{
  "Event": {
    "analysis": "1",
    "date": "2024-08-02",
    "extends_uuid": "",
    "info": "[Threat Intel] ICS Malware \u2018FrostyGoop/BUSTLEBERM\u2019: Insights Others Missed",
    "protected": false,
    "publish_timestamp": "1772407323",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1772407321",
    "uuid": "97a6d6ae-e891-40d8-8f67-c9065ead4c51",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"FrostyGoop\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#190061",
        "local": false,
        "name": "rectifyq:topic=\"ics-ot\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#f63636",
        "local": false,
        "name": "ICS-specific",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Industrial\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Energy\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772363173",
        "to_ids": false,
        "type": "link",
        "uuid": "5af80554-e2ba-417e-ba0a-52af74fd69df",
        "value": "https://www.forescout.com/blog/ics-malware-frostygoopbustleberm-insights-others-missed/"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772363255",
        "to_ids": false,
        "type": "link",
        "uuid": "aaf28d89-8acb-41dd-9494-0c96e2019ddc",
        "value": "https://x.com/cyb3rops/status/1815771782051237998"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772368844",
        "uuid": "667b660c-4a7d-4e89-8321-1d3fb34ec21a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772368844",
            "to_ids": true,
            "type": "md5",
            "uuid": "982317ce-a560-4e19-87cf-8d0f9e9f97c2",
            "value": "0f302500bf0565737f09e75cd56b8088",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772367773",
            "to_ids": true,
            "type": "sha1",
            "uuid": "5d3a42f7-8763-4b1b-94a1-78a044ecd79c",
            "value": "6a572f0395439e3ba00e1b32c3dfb729d7a197cd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772367773",
            "to_ids": true,
            "type": "sha256",
            "uuid": "35c2c82e-f269-4bca-a655-ffc20676eb53",
            "value": "5d2e4fd08f81e3b2eb2f3eaae16eb32ae02e760afc36fa17f4649322f6da53fb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772367138",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "6daf9140-b949-4ded-a040-489684f2a6dd",
            "value": "49152:zZ02M3iGhwlrb/TlvO90d7HjmAFd4A64nsfJ2tDgsAwe9kSPgaS7r/a++lD1H54b:Whka4uNoPy5stb"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772367138",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4e76c6cb-e659-4f78-bb7a-01f388e8d3d9",
            "value": "3699200"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772367138",
            "to_ids": true,
            "type": "vhash",
            "uuid": "4997a343-39fb-4139-b62d-11d352e88f56",
            "value": "0360d6655d15557575157az28!z"
          },
          {
            "category": "Payload delivery",
            "comment": "Filename is the sample's sha256 with a ' (2).exe' suffix (looks like a repository download artifact, not a name observed on a victim host). to_ids is true on this attribute, so expect false positives if it is exported as a filename indicator; consider excluding it from IDS/EDR feeds.",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772367138",
            "to_ids": true,
            "type": "filename",
            "uuid": "2b716009-0965-4df4-af13-983f1ea46717",
            "value": "5d2e4fd08f81e3b2eb2f3eaae16eb32ae02e760afc36fa17f4649322f6da53fb (2).exe"
          },
          {
            "category": "Other",
            "comment": "Checked (VT): 2026-03-01\nLast scan (VT): 2026-02-27\nDetection ratio in the value is a point-in-time snapshot; re-query before relying on it.",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772367138",
            "to_ids": false,
            "type": "text",
            "uuid": "9f4e66d4-254f-4e34-861a-4176180cdf2b",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/FrostyGoop.A!MTB\nVT Total Detection:54/72\nFirst Submission:2023-10-30T16:13:12.000000+00:00\nLast Submission:2026-02-27T08:27:33.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772368865",
        "uuid": "152fb219-2dbe-494c-b165-44e1d803c740",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772368865",
            "to_ids": true,
            "type": "md5",
            "uuid": "4034a47a-f0d6-4f02-86ea-db6309ef1013",
            "value": "db210c39721c58c4c3fbf0c8d6cb3d0e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772367773",
            "to_ids": true,
            "type": "sha1",
            "uuid": "4e3668d4-4b85-439c-8123-f76561c722a3",
            "value": "a469583ded8d2cc7c5388a10c5f7a10331f38c16",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772367773",
            "to_ids": true,
            "type": "sha256",
            "uuid": "327a7ada-2ed2-403c-b8c6-744daf302b46",
            "value": "a63ba88ad869085f1625729708ba65e87f5b37d7be9153b3db1a1b0e3fed309c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772367160",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a1b43cc4-36bb-4c17-9484-af8946ad6ad9",
            "value": "49152:0TpI9F/cfr6XcJrb/TkvO90d7HjmAFd4A64nsfJyhrQRhdyg1a5SJZpIMgD1:BU6qHQ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772367160",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "14e1687a-97e2-4291-8e24-742fc0c93de4",
            "value": "2439680"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772367160",
            "to_ids": true,
            "type": "vhash",
            "uuid": "2e120edb-2aca-4701-a105-1550720c00ab",
            "value": "026066655d1d15541az27!z"
          },
          {
            "category": "Payload delivery",
            "comment": "Filename is just the sample's sha256 with an '.exe' extension (a repository download artifact, not a name observed on a victim host). to_ids is true on this attribute, so it adds no detection value and risks noise if exported as a filename indicator.",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772367160",
            "to_ids": true,
            "type": "filename",
            "uuid": "9dc2e955-d66d-46cc-8d34-39bb5e8ed46c",
            "value": "a63ba88ad869085f1625729708ba65e87f5b37d7be9153b3db1a1b0e3fed309c.exe"
          },
          {
            "category": "Other",
            "comment": "Checked (VT): 2026-03-01\nLast scan (VT): 2026-01-09\nThe Microsoft label below (CryptInject!MSR) is a generic injector verdict, not a FrostyGoop family name; attribution of this hash to FrostyGoop rests on the event's external-analysis sources, not on the AV verdict.",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772367160",
            "to_ids": false,
            "type": "text",
            "uuid": "2adccc5c-d01e-4e55-a4af-237ca47f6091",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/CryptInject!MSR\nVT Total Detection:48/70\nFirst Submission:2023-10-30T09:27:04.000000+00:00\nLast Submission:2026-02-27T08:36:13.000000+00:00"
          }
        ]
      }
    ]
  }
}