{
  "Event": {
    "analysis": "1",
    "date": "2026-05-06",
    "extends_uuid": "",
    "info": "[Threat Intel] 5 Malicious NuGet Packages Impersonate Chinese UI Libraries to Distribute Crypto Wallet and Credential Stealer",
    "protected": false,
    "publish_timestamp": "1779546694",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1779546693",
    "uuid": "fd4d5ee1-41ff-493f-bb7b-8f5a25b1c947",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#72ee33",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#ed66f6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal Web Session Cookie - T1539\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#2c1d2e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Checks - T1497.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#f5a258",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"",
        "relationship_type": ""
      },
      {
        "colour": "#68f2ff",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Archive Collected Data - T1560\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ed4a7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Web Browsers - T1555.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#e74146",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Doppelg\u00e4nging - T1055.013\"",
        "relationship_type": ""
      },
      {
        "colour": "#20f80d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#f95f85",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials In Files - T1552.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#d596aa",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Software Supply Chain - T1195.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#1a0065",
        "local": false,
        "name": "rectifyq:topic=\"crypto-related\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778238014",
        "to_ids": false,
        "type": "link",
        "uuid": "06134bd9-1346-4dec-bb55-d52e0b6e5e81",
        "value": "https://socket.dev/blog/5-malicious-nuget-packages-impersonate-chinese-ui-libraries",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778238014",
        "to_ids": false,
        "type": "text",
        "uuid": "1ecdb25e-3373-4733-bd2f-aa6cb2dd7128",
        "value": "Five malicious NuGet packages published under account bmrxntfj impersonate Chinese .NET libraries to deploy an infostealer targeting browser credentials, cryptocurrency wallets, SSH keys, and local files. The packages typosquat legitimate Chinese UI and infrastructure libraries, grafting .NET Reactor-protected payloads onto decompiled legitimate code. The campaign uses version rotation to evade hash-based detection, with 219 of 224 total versions unlisted but fetchable. The stealer targets 12 browsers, 8 desktop crypto wallets, and 5 browser wallet extensions, exfiltrating data to a newly-registered C2 domain. With approximately 65,000 downloads across all versions, the campaign puts tens of thousands of developer workstations and CI/CD build servers at risk. The payload executes through .NET module initializers, hooks the CLR JIT compiler, and supports cross-platform infection including Linux and macOS infrastructure."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778238014",
        "to_ids": false,
        "type": "text",
        "uuid": "f8179a13-06ec-4dc8-96ec-787458df5fea",
        "value": "Name: 5 Malicious NuGet Packages Impersonate Chinese UI Libraries to Distribute Crypto Wallet and Credential Stealer\nAuthor: AlienVault\nAdversary: \nTags: [\"nuget\", \"browser credential theft\", \"arrowrat\", \"quantum\", \"lumma\", \"supply chain attack\"]\nTgtd countries: []\nMlwr families: [\"Lumma\", \"Quantum\", \"AgentRacoon\", \"ArrowRAT\"]\nAttack_ids: [\"T1056.001\", \"T1539\", \"T1204.002\", \"T1497.001\", \"T1082\", \"T1106\", \"T1005\", \"T1140\", \"T1055\", \"T1560\", \"T1555.003\", \"T1055.013\", \"T1059\", \"T1083\", \"T1552.001\", \"T1041\", \"T1027\", \"T1195.002\", \"T1071.001\"]\nIndustries: []"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778946274",
        "to_ids": true,
        "type": "domain",
        "uuid": "da842697-d85f-4d2d-a13d-792bf1f6e1e1",
        "value": "dns-providersa2.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778946295",
        "to_ids": true,
        "type": "url",
        "uuid": "df80ab7e-e1de-4fda-a0cc-0b8367679808",
        "value": "https://dns-providersa2.com/upload",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778946316",
        "to_ids": true,
        "type": "url",
        "uuid": "28ff415b-1247-4edd-a531-a62a867ccdc4",
        "value": "https://dns-providersa2.com/check",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778946337",
        "to_ids": true,
        "type": "hostname",
        "uuid": "59fc9920-f04d-4caa-944f-adda2357cfdc",
        "value": "git.justdotrip.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:16/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546691",
        "to_ids": true,
        "type": "sha1",
        "uuid": "e7096b2c-1f90-452a-b3ab-2d5e17472dd0",
        "value": "efb675de4b3af3dac3c9cae91075fd7cc2f4f98e",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:16/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546693",
        "to_ids": true,
        "type": "sha256",
        "uuid": "4992d668-eee9-4c21-92bd-571f94486678",
        "value": "8f7aa15c77bde94087bb74dfc072e25212797b313731b4cad0ded3e152268dcf",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778946358",
        "to_ids": true,
        "type": "domain",
        "uuid": "0f7884ca-a1c5-43d1-b992-c78eb7266432",
        "value": "justdotrip.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778946380",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "0844283e-613c-4643-8c3f-dfe37dd9a287",
        "value": "62.84.102.85",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778946401",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "88fd83a2-ffcd-4327-a6fb-d91faeaad024",
        "value": "47.100.60.237",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
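        "comment": "Appears to be a Njalla name-server hostname (shared provider infrastructure rather than campaign-specific); confirm before alerting or blocking on it alone",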
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778946423",
        "to_ids": true,
        "type": "hostname",
        "uuid": "059cd724-006d-4c36-a075-31dae8e886fc",
        "value": "1-you.njalla.no",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
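        "comment": "Appears to be a Njalla name-server hostname (shared provider infrastructure rather than campaign-specific); confirm before alerting or blocking on it alone",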
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778946444",
        "to_ids": true,
        "type": "hostname",
        "uuid": "3a13a8b3-65a5-4d70-944c-af8ce94d6ef7",
        "value": "2-can.njalla.in",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
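        "comment": "Appears to be a Njalla name-server hostname (shared provider infrastructure rather than campaign-specific); confirm before alerting or blocking on it alone",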
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778946465",
        "to_ids": true,
        "type": "hostname",
        "uuid": "b45ed19e-87b4-43ef-9326-0842eb7c36db",
        "value": "3-get.njalla.fo",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
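        "comment": "MetaMask (ID of the legitimate wallet extension targeted by the stealer; presence of this ID alone is not a sign of compromise)",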
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778941073",
        "to_ids": true,
        "type": "chrome-extension-id",
        "uuid": "00c24cb6-58a6-47c3-a136-97e930b51b57",
        "value": "nkbihfbeogaeaoehlefnkodbefgpgknn"
      },
      {
        "category": "Payload delivery",
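        "comment": "TronLink (ID of the legitimate wallet extension targeted by the stealer; presence of this ID alone is not a sign of compromise)",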
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778941073",
        "to_ids": true,
        "type": "chrome-extension-id",
        "uuid": "4cdf7f92-b708-4d3c-98a7-876d95d9594a",
        "value": "ibnejdfjmmkpcnlpebklmnkoeoihofec"
      },
      {
        "category": "Payload delivery",
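        "comment": "Phantom (ID of the legitimate wallet extension targeted by the stealer; presence of this ID alone is not a sign of compromise)",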
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778941073",
        "to_ids": true,
        "type": "chrome-extension-id",
        "uuid": "7594f1c0-d564-4bb9-bfb8-9469d0b45f16",
        "value": "bfnaelmomeimhlpmgjnjophhpkkoljpa"
      },
      {
        "category": "Payload delivery",
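        "comment": "Trust Wallet (ID of the legitimate wallet extension targeted by the stealer; presence of this ID alone is not a sign of compromise)",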
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778941073",
        "to_ids": true,
        "type": "chrome-extension-id",
        "uuid": "b509ff54-85ca-42b6-968b-b3769d277f2f",
        "value": "egjidjbpglichdcondbcbdnbeeppgdph"
      },
      {
        "category": "Payload delivery",
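        "comment": "Coinbase Wallet (ID of the legitimate wallet extension targeted by the stealer; presence of this ID alone is not a sign of compromise)",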
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778941073",
        "to_ids": true,
        "type": "chrome-extension-id",
        "uuid": "ad0eff72-992d-4655-9357-57c3ef1acd69",
        "value": "hnfanknocfeofbddgcijnmhnfnkdnaad"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546676",
        "uuid": "141db1dd-9949-4aef-8d43-3b56e2500c61",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546675",
            "to_ids": true,
            "type": "md5",
            "uuid": "0f9d6992-35fe-4a1c-a5e3-1b5e2d5704ae",
            "value": "51392451d339c1a0c5bbf9191dd38a3f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546676",
            "to_ids": true,
            "type": "sha1",
            "uuid": "818c40e3-e383-4644-b760-8dfb909dd31a",
            "value": "652567cc18022c90f5254436d32bad6151c11019",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546676",
            "to_ids": true,
            "type": "sha256",
            "uuid": "5c9385dc-c9ac-4fe9-ac9c-826b2837d20d",
            "value": "019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778944018",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "223da047-4f67-4704-993e-da119df6c2fe",
            "value": "6144:yd+3d/jwfIYq0O/8nu5CEL3Pjrc/CpCEL/+ctJGKgDx1256vGskiWWGsgwUz+V:yCd78pqx8nu5CEL/0alJrgDn2cG1iys/"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778944018",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "31ed0699-8513-4397-bc87-63815fe02d17",
            "value": "303407"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778944018",
            "to_ids": true,
            "type": "filename",
            "uuid": "8b3f06f7-0a72-40a5-85ab-83990174fb09",
            "value": "x0vn4egtaGl9AYjUtRN8.bHNI8egt119sVoYN7sWX"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  11/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778944018",
            "to_ids": false,
            "type": "text",
            "uuid": "7698009f-ab02-4a6a-9507-fca51a792663",
            "value": "Type Description: unknown\nMicrosoft: None\nVT Total Detection:0/62\nFirst Submission:2026-04-20T08:17:23.000000+00:00\nLast Submission:2026-04-20T08:17:23.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546679",
        "uuid": "8f0300a7-38e4-4df4-98eb-5592e0a7f501",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546678",
            "to_ids": true,
            "type": "md5",
            "uuid": "953ed37d-b791-4fc3-be66-7ad5cb2ff382",
            "value": "5a60bf4231d9b8fe698ff5371d48609a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546678",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e2006355-69fa-4837-965f-b2aeb7b063d2",
            "value": "ed96fd8efba8b9941fe1f71b78ce0bd2ba7fa240",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546679",
            "to_ids": true,
            "type": "sha256",
            "uuid": "46a18b4b-334a-427e-8706-3d4937ea5e76",
            "value": "34e2d63b5db7e24c808711c2ca0c0a42afde97a0086d7d81609110c002d18d7c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778944040",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "311c6a9c-349a-4ee5-a872-f82b25697ff9",
            "value": "98304:QQg4Gr9U0j4ex3kMCcymZpNp1S4ugM0FrmOvTmOKLkeCPAnJ/P:PHS9BcjMXlBnTMLk38Jn"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778944040",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "0ece1b28-2c1a-4495-a56e-8e13ec5fc478",
            "value": "3733136"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778944040",
            "to_ids": true,
            "type": "filename",
            "uuid": "039d67e8-3f15-4a90-9c5e-7e5396172fbf",
            "value": "PrsRp9MCnrIrByA1Cfqx.ESt08OMCkwnydJbvO78l"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  11/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778944040",
            "to_ids": false,
            "type": "text",
            "uuid": "e25a7319-0ccb-444c-b880-8f723a033620",
            "value": "Type Description: unknown\nMicrosoft: None\nVT Total Detection:0/61\nFirst Submission:2026-04-20T08:11:49.000000+00:00\nLast Submission:2026-04-20T08:11:49.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546681",
        "uuid": "7ab0a924-fa19-42b1-982f-93799bf50297",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546681",
            "to_ids": true,
            "type": "md5",
            "uuid": "067b2701-b65d-4234-b48f-a8a9b645c2ef",
            "value": "160c633efa584840bc81c9433cc9d582",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546681",
            "to_ids": true,
            "type": "sha1",
            "uuid": "a4d28781-201d-4f47-8d3d-954b3975770f",
            "value": "730c8b9362eb50030e67c44ad648cfbe3915ad78",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546681",
            "to_ids": true,
            "type": "sha256",
            "uuid": "83acfa93-622e-4d53-81da-d11e5a248649",
            "value": "596c453c9dbb7240f1ce05cc025496524ce7c538c23a9b2171174bf32b5691a1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778944062",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "94e09f0c-6205-45be-b329-12f45e7d3f14",
            "value": "6144:fbO3eRJm5gk0Wo1ndB4S+YnLjrwSjn0fzlJlRzNO4bPAWitR62B+j3MMlLdAP:fbmisgk0WwnX+YnLj1jn07lRxHPAWit9"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778944062",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7c9a590b-f0d9-4e7f-a338-640d658972d1",
            "value": "268520"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778944062",
            "to_ids": true,
            "type": "filename",
            "uuid": "d3acd9ba-8afd-45c1-aa73-8dcdc7facc55",
            "value": "655FiHoqrn8YCwOsHert.mOt567oq5JLf9dYm9x7l"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  11/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778944062",
            "to_ids": false,
            "type": "text",
            "uuid": "3cd979a2-0780-4a57-bdeb-3e3677221d08",
            "value": "Type Description: unknown\nMicrosoft: None\nVT Total Detection:0/61\nFirst Submission:2026-04-20T08:18:01.000000+00:00\nLast Submission:2026-04-20T08:18:01.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546684",
        "uuid": "bdd1e5fb-eab3-449a-8543-b933656a299d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546684",
            "to_ids": true,
            "type": "md5",
            "uuid": "597b27f5-e4bc-4f31-8b49-64a95f86cf3d",
            "value": "b341108a426c28493f83a861e8129edc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546684",
            "to_ids": true,
            "type": "sha1",
            "uuid": "a7b759a4-98bc-43f8-9561-77c4c45c30d3",
            "value": "6bff40e1358e54dc750876709d4efe7040a208c9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546684",
            "to_ids": true,
            "type": "sha256",
            "uuid": "8ad61d67-7e30-49e3-9487-d4d73f6bb83f",
            "value": "b8543b2a1ad8862ebfef18924cf5444d2adfee996939963f4fc2748c582cf9a9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778944105",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "b9998707-77a3-443a-9679-6d92c05bce18",
            "value": "24576:4H1D2+p9iepfq13WzMMN4b5XTSZHcr66wODv6u3SWLP/ivtDRjsqD02tN21os8BA:Gl2s0q+3HPdTjhP/iFxsqoP1tkGSI5jT"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778944105",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "fe7184f7-f26b-42ca-8c2f-cbae9f86e26d",
            "value": "1479511"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778944105",
            "to_ids": true,
            "type": "filename",
            "uuid": "984f6759-5588-4e97-8d23-c5760bb4844e",
            "value": "qrf5HuCUxyPJhoo9ax.BvS3kM9px3ZBDXrJPH"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  11/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778944105",
            "to_ids": false,
            "type": "text",
            "uuid": "c9813828-6a0f-4951-b3d8-1a0dcb28f70f",
            "value": "Type Description: unknown\nMicrosoft: None\nVT Total Detection:0/61\nFirst Submission:2026-04-20T08:14:48.000000+00:00\nLast Submission:2026-04-20T08:14:48.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546687",
        "uuid": "ab540998-6675-41ac-82fa-76a1f30a787e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546686",
            "to_ids": true,
            "type": "md5",
            "uuid": "8fd6daf2-59fd-4737-89e0-81f1a8d3a937",
            "value": "7461b57ea04b82bcc746863dac3ab43c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546687",
            "to_ids": true,
            "type": "sha1",
            "uuid": "de5f3f29-ce53-4cbe-8854-2d510c715a56",
            "value": "bfbd0a6d406652a85d31ce52f7b428bef617b237",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546687",
            "to_ids": true,
            "type": "sha256",
            "uuid": "beb2c1e7-f8f7-4a8b-a8e4-ca3e970c0489",
            "value": "b8fa1b2fade45304c003909e375d2519ea447b498b7d93fe7c50db014d30f4fa",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778944127",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c3face54-ec8a-4600-8554-4666b643ca04",
            "value": "12288:xfNKt+JyjURnqLlxnxMT9o+AHIFFsJ+0uasYX:utj1nS9oHIF+3HsYX"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778944127",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "e63bcb6a-091e-4570-8cd5-910965a43fcd",
            "value": "472523"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778944127",
            "to_ids": true,
            "type": "filename",
            "uuid": "6384ad05-5027-44d6-a128-750e5c01f96f",
            "value": "HbAMpUKnIYHtRDJt24Xy.eCptlqKnSsf9h9dlO0AT"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  11/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778944127",
            "to_ids": false,
            "type": "text",
            "uuid": "70857b60-71d0-4321-980b-8a218d181fd5",
            "value": "Type Description: unknown\nMicrosoft: None\nVT Total Detection:0/61\nFirst Submission:2026-04-20T08:15:26.000000+00:00\nLast Submission:2026-04-20T08:15:26.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546689",
        "uuid": "028b55cd-a5a5-4792-8095-5cc604e3bd88",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546689",
            "to_ids": true,
            "type": "md5",
            "uuid": "86f99ffb-a713-4e65-9126-07c1915cb8d4",
            "value": "77665f06b8a480632884728913f1f257",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546689",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e5be2f93-0560-432d-8662-19f6e64bc895",
            "value": "c00923c80240335a04e68eeeb2ff9edfd38df84f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546689",
            "to_ids": true,
            "type": "sha256",
            "uuid": "968a1bb5-acbb-4de0-be70-d29ddb8f214a",
            "value": "e1869d6571894f058dd4ab2b66f060628dc364ee8e29afbd2323c95e5002fb8e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778944149",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "0a1af1e0-fcaa-4acd-b11c-a9700af08f81",
            "value": "393216:VfLYo5wWtPFrh3CD3m0yHO2Ehdc+qA6NEACIFAl6R62I1M7fuGk5Xav4D6VplS7f:eo57y2A/15IyM2qvW73QQ2ujt7Ma3"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778944149",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "ec82f327-5ab8-4309-92f4-2a5f4b013210",
            "value": "102617088"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778944149",
            "to_ids": true,
            "type": "vhash",
            "uuid": "709d0086-ad40-4ae2-beb3-431234970878",
            "value": "0180267d5\"z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778944149",
            "to_ids": true,
            "type": "filename",
            "uuid": "a47762fc-d00b-4eca-8598-ec72d857d561",
            "value": "s4.exe.bin_2026-04-04_18-02-1401~Rip.bin"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778944149",
            "to_ids": false,
            "type": "text",
            "uuid": "102a00d4-6e69-48f4-89a7-a7c7d826fd4c",
            "value": "Type Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:18/69\nFirst Submission:2026-04-04T23:51:19.000000+00:00\nLast Submission:2026-04-04T23:51:19.000000+00:00"
          }
        ]
      }
    ]
  }
}