ids": true,
            "type": "filename",
            "uuid": "a8c57750-fd31-4ac3-9aa9-9389e9de6e6a",
            "value": "ADNotificationManager.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 03/04/2026\nLast-scan\t:  03/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775226925",
            "to_ids": false,
            "type": "text",
            "uuid": "ef694a38-6508-4768-8cd1-b828cb22aa97",
            "value": "Type Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:1/72\nFirst Submission:2025-11-03T18:02:34.000000+00:00\nLast Submission:2026-03-31T18:50:53.000000+00:00"
          }
        ]
      }
    ]
  }
}