{
  "Event": {
    "analysis": "1",
    "date": "2026-04-30",
    "extends_uuid": "",
    "info": "[Threat Intel] Poisoning the well: AI supply chain attacks on Hugging Face and OpenClaw",
    "protected": false,
    "publish_timestamp": "1779547124",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1779547124",
    "uuid": "d687c053-f835-4b54-b42e-236245f54439",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#705cef",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#177fb7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Rundll32 - T1218.011\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#f5a258",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#75ec20",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#bf01b7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"",
        "relationship_type": ""
      },
      {
        "colour": "#1cbe6b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Virtualization/Sandbox Evasion - T1497\"",
        "relationship_type": ""
      },
      {
        "colour": "#3780c6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#e43954",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#4bc785",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Hollowing - T1055.012\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#356c41",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"",
        "relationship_type": ""
      },
      {
        "colour": "#30cc3b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#44b2c2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Hidden Files and Directories - T1564.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#18005c",
        "local": false,
        "name": "rectifyq:topic=\"ai\"",
        "relationship_type": ""
      },
      {
        "colour": "#18005e",
        "local": false,
        "name": "rectifyq:topic=\"supply-chain\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"AMOS\"",
        "relationship_type": ""
      },
      {
        "colour": "#680082",
        "local": false,
        "name": "ms-caro-malware:malware-platform=\"MacOS\"",
        "relationship_type": ""
      },
      {
        "colour": "#7f009f",
        "local": false,
        "name": "ms-caro-malware:malware-platform=\"WinNT\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      },
      {
        "colour": "#220082",
        "local": false,
        "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778583620",
        "to_ids": false,
        "type": "link",
        "uuid": "d9c0e854-69fe-47d8-802a-d9e44d4aa860",
        "value": "https://www.acronis.com/en/tru/posts/poisoning-the-well-ai-supply-chain-attacks-on-hugging-face-and-openclaw",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778583620",
        "to_ids": false,
        "type": "text",
        "uuid": "2ad6efc9-2c79-486b-9887-863b267adba9",
        "value": "Threat actors are actively exploiting AI distribution platforms like Hugging Face and ClawHub to deliver malware by embedding malicious code within models, datasets, and agent extensions. Over 575 malicious skills across 13 developer accounts were identified in the OpenClaw ecosystem, targeting Windows and macOS with trojans, cryptominers, and AMOS stealer. Attackers abuse trust relationships between users and AI platforms through indirect prompt injection, where hidden instructions cause AI agents to execute malicious actions on behalf of users. Trojanized skills masquerade as legitimate tools while instructing users to execute encoded commands or install hidden malicious dependencies. On Hugging Face, repositories host payloads within multistep infection chains disguised as legitimate applications. These campaigns employ social engineering, obfuscation, encryption, in-memory execution, process injection, and persistence techniques to evade detection while establishing covert command-and-control communica..."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778583620",
        "to_ids": false,
        "type": "text",
        "uuid": "f0d178b8-9401-4e22-b28c-bbd382729429",
        "value": "Name: Poisoning the well: AI supply chain attacks on Hugging Face and OpenClaw\nAuthor: AlienVault\nAdversary: \nTags: [\"amos stealer\", \"clawhub\", \"openclaw\", \"hugging face\", \"trojanized skills\", \"cryptominer\", \"ai supply chain\", \"indirect prompt injection\"]\nTgtd countries: []\nMlwr families: [\"AMOS Stealer\"]\nAttack_ids: [\"T1053.005\", \"T1218.011\", \"T1082\", \"T1106\", \"T1140\", \"T1036\", \"T1055\", \"T1112\", \"T1497\", \"T1204\", \"T1059.001\", \"T1547.001\", \"T1566\", \"T1562.001\", \"T1055.012\", \"T1027\", \"T1573\", \"T1070.004\", \"T1071.001\", \"T1564.001\"]\nIndustries: [\"Finance\"]"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778978999",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "86fcff39-33d8-4947-b7b2-9a8d689eae21",
        "value": "91.92.242.30",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778979020",
        "to_ids": true,
        "type": "url",
        "uuid": "a48cf695-f8d5-4b12-b21a-55441d43251b",
        "value": "https://install.app-distribution.net/setup/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778979041",
        "to_ids": true,
        "type": "url",
        "uuid": "aba66f9c-5709-42e4-9134-8355d5e4943d",
        "value": "http://91.92.242.30/1v07y9e1m6v7thl6",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778979063",
        "to_ids": true,
        "type": "url",
        "uuid": "8163f051-ee29-41ad-980e-9cc6f3299b3f",
        "value": "http://91.92.242.30/6wioz8285kcbax6v",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778979084",
        "to_ids": true,
        "type": "domain",
        "uuid": "5490ad5a-e979-464c-b871-6de21a140119",
        "value": "velvet-parrot.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample found in VirusTotal (VT)\r\nLast check: 17/05/2026 (DD/MM/YYYY)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779547124",
        "to_ids": true,
        "type": "sha256",
        "uuid": "1f14777a-1adf-4597-9e62-1726fb9dc2bf",
        "value": "fd3d52c2bb3764aabfe4da301967bfbc18e1c062d5dad2e9f4c3b6b6cf0ec9f8",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778979105",
        "to_ids": true,
        "type": "url",
        "uuid": "cca47ab3-dc8d-4459-858c-b37da3b9f353",
        "value": "https://glot.io/snippets/hfd3x9ueu5",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778979126",
        "to_ids": true,
        "type": "url",
        "uuid": "6ee4ff5b-3edd-4725-b116-854ddc9ca0dd",
        "value": "https://glot.io/snippets/hfdxv8uyaf",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778979147",
        "to_ids": true,
        "type": "url",
        "uuid": "29d1a19f-8752-4486-86c9-bf3bfa7705cc",
        "value": "https://velvet-parrot.com",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778979168",
        "to_ids": true,
        "type": "url",
        "uuid": "e921f78d-abad-4351-ae2b-8e1ff7475a1d",
        "value": "https://velvet-parrot.com:443",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778979189",
        "to_ids": true,
        "type": "url",
        "uuid": "1d986042-a805-4892-ad9e-3e02b42116e8",
        "value": "https://rentry.co/openclaw-core",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778979210",
        "to_ids": true,
        "type": "url",
        "uuid": "e7cdeefb-5a71-409c-bce0-e2db890c3697",
        "value": "github.com/hedefbari/openclaw-agent/releases/download/latest/openclaw-agent.zip",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778979231",
        "to_ids": true,
        "type": "url",
        "uuid": "52555b5c-652f-4446-bffe-44358fae8d88",
        "value": "github.com/Ddoy233/openclawcli/releases/download/latest/openclawcli.zip",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778979252",
        "to_ids": true,
        "type": "url",
        "uuid": "ae6605bf-3ddc-41c7-bfe8-04914cefada2",
        "value": "github.com/denboss99/openclaw-core/releases/download/latest/openclaw-core.zip",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778979273",
        "to_ids": true,
        "type": "url",
        "uuid": "74393fef-40ca-46c9-8c9e-b95b224d6c54",
        "value": "github.com/denboss99/openclaw-core/releases/download/v3/openclawcore-1.0.3.zip",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778979294",
        "to_ids": true,
        "type": "url",
        "uuid": "ef0dce75-dc3e-4506-87b2-9f1ef0a0e124",
        "value": "https://github.com/toolitletolate/openclaw_windriver/releases/download/exe/openclaw_windriver.zip",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778979315",
        "to_ids": true,
        "type": "url",
        "uuid": "c707368a-d969-419d-9a26-8f7b54a69e68",
        "value": "https://t.me/dusty_vintage",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779547096",
        "uuid": "1e28e8a7-772a-418b-a576-e041fa46dec5",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779547095",
            "to_ids": true,
            "type": "md5",
            "uuid": "7c9ed0fa-0ae5-4a94-ba21-5ce48ce6e5c5",
            "value": "a37f6403fbf28fa0b48863287f4c5a5d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779547096",
            "to_ids": true,
            "type": "sha1",
            "uuid": "9a5e1b2a-7bbb-4ec9-a106-0163491367d4",
            "value": "a396ec79d8e33ca984c7ffc7ee4d7d2caa8412ee",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779547096",
            "to_ids": true,
            "type": "sha256",
            "uuid": "2ee66e82-e495-4694-90c0-e33101881ccb",
            "value": "f0a54f2b44e557854b0a5001c4e10185884af945814786f78b86539014f78a16",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778971651",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "ed875450-a542-40d0-926a-e15293a4ba45",
            "value": "12288:HaOLNaXUoyWecdCiLkZVFRmocmXQtWdmHJxXOTT////wpy8PBS/iSxgNSG:HaOLUESdWdmHlNS"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778971651",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "68ba8831-ff0f-46f3-a405-5911dfd09940",
            "value": "521440"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778971651",
            "to_ids": true,
            "type": "vhash",
            "uuid": "9af6047a-7a04-442b-9135-07ef4dc6df1a",
            "value": "0252dc858045d41516d6efd67b758612"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778971651",
            "to_ids": true,
            "type": "filename",
            "uuid": "44b3e42c-f99f-4b28-9389-6738a70e0aa5",
            "value": "ffyahlorfy.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/05/2026\nLast scan: 16/05/2026 (dates are DD/MM/YYYY)",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778971651",
            "to_ids": false,
            "type": "text",
            "uuid": "0bc9e5c2-aef2-4d25-8c43-147ce49b195c",
            "value": "Type Description: Mach-O\nMicrosoft: Trojan:MacOS/Multiverze!rfn\nVT Total Detection:35/63\nFirst Submission:2026-02-04T18:00:37.000000+00:00\nLast Submission:2026-02-26T01:12:17.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779547099",
        "uuid": "fa5e5776-bcdc-42e1-981c-2002edab8b01",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779547098",
            "to_ids": true,
            "type": "md5",
            "uuid": "349910de-bb59-468c-b43c-200bc1fd86e0",
            "value": "b488d8d0cb6ee18af9e5800b66ff1ed9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779547098",
            "to_ids": true,
            "type": "sha1",
            "uuid": "4e6adf8c-0533-4aaf-ad24-46378092209a",
            "value": "93b3d3925ccc201ab0f16017153a79ef05b8f5c2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779547099",
            "to_ids": true,
            "type": "sha256",
            "uuid": "92f8a008-1395-41eb-843c-d09740af0804",
            "value": "d781d5cabaf5f305bbb8afcd9a54d7ba616bfa7aef5c4d16f6bce3d2bf3b4073",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778971673",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "886d3531-35c6-416c-9f1a-b2561c1baeb0",
            "value": "3:ns3FV39C5K6AZAdEFiZpZAGNIaFOd4xZALKUTRcAZE:WFV39CK6AfmpRNIa97KRcA6"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778971673",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "6d391be2-4f29-4f31-8ee0-b504ab838c3f",
            "value": "138"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778971673",
            "to_ids": true,
            "type": "filename",
            "uuid": "e340451e-5804-4c27-826e-8c3c7fdb80f9",
            "value": "6wioz8285kcbax6v"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778971673",
            "to_ids": false,
            "type": "text",
            "uuid": "8d4231fb-a556-423d-9626-b6930cf2eb72",
            "value": "Type Description: Shell script\nMicrosoft: Trojan:MacOS/ClawHavoc.DA!ams\nVT Total Detection:26/61\nFirst Submission:2026-02-05T04:10:45.000000+00:00\nLast Submission:2026-02-05T04:10:45.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779547101",
        "uuid": "c371dcf0-3dd3-42af-9ebe-499282ce3861",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779547101",
            "to_ids": true,
            "type": "md5",
            "uuid": "887f4ba0-1853-4b3f-b4fb-4154f963e43e",
            "value": "69315b7a1c4bf5ee56cba1de29d1761e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779547101",
            "to_ids": true,
            "type": "sha1",
            "uuid": "d5611163-d835-40ad-9c32-c225cb9d7d98",
            "value": "0d2bb0876cc58d8b9c91686c019c131584f1b970",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779547101",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4bfccf1c-783d-44de-b6a3-9ac5fca3a2e1",
            "value": "c7b93b6facfc23f49e35e81dc9c30cc69401b8245eeb7c032fc13656cd7e101f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778971695",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "da1ff125-4fb9-4f50-8220-4bdeeb2c322d",
            "value": "98304:7QiFytO1s/YLceSxJAyJh3ETWvR/2uWujfoTcBqNUK:7zFytO1s/ihSxJAyJh3E5uBO"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778971695",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "eba1cf35-0895-43b8-b774-984ecec08614",
            "value": "6264832"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778971695",
            "to_ids": true,
            "type": "vhash",
            "uuid": "5c896edc-d1d8-4e46-848c-6765c3178496",
            "value": "066076655d155d05755093z32z88hz13z7fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778971695",
            "to_ids": true,
            "type": "filename",
            "uuid": "4710744e-0cbe-4e37-bb77-8aac6132eb8e",
            "value": "svchost.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778971695",
            "to_ids": false,
            "type": "text",
            "uuid": "1955e012-2e34-4751-81a3-398489c9d6dc",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Malex.gen!E\nVT Total Detection:57/71\nFirst Submission:2026-01-09T03:33:37.000000+00:00\nLast Submission:2026-05-14T02:03:45.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779547104",
        "uuid": "d84365a1-333f-4e69-ba64-22d2ee853bee",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779547103",
            "to_ids": true,
            "type": "md5",
            "uuid": "02ed9b97-86d9-48f2-803d-86716d4e6b02",
            "value": "bd46890121106b43f0c01ab82629400c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779547104",
            "to_ids": true,
            "type": "sha1",
            "uuid": "0ff5d281-5307-42c8-b520-171f88db01c7",
            "value": "8bd284bfb607d5e970c88a69ca9422b44b1148a9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779547104",
            "to_ids": true,
            "type": "sha256",
            "uuid": "0b4e65bb-90db-43d2-98c5-c168f12e3db2",
            "value": "122bea967f4c194fd5820123d13b7b71422c31f92b9fc0b0fa05aac3ff03dfaa",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778971716",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "8a6141f7-7f84-4a98-8211-30dd05c00e47",
            "value": "48:9o7YFBOp4fSFePapWzNB7hb3C1nC1XM69qUtqft0vnIOB41:C7YFkp4oePvzX7hTxcjwqFsnIK41"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778971716",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "bbb80eaa-7c6e-4198-b8e3-95431edb7c58",
            "value": "1884"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778971716",
            "to_ids": true,
            "type": "vhash",
            "uuid": "6ea0a63b-e821-4204-994a-708b948509f7",
            "value": "4acc216d041de7e9e6d26cfcc6bad8e6"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778971716",
            "to_ids": false,
            "type": "text",
            "uuid": "7806f6aa-7c5a-4427-9719-39db4323d659",
            "value": "Type Description: ZIP\nMicrosoft: None\nVT Total Detection:0/65\nFirst Submission:2026-02-09T18:26:13.000000+00:00\nLast Submission:2026-02-09T18:26:13.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779547107",
        "uuid": "2780cf40-2623-47e3-88eb-35ba25d7ec08",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779547106",
            "to_ids": true,
            "type": "md5",
            "uuid": "16218077-3c5c-49f6-a85a-b08ce2644fdb",
            "value": "41f581f7d2c09ab0edfea850b9db506f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779547106",
            "to_ids": true,
            "type": "sha1",
            "uuid": "ad8e0ae4-e5ea-42b3-8a80-acb16b1a673a",
            "value": "5d253cc263851ec68c0a988bf86afbb3e9f0b491",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779547107",
            "to_ids": true,
            "type": "sha256",
            "uuid": "ef6b82dc-bec5-47f5-9355-2e00f754a11d",
            "value": "462af0a3a9094d44c30cc65544ec1171a62365cff09e67f5e87e061a3d604bd0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778971738",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "99ae5ba7-f76c-4054-8f0b-ed7619373e41",
            "value": "3072:4V3J6kkt5h1X+HqTi0BW69hd1MMdxPe9N9uA0/+hL9TBfnPm8u:Vt5hBPi0BW69hd1MMdxPe9N9uA069TBi"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778971738",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f4e0073d-b7e8-429c-b642-c652cc931196",
            "value": "128512"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778971738",
            "to_ids": true,
            "type": "vhash",
            "uuid": "84250be5-2eba-4c72-9ce2-b49b8c42016d",
            "value": "0150665665655d1561z13z1004216z27z30500213z19z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778971738",
            "to_ids": true,
            "type": "filename",
            "uuid": "fa609e52-e8b6-43d1-92ce-c84982846118",
            "value": "Windows Security"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778971738",
            "to_ids": false,
            "type": "text",
            "uuid": "81be2379-cd1d-49ca-8cdf-d6c4dea34ab6",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:48/71\nFirst Submission:2026-01-07T22:01:43.000000+00:00\nLast Submission:2026-01-07T22:01:43.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779547109",
        "uuid": "de7a8786-726a-449c-bd65-f806fa2ac1f1",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779547108",
            "to_ids": true,
            "type": "md5",
            "uuid": "3a5d258d-593c-409e-929e-1bac6a6cd426",
            "value": "50eda29bfbeeb8b0429718447725016a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779547109",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7c715a08-5536-4df2-bf5e-b2d6ae4e30dd",
            "value": "92149d122dedb4e507e3a9cf6e43c53836e16fbe",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779547109",
            "to_ids": true,
            "type": "sha256",
            "uuid": "77f7dada-ea40-4a77-b7d2-a898217029c4",
            "value": "579a82dde4425d95e20a22171be0a37702c833fdca6e5e04f69099a025863136",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778971760",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "0acc5868-7027-447e-9142-3633763bc5b9",
            "value": "192:/j99mD99mT99mu9mJkT19mQkTMZ9t9mJkFdFtvHFmZRmiE8j35:/j9kD9kT9kukqkQ5kMzgRI235"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778971760",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f8f0e7d9-333e-45d1-aa04-c7ebd70e2225",
            "value": "6198"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778971760",
            "to_ids": true,
            "type": "filename",
            "uuid": "93173d2b-1ed1-4095-b6d1-54ddeaf34dce",
            "value": "StartGD22OR21.bat"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778971760",
            "to_ids": false,
            "type": "text",
            "uuid": "4e96fff9-57f2-4c29-b298-e436b92da0d4",
            "value": "Type Description: DOS batch file\nMicrosoft: None\nVT Total Detection:18/61\nFirst Submission:2025-07-11T05:14:11.000000+00:00\nLast Submission:2026-02-16T20:13:50.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779547112",
        "uuid": "248a81c0-978b-44f8-a98f-22cf51c95ca8",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779547111",
            "to_ids": true,
            "type": "md5",
            "uuid": "dda01fb6-6445-4f76-a1a4-76f7b5c42c50",
            "value": "ce62d1b6116f34f9ba815db1e2016d2a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779547111",
            "to_ids": true,
            "type": "sha1",
            "uuid": "34718bc5-e397-498f-b778-f0fa1b61ea62",
            "value": "1fc5e6458316277fae8272cbe9f3dfc86b681635",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779547112",
            "to_ids": true,
            "type": "sha256",
            "uuid": "059f17da-3a41-404a-8cbc-8c81d62391b3",
            "value": "89930bd18e0f9c9c98dfb1662cb87aa98348e87164ab62b1f39e86ebf2ce24cb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778971782",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "78dd04fc-09d0-44b5-80a0-be05d2a83532",
            "value": "98304:E8xwxz+BNSFpUIpUJ69B4RFEgpvbhXj3PNBXGuu5/+s8Af4jNGEeCKdg9+uTUah1:E5JpUtUyFBpb9PNRRul+szf4Jtej23TP"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778971782",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a2112866-358d-46ab-b0e2-c33dca8343e9",
            "value": "5984840"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778971782",
            "to_ids": true,
            "type": "vhash",
            "uuid": "7cb6ecc3-bc36-4620-9d66-6c1674ce0733",
            "value": "0560a65d1565151c051d0018z3c17lz7fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778971782",
            "to_ids": true,
            "type": "filename",
            "uuid": "4a38ffdb-8b07-4cff-8d3d-479b59de26e4",
            "value": "warehouse3"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778971782",
            "to_ids": false,
            "type": "text",
            "uuid": "9c78b45a-696d-4e9e-95bc-7357e0f73135",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:48/71\nFirst Submission:2026-02-27T06:27:02.000000+00:00\nLast Submission:2026-02-27T06:27:02.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779547114",
        "uuid": "3ce93a22-c381-4602-9bc9-9382fa4f8a56",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779547113",
            "to_ids": true,
            "type": "md5",
            "uuid": "379bae70-e5fe-4c0b-a772-41333659f74a",
            "value": "abae0f42f695e55714d362a088acc780",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779547114",
            "to_ids": true,
            "type": "sha1",
            "uuid": "893a2d0f-991d-4213-9674-c7322979d53f",
            "value": "a7c4407a7039102a8769bd51bfa64efc17943847",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779547114",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a7a0f41f-c7d5-48c8-bc76-09d0a0239645",
            "value": "9db18aa394f554aa455f3039ce734b1653cc999089889c551fe263bd4bdc39fc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778971804",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "58bdb621-4d30-4b40-bfad-e3b632c36fa6",
            "value": "24:9fEDorJpsnXFLZtpZNwyASMROTtK2/DKG7PpN/A0DQ7+ge9aknFGLpByF/LWvtE/:9fEDCpsnZ/pFAQI2bKoPpNY0DQ7+gegi"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778971804",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a7dbe198-4382-4b05-9af7-b064d110c4da",
            "value": "1384"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778971804",
            "to_ids": true,
            "type": "vhash",
            "uuid": "74c215eb-794e-4699-91f6-86e075c9d77d",
            "value": "48b32c66a5c57d4f84df0aca0bf2a777"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778971804",
            "to_ids": true,
            "type": "filename",
            "uuid": "a5227129-97d3-497c-acfe-adfc74336ca2",
            "value": "dqqx2.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778971804",
            "to_ids": false,
            "type": "text",
            "uuid": "58e1bff3-b29a-4351-a23c-2699b004e975",
            "value": "Type Description: ZIP\nMicrosoft: None\nVT Total Detection:26/65\nFirst Submission:2026-02-05T07:44:50.000000+00:00\nLast Submission:2026-02-05T07:44:50.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779547117",
        "uuid": "d5ed6c8a-308c-492f-aafa-29906c9247c5",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779547116",
            "to_ids": true,
            "type": "md5",
            "uuid": "551197bc-03b3-4cfe-b149-7d72d14187f9",
            "value": "c5a53c02d531c5e46f9cc2fc0afbb88d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779547116",
            "to_ids": true,
            "type": "sha1",
            "uuid": "dd12fdab-bdcb-4fdd-a1b7-cdb8f2140fd8",
            "value": "a14bed1c46ba7406d5240e979251ccd394dfe3b5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779547117",
            "to_ids": true,
            "type": "sha256",
            "uuid": "75cc32f7-5547-42f4-b01c-353700b0db0c",
            "value": "b5da6ffa5f85aa5016fbc02a3122361c85d21192c45df9544099d13e6ff84c36",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778971825",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "81d367cf-de97-4b97-9699-417ded22fc68",
            "value": "12:8//GFF2s05XVIn4Ho6CsaLXDBniDXwfauikQLZkXf86Rj7fxt3Q0MZgbLn1Il6:82FFMX5fC5ThiDerirVkPtfxtbMZgY6"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778971825",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "ff9c7203-68a6-48f9-9243-f9f58e4da208",
            "value": "981"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778971825",
            "to_ids": true,
            "type": "vhash",
            "uuid": "b7b45f46-54a8-4ede-b6cf-d0e9c1423d45",
            "value": "85829f3f618c925198ac460fb5b1f1f0"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778971825",
            "to_ids": true,
            "type": "filename",
            "uuid": "3b370c1e-2011-4491-84f8-1c3a774eb36c",
            "value": "Bao_Cao_Tai_Chinh_2024.pdf.lnk"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778971825",
            "to_ids": false,
            "type": "text",
            "uuid": "72fc860d-ae39-4d6b-bfcf-62d150b261fd",
            "value": "Type Description: Windows shortcut\nMicrosoft: Trojan:Win32/Malgent\nVT Total Detection:33/62\nFirst Submission:2026-01-24T09:07:47.000000+00:00\nLast Submission:2026-01-24T09:07:47.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779547119",
        "uuid": "6c8d7eed-5f09-4673-8d96-ecacc2db429b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779547119",
            "to_ids": true,
            "type": "md5",
            "uuid": "1164c843-c42c-447f-8d05-e1653089b7f0",
            "value": "b6a77b7892ef22d6afd91eb980a3f3d8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779547119",
            "to_ids": true,
            "type": "sha1",
            "uuid": "1f784e97-294e-440f-98fc-1aa99a01ecb2",
            "value": "9f79b3301a88348bb6f03369c239a660a8c277bc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779547119",
            "to_ids": true,
            "type": "sha256",
            "uuid": "307fd875-0005-40af-95b4-b1a4c58eb25c",
            "value": "d42aecf76fb1531cd5b7139e669910b2fd82a90b7e11448128e226775bf5d42e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778971847",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "0181db11-320b-473f-b32f-d30321a553fd",
            "value": "24576:mgmRYyY3wExCNGd7iI3aOpAawIvUxybgxzHyLeoMxx4go2G5n9kxhENQ/Fz0vn7m:ikHMuO5DGrbZrGZZgZcV"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778971847",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "1432adae-77f3-41a7-a27e-e4fc027a439c",
            "value": "4352973"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778971847",
            "to_ids": true,
            "type": "filename",
            "uuid": "7731d1f0-4fc6-4def-ab9b-3140fa92d8d5",
            "value": "vZJY8wQTBDxEtilj.bat"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778971847",
            "to_ids": false,
            "type": "text",
            "uuid": "a0039eff-9b96-48a6-8c18-e6b7366e5f0e",
            "value": "Type Description: DOS batch file\nMicrosoft: Trojan:Win32/Ravartar!rfn\nVT Total Detection:29/61\nFirst Submission:2025-12-26T23:32:50.000000+00:00\nLast Submission:2026-01-01T23:42:58.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779547122",
        "uuid": "dd5c6e01-81bb-4480-aaec-603de0d7f760",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779547121",
            "to_ids": true,
            "type": "md5",
            "uuid": "a7e0c8c6-8b73-496d-90f9-e477bd162b61",
            "value": "31d36da3d6cd96f335b14a1dd1f06cc2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779547122",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7db1d8dc-cee3-4546-812b-59ffe6d34356",
            "value": "197e0f42236143b60742ecbcac751617c22cfb9c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779547122",
            "to_ids": true,
            "type": "sha256",
            "uuid": "09b913f2-2747-4f1e-bf2c-a12192732693",
            "value": "e84b1e2c432b2394c403b524b8361ffa9923a022eb05215f1dc811bc167c3c5e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778971869",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "31f35d60-47ce-4af0-87fc-c709bbc602c5",
            "value": "24:Q5GDTrSWZgC2BZ9bpX9ve7EDzDBsa+8m9/0/aUtgVDwHdt:zDKWZh2B1XTDiaZo/CttUyt"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778971869",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "16800f10-65e1-4380-9698-4db6489896e5",
            "value": "1069"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778971869",
            "to_ids": true,
            "type": "filename",
            "uuid": "9e28b5e2-5d61-40d1-acd6-ec9aa262b531",
            "value": "CDC1.bat"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778971869",
            "to_ids": false,
            "type": "text",
            "uuid": "4bfd31db-364a-45ec-b2ae-ecc8042e795d",
            "value": "Type Description: DOS batch file\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:21/61\nFirst Submission:2026-01-07T22:05:01.000000+00:00\nLast Submission:2026-01-07T22:05:01.000000+00:00"
          }
        ]
      }
    ]
  }
}