{
  "Event": {
    "analysis": "1",
    "date": "2026-02-26",
    "extends_uuid": "",
    "info": "[Threat Intel] PlugX Meeting Invitation via MSBuild and GDATA",
    "protected": false,
    "publish_timestamp": "1772807239",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1772807239",
    "uuid": "ca907acf-f5a7-4b26-8c2f-66200682ffaf",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#4e4e0a",
        "local": false,
        "name": "misp-galaxy:producer=\"Lab52\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#57997c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Bidirectional Communication - T1102.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#08b028",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Asymmetric Cryptography - T1573.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#02475d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#e1e63b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#241a62",
        "local": false,
        "name": "misp-galaxy:target-information=\"Iceland\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"PlugX\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"APT29\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"OilRig\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772506815",
        "to_ids": false,
        "type": "link",
        "uuid": "a7f8aeac-243d-4663-a77e-7a72dbcc7a15",
        "value": "https://lab52.io/blog/plugx-meeting-invitation-via-msbuild-and-gdata"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772506815",
        "to_ids": false,
        "type": "text",
        "uuid": "c60737cf-1eee-47b6-9ffe-ee47844b1825",
        "value": "A recent PlugX campaign utilized phishing emails with a 'Meeting Invitation' lure to deploy malware through DLL side-loading. The infection chain begins with a zip file containing a malicious .csproj file and MSBuild executable. The .csproj file downloads three components: a legitimate G DATA Antivirus executable, a malicious Avk.dll (PlugX variant), and an encrypted AVKTray.dat file. The malware uses DLL side-loading, API hashing, and XOR encryption for obfuscation. It establishes persistence via the Run registry key and communicates with a command and control server. The campaign showcases PlugX's continued evolution while maintaining its core characteristics, highlighting its ongoing relevance in cyber-espionage operations."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772506815",
        "to_ids": false,
        "type": "text",
        "uuid": "5398eec7-70cb-45e8-90bf-be7271823c6e",
        "value": "Name: PlugX Meeting Invitation via MSBuild and GDATA\nAuthor: AlienVault\nAdversary: \nTags: [\"dll side-loading\", \"xor encryption\", \"api hashing\", \"rat\", \"g data antivirus\", \"plugx\", \"korplug\", \"phishing\"]\nTargeted countries: [\"Iceland\"]\nMalware families: [\"PlugX - S0013\", \"Thoper\", \"TVT\", \"DestroyRAT\", \"Sogu\", \"Kaba\", \"Korplug\"]\nAttack_ids: [\"T1140\", \"T1055\", \"T1547.001\", \"T1566\", \"T1027\", \"T1102.002\", \"T1573.002\", \"T1059.003\", \"T1574.002\"]\nIndustries: []"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\nLast check: 04/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772574442",
        "to_ids": true,
        "type": "sha256",
        "uuid": "9d5d0d24-72b4-43c3-9b56-aa122cff7b70",
        "value": "6df8649bf4e233ee86a896ee8e5a3b3179c168ef927ac9283b945186f8629ee7",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\nLast check: 04/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772574443",
        "to_ids": true,
        "type": "sha256",
        "uuid": "c88b8baf-05eb-4662-989e-3552a7ac4e42",
        "value": "d293ded5a63679b81556d2c622c78be6253f500b6751d4eeb271e6500a23b21e",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\nLast check: 04/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772574444",
        "to_ids": true,
        "type": "sha256",
        "uuid": "fe662d86-f4c3-46cd-a0e4-a67829f84b3c",
        "value": "e7ed0cd4115f3ff35c38d36cc50c6a13eba2d845554439a36108789cd1e05b17",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#230087",
            "local": false,
            "name": "rectifyq:samples-found-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772575590",
        "to_ids": true,
        "type": "domain",
        "uuid": "cbd71934-a53c-441c-9d57-c4d4ff87f40c",
        "value": "decoorat.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772575611",
        "to_ids": true,
        "type": "domain",
        "uuid": "3422acb3-198a-4ffe-bc11-d44d2096db6a",
        "value": "decoraat.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772575633",
        "to_ids": true,
        "type": "hostname",
        "uuid": "297071a1-86bf-457e-aa3c-7707edeade94",
        "value": "onedow.gesecole.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772575656",
        "to_ids": true,
        "type": "url",
        "uuid": "a801c22e-1a0b-4def-b8b5-421adbbd9a3d",
        "value": "https://onedow.gesecole.net/download",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "On port 443",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772575676",
        "to_ids": true,
        "type": "url",
        "uuid": "823c1d85-dbe9-4118-91d2-40c3c9fc18cf",
        "value": "https://decoraat.net",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772575698",
        "uuid": "0ddf5fb7-1831-4f43-9ec7-c5faca0f3407",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772575698",
            "to_ids": true,
            "type": "md5",
            "uuid": "7b051ef1-957d-4f4d-b9c0-615e90a3ba4b",
            "value": "381247c1d4c68a406237d7d3aa030930",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772574437",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7741294d-a5b6-495c-8de6-7ed80d2d42f8",
            "value": "1151100a0aa1ed88f7897709444fd3b3b1044c10",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772574437",
            "to_ids": true,
            "type": "sha256",
            "uuid": "18e4d215-8f9d-4e9e-85fe-3221cc0ebf18",
            "value": "29cd44aa2a51a200d82cca578d97dc13241bc906ea6a33b132c6ca567dc8f3ad",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772574177",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "62feecd2-d173-4e9d-800a-553f063559fb",
            "value": "3072:H2dP4WlUaFT7U4cy9YA4GvB8R+mFZipuqK358LWh5BA:WZxldRl8RzZQup2v"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772574177",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b6f0d6e1-3f1f-4eef-935a-229e3c1f3ad9",
            "value": "113212"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772574177",
            "to_ids": true,
            "type": "vhash",
            "uuid": "9659b967-7e3a-4eab-8dd5-312810b2f73b",
            "value": "1ce69ebbf5b51caae861f26f26ff2f23"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772574177",
            "to_ids": true,
            "type": "filename",
            "uuid": "2c9945ab-a148-4e38-995f-29984065b689",
            "value": "Invitation_Letter_No.02_2026.zip"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/03/2026\nLast scan: 27/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772574177",
            "to_ids": false,
            "type": "text",
            "uuid": "63a694b6-f499-4700-a4cf-be6a337c08b1",
            "value": "Type Description: ZIP\nMicrosoft: None\nVT Total Detection: 4/68\nFirst Submission: 2026-02-06T07:59:12.000000+00:00\nLast Submission: 2026-02-06T09:38:55.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772575720",
        "uuid": "68a3b642-2a35-4857-bdb9-3b687916df9f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772575720",
            "to_ids": true,
            "type": "md5",
            "uuid": "a9c9ac87-dcfe-4b0a-87be-5aa1bd28544e",
            "value": "769687f93869a70511aac1ef7c752455",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772574438",
            "to_ids": true,
            "type": "sha1",
            "uuid": "2972af8a-f8be-43c1-b6f9-ab33af308fbe",
            "value": "ad833604d230b241e180950980ea462b3812f82a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772574438",
            "to_ids": true,
            "type": "sha256",
            "uuid": "9b563cbc-d7e6-40c8-9d43-15679f239cea",
            "value": "46314092c8d00ab93cbbdc824b9fc39dec9303169163b9625bae3b1717d70ebc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772574200",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "45635bd1-7d44-4e9c-ac41-8d9cfde7d09f",
            "value": "48:vpgdn5Vnzk+0DPzdCH4iz40dMtvEAJ5B6NDGEhw0njK:Bz+iB0ZdmtMy5B6NDGgX"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772574200",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "e6d2e0f6-f8aa-421c-b650-34709b069017",
            "value": "5120"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772574200",
            "to_ids": true,
            "type": "vhash",
            "uuid": "580c90d8-4610-4b7d-9341-1d5f4a97ea56",
            "value": "15306665151d1d051.z9"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772574200",
            "to_ids": true,
            "type": "filename",
            "uuid": "6b486374-7907-4d55-8225-bacf36d0300c",
            "value": "46314092c8d00ab93cbbdc824b9fc39dec9303169163b9625bae3b1717d70ebc.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/03/2026\nLast scan: 03/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772574200",
            "to_ids": false,
            "type": "text",
            "uuid": "e88a7a29-abda-4c3e-8703-f8f539f826fd",
            "value": "Type Description: Win32 DLL\nMicrosoft: Trojan:Win32/Egairtigado!rfn\nVT Total Detection: 46/72\nFirst Submission: 2026-02-06T11:32:29.000000+00:00\nLast Submission: 2026-02-06T14:20:01.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772575741",
        "uuid": "6fc13615-301e-498d-a507-2b3a47d9e1ac",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772575741",
            "to_ids": true,
            "type": "md5",
            "uuid": "d95adaa5-7ed5-414c-a8eb-dcaaa00bbe4b",
            "value": "7a75e713db41c28378e823322fdea0fd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772574439",
            "to_ids": true,
            "type": "sha1",
            "uuid": "411f9d33-abe4-4f8f-84ef-d6b7787aed0c",
            "value": "d1a86ed06b18efef5ce724d2129cf1583b779b44",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772574439",
            "to_ids": true,
            "type": "sha256",
            "uuid": "7efaec45-890d-4679-bcaa-becb573da42e",
            "value": "de8ddc2451fb1305d76ab20661725d11c77625aeeaa1447faf3fbf56706c87f1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772574221",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "6f7d3471-34ed-4699-a487-ed09e9f8237c",
            "value": "96:9dztoUFOCpI5ENw7vnNU9i8OhVVOv8GZvFx:m5EuTB88VOLx"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772574221",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "3d5e570e-cbfd-478f-b80e-23269238f3aa",
            "value": "3249"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772574221",
            "to_ids": true,
            "type": "filename",
            "uuid": "f556300f-59ed-4114-a843-1e04374ec24a",
            "value": "Invitation_Letter_No.02_2026.csproj"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-03-04\nLast-scan: 2026-03-01",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772574221",
            "to_ids": false,
            "type": "text",
            "uuid": "e34add93-db5a-494b-8201-96221af02fd4",
            "value": "Type Description: Text\nMicrosoft: Trojan:Script/Wacatac.C!ml\nVT Total Detection:7/62\nFirst Submission:2026-02-27T11:49:03.000000+00:00\nLast Submission:2026-02-27T11:49:03.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772575763",
        "uuid": "115196f6-3c08-4400-8fef-2ef950994732",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772575763",
            "to_ids": true,
            "type": "md5",
            "uuid": "b9c28a5c-83ce-4a64-b178-3498da066180",
            "value": "9f331a11a054f33664fe86543fc34cf0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772574440",
            "to_ids": true,
            "type": "sha1",
            "uuid": "db44e97c-922b-453d-828c-1fb592e83367",
            "value": "2336c9a20ecd53ec1be468282bae94c8160eb93a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772574440",
            "to_ids": true,
            "type": "sha256",
            "uuid": "5358e924-e6e6-42eb-b288-ea7b719483ab",
            "value": "5f9af68db10b029453264cfc9b8eee4265549a2855bb79668ccfc571fb11f5fc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772574243",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "0d98aec0-dee0-4ed9-86aa-066abee7db82",
            "value": "3072:/DEKKwBWmSEoRooC7GvORoQYiY35e8w2XpFU4rwOePZbZEmf02RFidFufl88:7HK2W0u1tvORstRXfzQ02bimtV"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772574243",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "fab6cb64-cb54-47ed-badf-a754c29ea205",
            "value": "255920"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772574243",
            "to_ids": true,
            "type": "vhash",
            "uuid": "81ae47ee-911b-4ceb-b8f4-6fcec72d4812",
            "value": "225036556514202443d72b635c1b"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772574243",
            "to_ids": true,
            "type": "filename",
            "uuid": "de87b4e4-8505-4dcc-9f0f-42a8454fad85",
            "value": "MSBuild.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-03-04\nLast-scan: 2026-03-01",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772574243",
            "to_ids": false,
            "type": "text",
            "uuid": "8b99f025-c69c-4d3a-849b-05b65c123d08",
            "value": "Type Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:0/72\nFirst Submission:2022-08-09T22:33:47.000000+00:00\nLast Submission:2026-03-03T13:19:47.000000+00:00\nNOTE(review): 0/72 detections and a first submission in 2022 (well before this campaign) indicate this is a stock MSBuild.exe build, presumably the living-off-the-land host that executes the malicious Invitation_Letter_No.02_2026.csproj rather than a malicious sample in its own right. Treat its md5/sha1/sha256 as execution-chain context for hunting (MSBuild.exe spawned from a user-writable path with a .csproj argument), not as blocklist indicators, and confirm the Authenticode signer before acting on them; the .csproj hashes are the actionable file IOCs."
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772575784",
        "uuid": "3ee81358-4b61-4210-a7d5-5ebc48ce982d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772575784",
            "to_ids": true,
            "type": "md5",
            "uuid": "bcca98d3-eed4-4035-bf37-31beb55418e3",
            "value": "e7cb954f4bbdbadbd2c0206577621683",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#2c2142",
                "local": false,
                "name": "false-positive:risk=\"high\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772574441",
            "to_ids": true,
            "type": "sha1",
            "uuid": "c515823b-c696-473a-ad3d-380bb303d8de",
            "value": "f06da8e29c3f0fafabfc3a524ae8b21730b57ed3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#2c2142",
                "local": false,
                "name": "false-positive:risk=\"high\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772574441",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a50d9cb5-92d7-4145-b63b-e288b35a31b9",
            "value": "8421e7995778faf1f2a902fb2c51d85ae39481f443b7b3186068d5c33c472d99",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#2c2142",
                "local": false,
                "name": "false-positive:risk=\"high\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772574265",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "9028c450-f51e-499d-b98c-45f6f6fbaebd",
            "value": "12288:4PIk8PsSPsHPj+aREi6AcE9sOrePwzbRTdUqRbu/jvt3yOMe1+X4C65H6vr:iEM/sOrePOdecu/zt3cZX3wu"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772574265",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "bc532751-014b-4216-ba86-88d27fbc7f4a",
            "value": "943696"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772574265",
            "to_ids": true,
            "type": "vhash",
            "uuid": "5eda2127-742b-4d24-888d-88f4b0f5bc3a",
            "value": "095056655d55156188z887zb09013z102001gz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772574265",
            "to_ids": true,
            "type": "filename",
            "uuid": "1f0eb218-1139-471f-b486-a14ccd1934b1",
            "value": "AVK.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-03-04\nLast-scan: 2026-03-04",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772574265",
            "to_ids": false,
            "type": "text",
            "uuid": "22a7493e-6d60-4a1f-8592-9b4cc59ca6d4",
            "value": "Type Description: Win32 EXE\nFile distributed by: ['G DATA CyberDefense AG', 'G DATA']\nData sources: ['gdata', 'monitor_gdata']\nVerdict filename: ['AVK.exe']\nMicrosoft: None\nVT Total Detection:0/72\nFirst Submission:2025-07-01T15:30:50.000000+00:00\nLast Submission:2026-03-03T16:57:31.000000+00:00\nNOTE(review): this is a vendor-distributed G DATA executable with 0/72 detections, which is why its hashes are tagged false-positive:risk=\"high\"; the hashes identify the legitimate binary, presumably abused as a trusted host for the PlugX payload (verify against the loader analysis), not the payload itself. Blocking this hash would hit legitimate G DATA installs; use it for hunting context only (AVK.exe running outside its vendor install path, or loading unexpected DLLs from its own directory) and confirm the Authenticode signer before alerting."
          }
        ]
      }
    ]
  }
}