{
  "Event": {
    "analysis": "1",
    "date": "2024-11-19",
    "extends_uuid": "",
    "info": "[Threat Intel] FrostyGoop\u2019s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications",
    "protected": false,
    "publish_timestamp": "1772407313",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1772407311",
    "uuid": "06203046-3e11-4e44-a20c-29360013e3a7",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"FrostyGoop\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#190061",
        "local": false,
        "name": "rectifyq:topic=\"ics-ot\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#f63636",
        "local": false,
        "name": "ICS-specific",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Industrial\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Energy\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772363852",
        "to_ids": false,
        "type": "link",
        "uuid": "2136331f-6e08-4398-990b-2965b3f8923e",
        "value": "https://unit42.paloaltonetworks.com/frostygoop-malware-analysis/"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772363893",
        "to_ids": false,
        "type": "link",
        "uuid": "ad64019c-dd09-4dc2-8050-b0ca064f6d89",
        "value": "https://ukraine.ohchr.org/sites/default/files/2024-09/ENG%20Attacks%20on%20Ukraine%E2%80%99s%20Energy%20Infrastructure-%20%20Harm%20to%20the%20Civilian%20Population.pdf"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772394196",
        "uuid": "f442fe97-73ef-4efd-a7a4-ac9a51d3f7c0",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Windows executable file for FrostyGoop malware",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772394196",
            "to_ids": true,
            "type": "md5",
            "uuid": "a9f5131c-5f6e-4678-b019-efdd4d461eb7",
            "value": "0f302500bf0565737f09e75cd56b8088",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Windows executable file for FrostyGoop malware",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772394134",
            "to_ids": true,
            "type": "sha1",
            "uuid": "a3187aea-74dd-4077-b636-64f82b938d5d",
            "value": "6a572f0395439e3ba00e1b32c3dfb729d7a197cd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Windows executable file for FrostyGoop malware",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772394134",
            "to_ids": true,
            "type": "sha256",
            "uuid": "61d18a2c-ebeb-41b2-8ec1-2a129c633cf3",
            "value": "5d2e4fd08f81e3b2eb2f3eaae16eb32ae02e760afc36fa17f4649322f6da53fb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772393062",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "40fc244b-fc08-478c-9989-fe0949431c9b",
            "value": "49152:zZ02M3iGhwlrb/TlvO90d7HjmAFd4A64nsfJ2tDgsAwe9kSPgaS7r/a++lD1H54b:Whka4uNoPy5stb"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772393062",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "95d295e6-8aef-4a2e-aa60-2a96fa0fa6d7",
            "value": "3699200"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772393062",
            "to_ids": true,
            "type": "vhash",
            "uuid": "162215cd-3b7c-4b08-9ea6-d6735b0ef513",
            "value": "0360d6655d15557575157az28!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772393062",
            "to_ids": true,
            "type": "filename",
            "uuid": "390d7dd6-4706-42fb-8ed5-154989ac36a6",
            "value": "5d2e4fd08f81e3b2eb2f3eaae16eb32ae02e760afc36fa17f4649322f6da53fb (2).exe"
          },
          {
            "category": "Other",
            "comment": "Checked (DD/MM/YYYY): 02/03/2026\nLast scan: 27/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772393062",
            "to_ids": false,
            "type": "text",
            "uuid": "87dde148-503c-4432-b7e4-b3e4dc7ea6f3",
            "value": "Windows executable file for FrostyGoop malware\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/FrostyGoop.A!MTB\nVT Total Detection:54/72\nFirst Submission:2023-10-30T16:13:12.000000+00:00\nLast Submission:2026-02-27T08:27:33.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772394217",
        "uuid": "905b4960-f4b4-4965-bfe5-a1200001ff6c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Windows executable file for FrostyGoop malware",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772394217",
            "to_ids": true,
            "type": "md5",
            "uuid": "4b3efd0a-ee60-463e-a847-44cf167b666f",
            "value": "db210c39721c58c4c3fbf0c8d6cb3d0e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Windows executable file for FrostyGoop malware",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772394136",
            "to_ids": true,
            "type": "sha1",
            "uuid": "f4d9792b-7a3b-485b-b965-09a98cc38d33",
            "value": "a469583ded8d2cc7c5388a10c5f7a10331f38c16",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Windows executable file for FrostyGoop malware",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772394136",
            "to_ids": true,
            "type": "sha256",
            "uuid": "c041feef-7079-4345-b43e-7c08b2076514",
            "value": "a63ba88ad869085f1625729708ba65e87f5b37d7be9153b3db1a1b0e3fed309c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772393084",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "207f3da7-7e9d-45d6-99dc-7a2bcd763e51",
            "value": "49152:0TpI9F/cfr6XcJrb/TkvO90d7HjmAFd4A64nsfJyhrQRhdyg1a5SJZpIMgD1:BU6qHQ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772393084",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "fc2deff3-ec67-4bad-be36-de8a74d93442",
            "value": "2439680"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772393084",
            "to_ids": true,
            "type": "vhash",
            "uuid": "84f6b07d-6ec1-4fc7-9657-8e0feec6ec58",
            "value": "026066655d1d15541az27!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772393084",
            "to_ids": true,
            "type": "filename",
            "uuid": "60be04d5-6bd6-4bc1-9b1f-cc59a5919f33",
            "value": "a63ba88ad869085f1625729708ba65e87f5b37d7be9153b3db1a1b0e3fed309c.exe"
          },
          {
            "category": "Other",
            "comment": "Checked (DD/MM/YYYY): 02/03/2026\nLast scan: 09/01/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772393084",
            "to_ids": false,
            "type": "text",
            "uuid": "a4228b1e-2b9b-41f6-a13b-bbe19e755944",
            "value": "Windows executable file for FrostyGoop malware\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/CryptInject!MSR\nVT Total Detection:48/70\nFirst Submission:2023-10-30T09:27:04.000000+00:00\nLast Submission:2026-02-27T08:36:13.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772394239",
        "uuid": "4cc4e55a-8dea-4d32-a4ca-884c3648a510",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Windows executable file for FrostyGoop malware",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772394239",
            "to_ids": true,
            "type": "md5",
            "uuid": "e31565ca-097b-4d6c-90b0-1b4418973d24",
            "value": "9194351159ea3faba1783895c2a17293",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Windows executable file for FrostyGoop malware",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772394137",
            "to_ids": true,
            "type": "sha1",
            "uuid": "145a30d2-4203-498e-b1ff-71b4e2db949e",
            "value": "cea3a3366d4b41c1d214e9e4d6680d5fe4e16d23",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Windows executable file for FrostyGoop malware",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772394137",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a12a690e-5ef3-4669-a452-51ad3232f143",
            "value": "2fd9cb69ef30c0d00a61851b2d96350a9be68c7f1f25a31f896082cfbf39559a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772393105",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e5b97efa-a0de-42a0-8e3a-928ba408734f",
            "value": "49152:lad5PdCdsVIrb/TIvO90d7HjmAFd4A64nsfJsV5T04UA1xg6tqjDdOuggxRYYJmC:G04TSY"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772393105",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "6bc4fd34-ef88-4336-8d33-f59db6c341d2",
            "value": "3359232"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772393105",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d27bbe76-9463-40c2-a4ee-b98e910a871b",
            "value": "036066655d1d15541az27!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772393105",
            "to_ids": true,
            "type": "filename",
            "uuid": "2c46c34d-d58f-4601-b1eb-009d2ab0ed06",
            "value": "malware.exe"
          },
          {
            "category": "Other",
            "comment": "Checked (DD/MM/YYYY): 02/03/2026\nLast scan: 18/12/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772393105",
            "to_ids": false,
            "type": "text",
            "uuid": "b2f76147-4ff6-4f67-a7ec-35295fa78226",
            "value": "Windows executable file for FrostyGoop malware\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Malgent!MSR\nVT Total Detection:48/71\nFirst Submission:2023-10-30T16:09:31.000000+00:00\nLast Submission:2025-02-12T04:48:59.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772394260",
        "uuid": "f7a46aea-d343-41a4-abd3-7078ade77d7b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Windows executable file for FrostyGoop malware",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772394260",
            "to_ids": true,
            "type": "md5",
            "uuid": "e1e8a830-9731-4f25-8efe-cb24ac9cbaf8",
            "value": "8e552e1f1fe0aa72c04813fbcf6a23e3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Windows executable file for FrostyGoop malware",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772394138",
            "to_ids": true,
            "type": "sha1",
            "uuid": "c74ea07f-881b-48ef-9675-17961b713ebc",
            "value": "5ec166753501b7ca53f246f28dad85db8d093e73",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Windows executable file for FrostyGoop malware",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772394138",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f8c27481-badd-4fc7-83c9-87e4968fe819",
            "value": "c64b67c116044708e282d0d1a8caea2360270a7fc679befa5e28d1ca15f6714c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772393127",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d1289964-77ce-408e-9767-092e961b06ae",
            "value": "24576:734TYQu3Lhs3lgWh8fgwIhSgFpZWZ6cD1SWkwq9GUDDGFgXpaT:j4TYQGLheCjgwIYccD1AUL/T"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772393127",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "33f0fe34-692f-4eea-95a6-418a67a3eb6a",
            "value": "1951232"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772393127",
            "to_ids": true,
            "type": "vhash",
            "uuid": "66578c45-48d9-4073-8504-aeee72f1c4fa",
            "value": "0160d6655d55557575157az27!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772393127",
            "to_ids": true,
            "type": "filename",
            "uuid": "1f90f787-be7d-4467-98a2-bd8c5f2c02dc",
            "value": "hello2.exe"
          },
          {
            "category": "Other",
            "comment": "Checked (DD/MM/YYYY): 02/03/2026\nLast scan: 10/04/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772393127",
            "to_ids": false,
            "type": "text",
            "uuid": "ac221327-6525-4cde-adc5-a18241fabb0c",
            "value": "Windows executable file for FrostyGoop malware\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/CryptInject!MSR\nVT Total Detection:46/72\nFirst Submission:2023-10-30T09:59:11.000000+00:00\nLast Submission:2026-02-27T08:36:15.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772394281",
        "uuid": "bfd03ff2-01d1-4ce1-b49f-8a5d3604d993",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Windows executable file for FrostyGoop malware",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772394281",
            "to_ids": true,
            "type": "md5",
            "uuid": "e699e125-50b7-4608-b0aa-ca9f689fc5da",
            "value": "a23066d12ee9c74664eccd653afa10f7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Windows executable file for FrostyGoop malware",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772394139",
            "to_ids": true,
            "type": "sha1",
            "uuid": "f3601611-3b70-4c21-b37d-abcb166f319d",
            "value": "1319a96d59edb3c575a81d16f5a619eb00618047",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Windows executable file for FrostyGoop malware",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772394139",
            "to_ids": true,
            "type": "sha256",
            "uuid": "5196bed7-a892-4804-a963-a304b2d5f615",
            "value": "91062ed8cc5d92a3235936fb93c1e9181b901ce6fb9d4100cc01167cdc08745f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772393149",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "0fdf8992-b82a-43f8-8662-453d9be9b075",
            "value": "49152:ECjkAhvBJQturb/TLvO90d7HjmAFd4A64nsfJYoEUcjjAyg6EADNn/NPfvz1:N5jI"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772393149",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "bc154824-dc9a-4c84-9ae3-c94fc5b3b1b3",
            "value": "2516480"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772393149",
            "to_ids": true,
            "type": "vhash",
            "uuid": "41f6a8c8-cc99-4daf-8fa4-b6f72ca053c6",
            "value": "026066655d5d15541az27!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772393149",
            "to_ids": true,
            "type": "filename",
            "uuid": "0ed4bb53-3589-424d-9ca1-867316b0d696",
            "value": "modbus.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/03/2026\nLast-scan\t:  04/12/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772393149",
            "to_ids": false,
            "type": "text",
            "uuid": "7c78d224-8f9b-4385-bc27-bb70c9dc039f",
            "value": "Windows executable file for FrostyGoop malware\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/CryptInject!MSR\nVT Total Detection:41/72\nFirst Submission:2023-10-30T09:00:06.000000+00:00\nLast Submission:2025-12-03T13:19:10.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772394302",
        "uuid": "0b81ae8b-6c45-413d-93db-60a10701289b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Windows executable file for FrostyGoop malware",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772394302",
            "to_ids": true,
            "type": "md5",
            "uuid": "34a0b85d-3b6c-4448-b767-eb9f20e18dc5",
            "value": "cd74b888eae5bfc4ce0d46e85d8f1cc8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Windows executable file for FrostyGoop malware",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772394141",
            "to_ids": true,
            "type": "sha1",
            "uuid": "31f2e149-0e58-459a-a14a-84af82f09adc",
            "value": "aa7668cbc781c26917a69186315eaf5bc24189f9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Windows executable file for FrostyGoop malware",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772394141",
            "to_ids": true,
            "type": "sha256",
            "uuid": "6581b88f-0c69-4ba1-b33b-8f208c39937e",
            "value": "a25f91b6133cb4eb3ecb3e0598bbab16b80baa40059e623e387a6b1082d6f575",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772393171",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a8096553-932d-4683-897f-4dce2b3c109e",
            "value": "49152:RF2HUGqmUUpBPrb/TLvO90d7HjmAFd4A64nsfJchhetMyg6EADNn/Nvyuz1:Vbt8"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772393171",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a48ec48f-1c8d-4c5d-9c72-bf841d9d8bbe",
            "value": "2515968"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772393171",
            "to_ids": true,
            "type": "vhash",
            "uuid": "eb808805-5026-45b6-937d-5f0ef20b628a",
            "value": "026066655d5d15541az27!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772393171",
            "to_ids": true,
            "type": "filename",
            "uuid": "d70578ea-173f-4abd-bdf6-eb015bc3ab80",
            "value": "modbus.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/03/2026\nLast-scan\t:  13/10/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772393171",
            "to_ids": false,
            "type": "text",
            "uuid": "c74031c7-78f2-405c-b213-c1fb39e01e2c",
            "value": "Windows executable file for FrostyGoop malware\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/CryptInject!MSR\nVT Total Detection:47/72\nFirst Submission:2023-10-30T09:33:50.000000+00:00\nLast Submission:2023-10-30T09:33:50.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772394325",
        "uuid": "9d22806f-e52f-4a87-9d4c-c5cb0cc8668e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Windows executable file for go-encrypt.exe, likely used during previous FrostyGoop activity",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772394325",
            "to_ids": true,
            "type": "md5",
            "uuid": "4f742523-9f1f-42dc-bca5-4294c6c51426",
            "value": "568256a190a2f852a40e399405bfbe05",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Windows executable file for go-encrypt.exe, likely used during previous FrostyGoop activity",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772394141",
            "to_ids": true,
            "type": "sha1",
            "uuid": "3ba9f6ac-6c6a-4c8d-8557-1bc04326e533",
            "value": "56a9f7853e9f4c2bb2e98b381ad1eebe065721b1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Windows executable file for go-encrypt.exe, likely used during previous FrostyGoop activity",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772394141",
            "to_ids": true,
            "type": "sha256",
            "uuid": "7bd2a13a-70a1-4432-860f-c812af18f784",
            "value": "9cf30d82a86a9485f7bbd0786a5de207cf4902691a3efcfc966248cb1e87d5b7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772393192",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "0ac4ea4b-95f7-4fce-a15c-ae028d6a66ef",
            "value": "49152:C5fIHP57LSyT+rb/TOvO90d7HjmAFd4A64nsfJVKHLWpgh0DtabK8z1:CISj"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772393192",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4d3b0d0d-ab3b-4886-9251-a29b55eb8ed6",
            "value": "1773568"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772393192",
            "to_ids": true,
            "type": "vhash",
            "uuid": "95e232f5-cf0a-4aa8-bd95-a999516b937b",
            "value": "016066655d5d15541az27!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772393192",
            "to_ids": true,
            "type": "filename",
            "uuid": "c57c5853-065f-4f2e-9220-766ad43555fe",
            "value": "2024-11-28_568256a190a2f852a40e399405bfbe05_frostygoop_luca-stealer_snatch"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/03/2026\nLast-scan\t:  27/07/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772393192",
            "to_ids": false,
            "type": "text",
            "uuid": "1a3c7d58-e424-4c98-8bb9-e3a6550b043a",
            "value": "Windows executable file for go-encrypt.exe, likely used during previous FrostyGoop activity\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win64/Malgent!MSR\nVT Total Detection:50/72\nFirst Submission:2023-10-30T10:16:40.000000+00:00\nLast Submission:2025-07-26T09:48:31.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772394346",
        "uuid": "937983a3-240e-4bfd-b019-470e20e6570c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "JSON file named task_test.json likely used to test go-encrypt.exe in the July 2024 FrostyGoop attack",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772394346",
            "to_ids": true,
            "type": "md5",
            "uuid": "c655b34c-ffbe-445a-a711-8f4470c776d0",
            "value": "4ca30ba120df5b8332d8062934bf94ba",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "JSON file named task_test.json likely used to test go-encrypt.exe in the July 2024 FrostyGoop attack",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772394143",
            "to_ids": true,
            "type": "sha1",
            "uuid": "eb19a143-a5fb-4319-9b48-aae65d7e6dd3",
            "value": "a3ba2aad242f54c4a1dd8cb34d0d1981c81f3001",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "JSON file named task_test.json likely used to test go-encrypt.exe in the July 2024 FrostyGoop attack",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772394143",
            "to_ids": true,
            "type": "sha256",
            "uuid": "15937cd4-fdc5-4b11-beaf-39c49438380c",
            "value": "06919e6651820eb7f783cea8f5bc78184f3d437bc9c6cde9bfbe1e38e5c73160",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772393214",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "b9422d52-536b-4044-9027-802103870684",
            "value": "6:pCHCUQTitcRMbodF+mqYscRMSaxdF4j/iscRMvVaxdF+mqYscRMWdF4j/RS:CCULtcRMEHITcRMSSHOFcRMvYxHITcRh"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772393214",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "93e1db0b-96c1-4e86-8db3-edbc11f079e9",
            "value": "379"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772393214",
            "to_ids": true,
            "type": "filename",
            "uuid": "86e369eb-d19d-46f8-bf48-70753ab761de",
            "value": "task_test.json"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/03/2026\nLast-scan\t:  23/01/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772393214",
            "to_ids": false,
            "type": "text",
            "uuid": "aff20ac9-7254-49c5-b2c5-cdd791fe8558",
            "value": "JSON file named task_test.json likely used to test go-encrypt.exe in the July 2024 FrostyGoop attack\r\nType Description: JSON\nMicrosoft: None\nVT Total Detection:0/61\nFirst Submission:2023-10-30T09:31:22.000000+00:00\nLast Submission:2023-10-30T09:31:22.000000+00:00"
          }
        ]
      }
    ]
  }
}