{
  "Event": {
    "analysis": "1",
    "date": "2026-01-27",
    "extends_uuid": "",
    "info": "[Threat Intel] HoneyMyte updates CoolClient and deploys multiple stealers in recent campaigns",
    "protected": false,
    "publish_timestamp": "1780041987",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1780041987",
    "uuid": "033d1a45-804d-43ad-b916-a942ecf806fa",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd2e44",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#1ebce4",
        "local": false,
        "name": "misp-galaxy:producer=\"Kaspersky\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"MUSTANG PANDA\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#7f009f",
        "local": false,
        "name": "ms-caro-malware:malware-platform=\"WinNT\"",
        "relationship_type": ""
      },
      {
        "colour": "#03bdda",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1073\"",
        "relationship_type": ""
      },
      {
        "colour": "#e1e63b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Government, Administration\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:region=\"035 - South-eastern Asia\"",
        "relationship_type": ""
      },
      {
        "colour": "#915448",
        "local": false,
        "name": "misp-galaxy:target-information=\"Malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#d9dfae",
        "local": false,
        "name": "misp-galaxy:target-information=\"Mongolia\"",
        "relationship_type": ""
      },
      {
        "colour": "#b03f2c",
        "local": false,
        "name": "misp-galaxy:target-information=\"Myanmar\"",
        "relationship_type": ""
      },
      {
        "colour": "#670cf4",
        "local": false,
        "name": "misp-galaxy:target-information=\"Pakistan\"",
        "relationship_type": ""
      },
      {
        "colour": "#15cd0b",
        "local": false,
        "name": "misp-galaxy:target-information=\"Russia\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Bypass User Account Control - T1088\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Bypass User Account Control - T1548.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#8196ba",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1060\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#705cef",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#b24806",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Indicator Removal - T1070\"",
        "relationship_type": ""
      },
      {
        "colour": "#72ee33",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#220082",
        "local": false,
        "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1769518217",
        "to_ids": false,
        "type": "link",
        "uuid": "77595e26-6528-4c56-a145-3cd97b72a6b0",
        "value": "https://securelist.com/honeymyte-updates-coolclient-uses-browser-stealers-and-scripts/118664/"
      },
      {
        "category": "Payload delivery",
        "comment": "CoolClient - libngs.dll\r\nNo sample in VT - Last check: 27/01/2026\r\nNo sample in VT - Last check: 28/01/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779534224",
        "to_ids": true,
        "type": "md5",
        "uuid": "50af69e8-eada-44fa-adf4-c32013953dee",
        "value": "f518d8e5fe70d9090f6280c68a95998f",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "CoolClient - time.dat\r\nNo sample in VT - Last check: 27/01/2026\r\nNo sample in VT - Last check: 28/01/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779534225",
        "to_ids": true,
        "type": "md5",
        "uuid": "620d19ee-2537-45f1-94ee-a5e3281915b2",
        "value": "6b7300a8b3f4aac40eeecfd7bc47ee7c",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "CoolClient plugins - ServiceMgrS.dll\r\nNo sample in VT - Last check: 27/01/2026\r\nNo sample in VT - Last check: 28/01/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779534227",
        "to_ids": true,
        "type": "md5",
        "uuid": "e30f7250-f3da-4323-af79-2af8de369c4f",
        "value": "7aa53ba3e3f8b0453ffcfba06347ab34",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "CoolClient plugins - FileMgrS.dll\r\nNo sample in VT - Last check: 27/01/2026\r\nNo sample in VT - Last check: 28/01/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779534229",
        "to_ids": true,
        "type": "md5",
        "uuid": "5b8c627b-16d5-46c4-87cd-0038486eeec2",
        "value": "a1cd59f769e9e5f6a040429847ca6eae",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "CoolClient plugins - RemoteShellS.dll\r\nNo sample in VT - Last check: 27/01/2026\r\nNo sample in VT - Last check: 28/01/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779534231",
        "to_ids": true,
        "type": "md5",
        "uuid": "f22b170d-9139-4df1-b0e8-c5fee046b806",
        "value": "1bc5329969e6bf8ef2e9e49aab003f0b",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Browser login data stealer - Variant A\r\nNo sample in VT - Last check: 27/01/2026\r\nNo sample in VT - Last check: 28/01/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779534232",
        "to_ids": true,
        "type": "md5",
        "uuid": "45c17572-f3a4-4e91-b33c-754c40de7138",
        "value": "1a5a9c013ce1b65abc75d809a25d36a7",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Browser login data stealer - Variant C\r\nNo sample in VT - Last check: 27/01/2026\r\nNo sample in VT - Last check: 28/01/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779534234",
        "to_ids": true,
        "type": "md5",
        "uuid": "9cc0118b-6495-43d8-92ad-60a0cf4c1cae",
        "value": "da6f89f15094fd3f74ba186954be6b05",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Scripts - 1.bat\r\nNo sample in VT - Last check: 27/01/2026\r\nNo sample in VT - Last check: 28/01/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779534236",
        "to_ids": true,
        "type": "md5",
        "uuid": "eaf6ce35-6030-4d21-86a0-f24060038cbd",
        "value": "c19bd9e6f649df1df385deef94e0e8c4",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Scripts - Ttraazcs32.ps1\r\nNo sample in VT - Last check: 27/01/2026\r\nNo sample in VT - Last check: 28/01/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779534238",
        "to_ids": true,
        "type": "md5",
        "uuid": "5226de2d-dcd6-4963-b33a-565d2570110f",
        "value": "838b591722512368f81298c313e37412",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Scripts - t.ps1\r\nNo sample in VT - Last check: 27/01/2026\r\nNo sample in VT - Last check: 28/01/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779534239",
        "to_ids": true,
        "type": "md5",
        "uuid": "8eaa673d-701d-4167-aceb-f24690be4647",
        "value": "a4d7147f0b1ca737bfc133349841aaba",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "CoolClient C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1769528287",
        "to_ids": true,
        "type": "hostname",
        "uuid": "1202220e-86fe-4ecf-bc9c-8b17af2fc497",
        "value": "account.hamsterxnxx.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "CoolClient C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1769528309",
        "to_ids": true,
        "type": "domain",
        "uuid": "2a4ca240-19a9-4f34-aa59-087e12fad6ba",
        "value": "popnike-share.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "CoolClient C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1769528330",
        "to_ids": true,
        "type": "hostname",
        "uuid": "e7d52d53-1b97-407c-b389-35dc1167510b",
        "value": "japan.lenovoappstore.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "FTP server",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780041987",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "77e4444e-7304-4e47-a66b-7dea1dde4819",
        "value": "113.23.212.15",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#48ba09",
            "local": false,
            "name": "asn:asn=\"38182\"",
            "relationship_type": ""
          },
          {
            "colour": "#d28c12",
            "local": false,
            "name": "asn:as-owner=\"EXTREMEBB-AS-MY Extreme Broadband - Total Broadband Experience\"",
            "relationship_type": ""
          },
          {
            "colour": "#12ee4d",
            "local": false,
            "name": "asn:as-country=\"MY\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"malaysia\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Attribution",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778105089",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "d59a6e16-6a4d-46dc-84df-cb3ab336c22d",
        "value": "HoneyMyte",
        "Tag": [
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:threat-actor=\"MUSTANG PANDA\"",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779534216",
        "uuid": "3214be52-32e8-461d-86bd-29c4fb11e9cc",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "CoolClient - loader.dat",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779534216",
            "to_ids": true,
            "type": "md5",
            "uuid": "1bfdbb4d-8d9e-428a-873f-46eaeee8421a",
            "value": "1a61564841bbbb8e7774cbbeb3c68d5d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "CoolClient - loader.dat",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779534216",
            "to_ids": true,
            "type": "sha1",
            "uuid": "ceb8e4e0-d269-4b46-acd3-6ee3b932aa0d",
            "value": "83162af628c523c7800f28e6d0ec2a2405ea1c1c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "CoolClient - loader.dat",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779534216",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b8509467-3c8b-4a55-a72d-7cf2c668d757",
            "value": "8c410fc956149cb88d3a7a1bf92d065bf916296ff63065785a1dc1b8045af40a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1769518945",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "673fcdfa-071b-42c9-a6ef-ce4a53742472",
            "value": "6144:3CBQCS5AuV5WWCEbmeVH2EKRnssUmeC65+Fl40x:3CQFbmeVH21RnCAI+IS"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1769518945",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "58c5b362-c902-4c9d-97aa-1f895a2cb257",
            "value": "203013"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1769518945",
            "to_ids": true,
            "type": "filename",
            "uuid": "9ea5ff72-7771-4615-8cc8-427ce3f0d354",
            "value": "loader.dat"
          },
          {
            "category": "Other",
            "comment": "Checked: 27/01/2026\nLast-scan\t:  16/05/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1769518945",
            "to_ids": false,
            "type": "text",
            "uuid": "49ee05f3-191d-41e8-9149-d8118e4dbd2d",
            "value": "CoolClient - loader.dat\r\nType Description: unknown\nMicrosoft: None\nVT Total Detection:0/61\nFirst Submission:2025-03-28T05:45:32.000000+00:00\nLast Submission:2025-03-28T05:45:32.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779534219",
        "uuid": "e11648e6-addf-4e77-90f8-6b8c2f094e80",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "CoolClient - main.dat",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779534218",
            "to_ids": true,
            "type": "md5",
            "uuid": "0fe078ce-63e5-4959-a181-ae3211f1e116",
            "value": "aeb25c9a286ee4c25ca55b72a42efa2c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "CoolClient - main.dat",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779534219",
            "to_ids": true,
            "type": "sha1",
            "uuid": "98549081-df1e-4b74-871b-78a3613bd468",
            "value": "dfa6f86f2646b202e4d5ff64d5843a44a0662414",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "CoolClient - main.dat",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779534219",
            "to_ids": true,
            "type": "sha256",
            "uuid": "d5348ae9-90f1-43db-8697-34aeb6d121a4",
            "value": "04c8584fdf34ad59192809c8934c6aef0617fef4faf5ad918da68576d9733af9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1769518967",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d1000ba2-fa66-423f-9051-10fd3426337d",
            "value": "6144:i8Zi0RiXIp6RMqaWuNNEITBlL/CmgwtcacYa9dUnVq7UNxqTAXMsMMxGeMFLdaho:i880RiS+aXNhLjrUYw8+uMDaFhTTNS"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1769518967",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "d77fa44f-0ae7-4a90-9bb5-ece787cdb1f3",
            "value": "493829"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1769518967",
            "to_ids": true,
            "type": "filename",
            "uuid": "40cbb07f-1419-4872-baba-9f4082ee085d",
            "value": "main.dat"
          },
          {
            "category": "Other",
            "comment": "Checked: 27/01/2026\nLast-scan\t:  16/05/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1769518967",
            "to_ids": false,
            "type": "text",
            "uuid": "bfa34bcf-367e-4e56-850c-181fadd41a77",
            "value": "CoolClient - main.dat\r\nType Description: unknown\nMicrosoft: None\nVT Total Detection:0/61\nFirst Submission:2025-03-28T05:46:11.000000+00:00\nLast Submission:2025-03-28T05:46:11.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779534222",
        "uuid": "bc9df6b7-3fef-4fb1-ac1f-6722c5949f2f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Browser login data stealer - Variant B",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779534221",
            "to_ids": true,
            "type": "md5",
            "uuid": "c4011e9a-9ed8-4a20-a00a-bc40ea25c817",
            "value": "e1b7ef0f3ac0a0a64f86e220f362b149",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Browser login data stealer - Variant B",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779534221",
            "to_ids": true,
            "type": "sha1",
            "uuid": "4f608557-c243-4191-80f1-9aef54c252c8",
            "value": "78cee623d06696ee31b25aa4e1b07c5724b1f7b7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Browser login data stealer - Variant B",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779534222",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b6a9b6c7-3738-444c-a5a5-b268350c255e",
            "value": "941993f885957176d75f24ef3f8935ecb589bb9b445bb0d71fb18b65e61b6ee4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1769519095",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "920ed55a-63ef-46c4-91a6-b2dd5ff47429",
            "value": "24576:WytIVIJDUbGiq6l2SVrPmYsSHypYBU184TAn7NuuIwOrRu:ztcafv42SpPw84AoHA"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1769519095",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "562c60ae-5121-4875-8075-19696c2c54db",
            "value": "833024"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1769519095",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d3877200-70f9-4710-bc05-692813d24cb6",
            "value": "085046655d1565z12z85jz1jz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1769519095",
            "to_ids": true,
            "type": "filename",
            "uuid": "300a4ee4-540d-450e-9969-fcfec6217943",
            "value": "e1b7ef0f3ac0a0a64f86e220f362b149.virus"
          },
          {
            "category": "Other",
            "comment": "Checked: 27/01/2026\nLast-scan\t:  27/01/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1769519095",
            "to_ids": false,
            "type": "text",
            "uuid": "d7a5c2d3-b517-4e28-8e37-f8ea52a5581e",
            "value": "Browser login data stealer - Variant B\r\nType Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:25/72\nFirst Submission:2024-03-27T17:15:18.000000+00:00\nLast Submission:2024-03-27T17:15:18.000000+00:00"
          }
        ]
      }
    ]
  }
}