{
  "Event": {
    "analysis": "1",
    "date": "2025-08-19",
    "extends_uuid": "",
    "info": "[Threat Intel] Gh0st RAT-based GodRAT attacks financial organizations",
    "protected": false,
    "publish_timestamp": "1780041215",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1780041214",
    "uuid": "2c0e6dda-fc2d-459a-a095-3e79ab62e4b4",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#1ebce4",
        "local": false,
        "name": "misp-galaxy:producer=\"Kaspersky\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ee8d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#9dc839",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Clipboard Data - T1115\"",
        "relationship_type": ""
      },
      {
        "colour": "#ff841f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"",
        "relationship_type": ""
      },
      {
        "colour": "#68f2ff",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#75ec20",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#20f80d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Staged - T1074\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#356c41",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"",
        "relationship_type": ""
      },
      {
        "colour": "#2e58ce",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Input Capture - T1056\"",
        "relationship_type": ""
      },
      {
        "colour": "#07a4a1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Encoding - T1132\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#370063",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e459c3",
        "local": false,
        "name": "misp-galaxy:target-information=\"Hong Kong\"",
        "relationship_type": ""
      },
      {
        "colour": "#9afac6",
        "local": false,
        "name": "misp-galaxy:target-information=\"Jordan\"",
        "relationship_type": ""
      },
      {
        "colour": "#4cebc3",
        "local": false,
        "name": "misp-galaxy:target-information=\"Lebanon\"",
        "relationship_type": ""
      },
      {
        "colour": "#915448",
        "local": false,
        "name": "misp-galaxy:target-information=\"Malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#a24b57",
        "local": false,
        "name": "misp-galaxy:target-information=\"United Arab Emirates\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"AsyncRAT\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd2e44",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1755728977",
        "to_ids": false,
        "type": "link",
        "uuid": "866db466-5b08-41b7-8074-f293fbd571f4",
        "value": "https://securelist.com/godrat/117119"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1755728977",
        "to_ids": false,
        "type": "text",
        "uuid": "08d31f2b-5dcd-44e3-b484-951938821978",
        "value": "A newly identified Remote Access Trojan named GodRAT, based on the Gh0st RAT codebase, has been targeting financial firms since September 2024. The attackers distribute malicious .scr files via Skype, using steganography to embed shellcode in images. GodRAT supports plugins and is used alongside browser password stealers and AsyncRAT. The campaign, likely an evolution of the AwesomePuppet RAT connected to Winnti APT, remains active as of August 2025. Targets include organizations in Hong Kong, United Arab Emirates, Lebanon, Malaysia, and Jordan. The attackers employ various techniques to evade detection and maintain persistent access to compromised systems."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1755728977",
        "to_ids": false,
        "type": "text",
        "uuid": "e084e54b-acf2-4e43-84fd-7c285a0e8672",
        "value": "Name: Gh0st RAT-based GodRAT attacks financial organizations\nAuthor: AlienVault\nAdversary: Winnti\nTags: [\"steganography\", \"password-stealer\", \"financial-sector\", \"awesomepuppet\", \"gh0st rat\", \"ms edge password stealer\", \"skype\", \"godrat\", \"chrome password stealer\", \"asyncrat\"]\nTargeted countries: [\"Hong Kong\", \"Jordan\", \"Lebanon\", \"Malaysia\", \"United Arab Emirates\"]\nMalware families: [\"GodRAT\", \"AsyncRAT\", \"Chrome password stealer\", \"MS Edge password stealer\"]\nAttack_ids: [\"T1113\", \"T1204.002\", \"T1115\", \"T1071\", \"T1005\", \"T1140\", \"T1036\", \"T1055\", \"T1003.001\", \"T1059\", \"T1083\", \"T1074\", \"T1547.001\", \"T1027\", \"T1573\", \"T1056\", \"T1132\", \"T1105\", \"T1021.001\"]\nIndustries: [\"Finance\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1755728977",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "1199e227-f82b-4996-ab23-530cf69afd42",
        "value": "Winnti"
      },
      {
        "category": "Network activity",
        "comment": "GodRAT C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780041206",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "5b6f7910-8dbf-415c-9069-50fe2266def7",
        "value": "154.91.183.174",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#3d465e",
            "local": false,
            "name": "asn:asn=\"400619\"",
            "relationship_type": ""
          },
          {
            "colour": "#a21a3b",
            "local": false,
            "name": "asn:as-owner=\"AROSS-AS\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1755728977",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "d7d3cfae-0f1e-4e55-9c91-131ef653758e",
        "value": "CVE-2025-29824"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:23/08/2025 No sample in VT\r\nLast check:29/08/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1756429232",
        "to_ids": true,
        "type": "md5",
        "uuid": "26b736bd-0a8b-499a-9f15-15dfcdbdb151",
        "value": "084caf4df499141d404b7199aa2c2131",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Async RAT No sample in VT\r\nLast check:23/08/2025 No sample in VT\r\nLast check:29/08/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1756429253",
        "to_ids": true,
        "type": "md5",
        "uuid": "21772ebe-ccaa-484a-b954-c76fad3d88f7",
        "value": "17e71cd415272a6469386f95366d3b64",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:23/08/2025 No sample in VT\r\nLast check:29/08/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1756429274",
        "to_ids": true,
        "type": "md5",
        "uuid": "9b0864de-ed9d-4669-86f5-820a636ac000",
        "value": "2750d4d40902d123a80d24f0d0acc454",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Chrome Password Stealer No sample in VT\r\nLast check:23/08/2025 No sample in VT\r\nLast check:29/08/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1756429295",
        "to_ids": true,
        "type": "md5",
        "uuid": "7c90de7d-b617-4809-84a3-5b71c4038d00",
        "value": "31385291c01bb25d635d098f91708905",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "GodRAT Shellcode Injector No sample in VT\r\nLast check:23/08/2025 No sample in VT\r\nLast check:29/08/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1756429315",
        "to_ids": true,
        "type": "md5",
        "uuid": "c76a00bf-507d-4337-8335-b95a33856c68",
        "value": "318f5bf9894ac424fd4faf4ba857155e",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Async RAT No sample in VT\r\nLast check:23/08/2025 No sample in VT\r\nLast check:29/08/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1756429336",
        "to_ids": true,
        "type": "md5",
        "uuid": "c5034d21-ac02-45cd-a501-3d4fcbf4b15e",
        "value": "4ecd2cf02bdf19cdbc5507e85a32c657",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "GodRAT Shellcode Injector No sample in VT\r\nLast check:23/08/2025 No sample in VT\r\nLast check:29/08/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1756429357",
        "to_ids": true,
        "type": "md5",
        "uuid": "7d9bc67f-e6c2-4920-b83f-c360fe2ecbc9",
        "value": "512778f0de31fcce281d87f00affa4a8",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "GodRAT Shellcode Injector No sample in VT\r\nLast check:23/08/2025 No sample in VT\r\nLast check:29/08/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1756429378",
        "to_ids": true,
        "type": "md5",
        "uuid": "44afe02b-66e5-4155-9ebd-3b0686bf4049",
        "value": "58f54b88f2009864db7e7a5d1610d27d",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Async RAT Injector (n) No sample in VT\r\nLast check:23/08/2025 No sample in VT\r\nLast check:29/08/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1756429398",
        "to_ids": true,
        "type": "md5",
        "uuid": "1a145e6e-9816-4586-8e94-95e141da72fc",
        "value": "605f25606bb925d61ccc47f0150db674",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "GodRAT FileManager Plugin(n) No sample in VT\r\nLast check:23/08/2025 No sample in VT\r\nLast check:29/08/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1756429419",
        "to_ids": true,
        "type": "md5",
        "uuid": "0f092dc2-c17f-4063-8577-4269597ee808",
        "value": "64dfcdd8f511f4c71d19f5a58139f2c0",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:23/08/2025 No sample in VT\r\nLast check:29/08/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1756429440",
        "to_ids": true,
        "type": "md5",
        "uuid": "6935af74-66b6-4e95-b7ef-d36e85cc1724",
        "value": "6c12ec3795b082ec8d5e294e6a5d6d01",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "GodRAT Shellcode Injector No sample in VT\r\nLast check:23/08/2025 No sample in VT\r\nLast check:29/08/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1756429461",
        "to_ids": true,
        "type": "md5",
        "uuid": "26c5085f-260a-4547-866c-0772d1f63043",
        "value": "6cad01ca86e8cd5339ff1e8fff4c8558",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "GodRAT No sample in VT\r\nLast check:23/08/2025 No sample in VT\r\nLast check:29/08/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1756429482",
        "to_ids": true,
        "type": "md5",
        "uuid": "d32c8afd-7b5b-4d32-b41a-e9700fc87bb0",
        "value": "8008375eec7550d6d8e0eaf24389cf81",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:23/08/2025 No sample in VT\r\nLast check:29/08/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1756429502",
        "to_ids": true,
        "type": "md5",
        "uuid": "231620dd-75e0-4113-b6cd-b0ee7465437a",
        "value": "a6352b2c4a3e00de9e84295c8d505dad",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "MSEdge Password Stealer No sample in VT\r\nLast check:23/08/2025 No sample in VT\r\nLast check:29/08/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1756429523",
        "to_ids": true,
        "type": "md5",
        "uuid": "f247c83c-c0c2-43ae-97c4-c630e0731d3b",
        "value": "cdd5c08b43238c47087a5d914d61c943",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:23/08/2025 No sample in VT\r\nLast check:29/08/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1756429544",
        "to_ids": true,
        "type": "md5",
        "uuid": "d7f5660b-8162-47ee-9c45-8d2100bf0d2b",
        "value": "cf7100bbb5ceb587f04a1f42939e24ab",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "GodRAT Shellcode Injector No sample in VT\r\nLast check:23/08/2025 No sample in VT\r\nLast check:29/08/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1756429565",
        "to_ids": true,
        "type": "md5",
        "uuid": "3cd24d7f-30be-43f5-9b0a-ef6bb9c8f61e",
        "value": "d09fd377d8566b9d7a5880649a0192b4",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:23/08/2025 No sample in VT\r\nLast check:29/08/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1756429585",
        "to_ids": true,
        "type": "md5",
        "uuid": "bb21f4c3-cb68-4047-887c-58b1955537cd",
        "value": "e055aa2b77890647bdf5878b534fba2c",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "GodRAT Self Extracting Executable No sample in VT\r\nLast check:23/08/2025 No sample in VT\r\nLast check:29/08/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1756429606",
        "to_ids": true,
        "type": "md5",
        "uuid": "bb8a321f-ddc2-45c0-9b4b-89e9c2d53976",
        "value": "e723258b75fee6fbd8095f0a2ae7e53c",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:23/08/2025 No sample in VT\r\nLast check:29/08/2025",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1756429627",
        "to_ids": true,
        "type": "md5",
        "uuid": "d4fc69d0-c483-48a6-873d-94c9a56b3ef4",
        "value": "eb8d53f9276d67afafb393a5b16e7c61",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "GodRAT C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780041208",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "9e58d563-4538-4685-ab50-75f6092ac6a9",
        "value": "118.107.46.174",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#dd0399",
            "local": false,
            "name": "asn:asn=\"152194\"",
            "relationship_type": ""
          },
          {
            "colour": "#8c0628",
            "local": false,
            "name": "asn:as-owner=\"CTGSERVERLIMITED-AS-AP CTG Server Limited\"",
            "relationship_type": ""
          },
          {
            "colour": "#fbf8fb",
            "local": false,
            "name": "asn:as-country=\"HK\"",
            "relationship_type": ""
          },
          {
            "colour": "#daa28c",
            "local": false,
            "name": "misp-galaxy:country=\"hong kong\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "GodRAT C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780041209",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "78176f31-8203-4b32-ba02-7fb79c78091d",
        "value": "118.99.3.33",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#08f1fb",
            "local": false,
            "name": "asn:asn=\"38186\"",
            "relationship_type": ""
          },
          {
            "colour": "#5f718b",
            "local": false,
            "name": "asn:as-owner=\"FTG-AS-AP Forewin Telecom Group Limited, ISP at\"",
            "relationship_type": ""
          },
          {
            "colour": "#fbf8fb",
            "local": false,
            "name": "asn:as-country=\"HK\"",
            "relationship_type": ""
          },
          {
            "colour": "#daa28c",
            "local": false,
            "name": "misp-galaxy:country=\"hong kong\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "AsyncRAT C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780041211",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "04a4f47d-e33a-4539-bc64-e29c32ef1f96",
        "value": "156.241.134.49",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#3d465e",
            "local": false,
            "name": "asn:asn=\"400619\"",
            "relationship_type": ""
          },
          {
            "colour": "#a21a3b",
            "local": false,
            "name": "asn:as-owner=\"AROSS-AS\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "AsyncRAT C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1755914001",
        "to_ids": true,
        "type": "domain",
        "uuid": "28d6a43c-0283-4041-849c-040a625ff858",
        "value": "wuwu6.cfd",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "GodRAT C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780041212",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "1fe9e6a9-3170-42e7-817f-3043bf8caf73",
        "value": "103.237.92.191",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#89180a",
            "local": false,
            "name": "asn:asn=\"55933\"",
            "relationship_type": ""
          },
          {
            "colour": "#8d5bf4",
            "local": false,
            "name": "asn:as-owner=\"CLOUDIE-AS-AP Cloudie Limited\"",
            "relationship_type": ""
          },
          {
            "colour": "#fbf8fb",
            "local": false,
            "name": "asn:as-country=\"HK\"",
            "relationship_type": ""
          },
          {
            "colour": "#daa28c",
            "local": false,
            "name": "misp-galaxy:country=\"hong kong\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "URL containing AsyncRAT C2 address bytes",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1755914045",
        "to_ids": true,
        "type": "url",
        "uuid": "a2886511-71cb-4c9e-963a-7c35ce26eabb",
        "value": "https://holoohg.oss-cn-hongkong.aliyuncs.com/HG.txt",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "AsyncRAT C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780041214",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "d38daa46-48f2-4858-a071-ecc987936441",
        "value": "47.238.124.68",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#836891",
            "local": false,
            "name": "asn:asn=\"45102\"",
            "relationship_type": ""
          },
          {
            "colour": "#692b04",
            "local": false,
            "name": "asn:as-owner=\"ALIBABA-CN-NET Alibaba US Technology Co., Ltd.\"",
            "relationship_type": ""
          },
          {
            "colour": "#9256df",
            "local": false,
            "name": "asn:as-country=\"CN\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"china\"",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1756429085",
        "uuid": "304e4450-199d-4299-a891-f5274eba7034",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "GodRAT source code",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1755914087",
            "to_ids": true,
            "type": "md5",
            "uuid": "2b6a6c9e-1fbc-4494-981d-4cc0abaf8581",
            "value": "04bf56c6491c5a455efea7dbf94145f1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "GodRAT source code",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1755913867",
            "to_ids": true,
            "type": "sha1",
            "uuid": "179459b5-2804-4aca-8f07-928972408805",
            "value": "693ad89e7810f411c828b09a2bb87e41d275f78d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "GodRAT source code",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1755913867",
            "to_ids": true,
            "type": "sha256",
            "uuid": "2d71aae2-3979-411c-92dc-1fb7a51bb7d6",
            "value": "67c713a44186315d7cbfec4745b7dd199d86711f48c5f0778a71871ac3b02624",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1755913073",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "cdacb162-7a7a-404c-a666-f5a20e681d33",
            "value": "393216:nF+hkwRz+hk/v3xrAr3kOePkO8wWY3YaSba4a:FMh5M4OnHYIXar"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1755913073",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "985d562a-49d3-4451-a985-bc7e728945a6",
            "value": "16409426"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1755913073",
            "to_ids": true,
            "type": "filename",
            "uuid": "4ca241e3-bbde-49d1-841e-54140878003c",
            "value": "GodRAT V3.5_______dll.rar"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/08/2025\nLast-scan\t:  22/08/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1755913073",
            "to_ids": false,
            "type": "text",
            "uuid": "f3d2e9de-d756-4c3f-a7ed-d7beef920417",
            "value": "GodRAT source code\r\nType Description: RAR\nMicrosoft: None\nVT Total Detection:44/65\nFirst Submission:2024-07-08T11:17:38.000000+00:00\nLast Submission:2024-07-08T11:17:38.000000+00:00"
          },
          {
            "category": "Other",
            "comment": "Checked: 29/08/2025\nLast-scan\t:  29/08/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1756429085",
            "to_ids": false,
            "type": "text",
            "uuid": "909de542-4824-4082-8f95-1fb926f0b555",
            "value": "Type Description: RAR\nMicrosoft: None\nVT Total Detection:43/65"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1756429085",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "0430ae87-b1db-4bec-abdf-fba19bc1f5ec",
            "value": "393216:nF+hkwRz+hk/v3xrAr3kOePkO8wWY3YaSba4a:FMh5M4OnHYIXar"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1756429085",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "85d44f1e-6147-4979-a60a-04cf90464287",
            "value": "16409426"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1756429085",
            "to_ids": true,
            "type": "filename",
            "uuid": "496c087a-b69a-417d-9389-d7a632893ef6",
            "value": "GodRAT V3.5_______dll.rar"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1756429107",
        "uuid": "60b935fd-ce3f-4445-86b9-d949c52ba76c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1755914109",
            "to_ids": true,
            "type": "md5",
            "uuid": "3dde50bf-34a1-445c-a87c-ce423eaa0f23",
            "value": "160a80a754fd14679e5a7b5fc4aed672",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1755913868",
            "to_ids": true,
            "type": "sha1",
            "uuid": "ed4fab96-caa1-45da-bfaf-da1a019c3c40",
            "value": "1611bd37a9726a2ecff17de499f6f2b2af16a988",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1755913868",
            "to_ids": true,
            "type": "sha256",
            "uuid": "44c329d7-d0af-4ee2-a2c3-bc9b3d0a9482",
            "value": "e26efc253a47bf311abff125f53f860c0cabaa58592b3407de1380a6d3170265",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1755913117",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e8559751-e98f-415a-a8c7-8c9f222016a5",
            "value": "49152:uDr9FtzWK5brAK6qn+0QuKnIqjZuD+CPS1xzMHtFKUKB3KH8e5T:uDrVN+03k0+L1KHQW"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1755913117",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "074f88cd-611e-4747-9e41-43e59e12e748",
            "value": "2888464"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1755913117",
            "to_ids": true,
            "type": "vhash",
            "uuid": "e1b0ef32-dfe1-4003-97f3-6fbe40f3b629",
            "value": "026066655d5d0565614z82z7oz34z1b7z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1755913117",
            "to_ids": true,
            "type": "filename",
            "uuid": "a0f6737d-2097-4a2c-b009-5658975dd5fa",
            "value": "Encrypted.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/08/2025\nLast-scan\t:  23/08/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1755913117",
            "to_ids": false,
            "type": "text",
            "uuid": "8415655e-b77b-45a0-ae4d-d0c56d4151e4",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Leonem!rfn\nVT Total Detection:40/72\nFirst Submission:2025-05-23T10:35:08.000000+00:00\nLast Submission:2025-08-16T10:40:10.000000+00:00"
          },
          {
            "category": "Other",
            "comment": "Checked: 29/08/2025\nLast-scan\t:  29/08/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1756429107",
            "to_ids": false,
            "type": "text",
            "uuid": "725678c6-9c2a-443e-9140-49084a0e512c",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Leonem!rfn\nVT Total Detection:46/72"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1756429107",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "6ef4e3b1-567e-4825-a1b6-6c37b0bfcf0b",
            "value": "49152:uDr9FtzWK5brAK6qn+0QuKnIqjZuD+CPS1xzMHtFKUKB3KH8e5T:uDrVN+03k0+L1KHQW"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1756429107",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "9c2122b0-5be3-4773-97c2-a1f450aa023e",
            "value": "2888464"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1756429107",
            "to_ids": true,
            "type": "vhash",
            "uuid": "bd402ca5-c5c2-4a74-8013-605ed722bb7c",
            "value": "026066655d5d0565614z82z7oz34z1b7z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1756429107",
            "to_ids": true,
            "type": "filename",
            "uuid": "661fd9c4-884f-4a7a-8163-e68cf4075524",
            "value": "Encrypted.exe"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1756429128",
        "uuid": "062f4c95-a32e-4b95-a871-ab6b648160f9",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1755914130",
            "to_ids": true,
            "type": "md5",
            "uuid": "fca62e03-7dee-4cdd-b207-19cb6cd11628",
            "value": "441b35ee7c366d4644dca741f51eb729",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1755913869",
            "to_ids": true,
            "type": "sha1",
            "uuid": "3c4a81f3-da8a-45d8-9a89-99d41b46f1f6",
            "value": "5b4af9d5225352ce78b5009fe05ab7bbc0d9d0b1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1755913869",
            "to_ids": true,
            "type": "sha256",
            "uuid": "76b70840-d862-488f-8ff5-a0cc74cde4a8",
            "value": "da34b4041090eafb852985866dd9fc5c435b5654a4c671a2c7f73be2804e2c22",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1755913225",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "53bf290d-c225-4ef6-ace0-163865df8e98",
            "value": "3072:55vlPRcFK2you7hL/97RZ5vEMa3rNEAYe111MovdNE:nvDc0UubmTPvdK"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1755913225",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "1dd80642-989a-4dcc-b739-1045725d99f9",
            "value": "1215128"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1755913225",
            "to_ids": true,
            "type": "vhash",
            "uuid": "946ccf11-a6f4-44e4-ae3f-bbc972c086a9",
            "value": "016056655d15156az44!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1755913225",
            "to_ids": true,
            "type": "filename",
            "uuid": "844cfe8e-7f2f-435c-8a73-d7f5d67ffeb2",
            "value": "lft27.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/08/2025\nLast-scan\t:  23/08/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1755913225",
            "to_ids": false,
            "type": "text",
            "uuid": "93cd0c39-c3eb-4250-a443-0ed46c3e5dbc",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Znyonm!rfn\nVT Total Detection:47/72\nFirst Submission:2025-08-12T13:31:48.000000+00:00\nLast Submission:2025-08-12T13:31:48.000000+00:00"
          },
          {
            "category": "Other",
            "comment": "Checked: 29/08/2025\nLast-scan\t:  29/08/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1756429128",
            "to_ids": false,
            "type": "text",
            "uuid": "4ec30c5e-a344-45c4-93f6-ef0a0ef1dc73",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Znyonm!rfn\nVT Total Detection:55/72"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1756429128",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d53174c9-9552-4b6e-89b0-152b8f574106",
            "value": "3072:55vlPRcFK2you7hL/97RZ5vEMa3rNEAYe111MovdNE:nvDc0UubmTPvdK"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1756429128",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "825a16ad-c230-49b8-9d1c-4bcdea462af8",
            "value": "1215128"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1756429128",
            "to_ids": true,
            "type": "vhash",
            "uuid": "cdaaa2da-756b-44fd-b96c-3eaef94186e7",
            "value": "016056655d15156az44!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1756429128",
            "to_ids": true,
            "type": "filename",
            "uuid": "37587ee6-859b-427f-9ba7-efe3288f7f72",
            "value": "lft27.exe"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1756429149",
        "uuid": "315355bf-1fc4-47d6-aeba-82393f99320c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "GodRAT Builder",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1755914152",
            "to_ids": true,
            "type": "md5",
            "uuid": "15d919f8-cbd1-4df2-9727-8d20d069f215",
            "value": "5f7087039cb42090003cc9dbb493215e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "GodRAT Builder",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1755913870",
            "to_ids": true,
            "type": "sha1",
            "uuid": "590fa6c2-7138-4cbf-8fb8-b379ee4e7b74",
            "value": "e883873858e12f517efddb62be60094fc7b14f88",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "GodRAT Builder",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1755913870",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b5c8ef0e-3176-47c8-81dc-dcd8faf532db",
            "value": "b673444daf876eeff6aa81bfcd86f68fa7e5c4c48efff183d94edfbb57d93ef5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1755913310",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c421ca2c-29bb-4f03-b239-9418123290b4",
            "value": "49152:VadstS/X7AoBxtqFATiOTUeayjSMUXcDcKTwR/BOzIApvu0bcPYyw/NJYMwS:8n/rA7nUDsRJOzI0LMsN2Mw"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1755913310",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "47bb80dd-5504-475a-83d9-8400997a1616",
            "value": "3719168"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1755913310",
            "to_ids": true,
            "type": "vhash",
            "uuid": "0cef370d-379d-4f78-af74-c0afbaf142d4",
            "value": "0360666666555d7511006030041009b6z11095zb0301b62z101e7z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1755913310",
            "to_ids": true,
            "type": "filename",
            "uuid": "bd6c2b8f-0c3f-4e11-b6ea-d21659bd0da6",
            "value": "GodRAT V3.5.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/08/2025\nLast-scan\t:  22/08/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1755913310",
            "to_ids": false,
            "type": "text",
            "uuid": "52103e02-b2d6-456e-8543-9ed5f2e895fe",
            "value": "GodRAT Builder\r\nType Description: Win32 EXE\nMicrosoft: TrojanDownloader:Win32/Zegost.E!bit\nVT Total Detection:56/72\nFirst Submission:2024-07-08T13:24:19.000000+00:00\nLast Submission:2024-07-08T13:24:19.000000+00:00"
          },
          {
            "category": "Other",
            "comment": "Checked: 29/08/2025\nLast-scan\t:  29/08/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1756429149",
            "to_ids": false,
            "type": "text",
            "uuid": "950ab3e1-a3b3-4313-8c3c-c0dbd7ae5280",
            "value": "Type Description: Win32 EXE\nMicrosoft: TrojanDownloader:Win32/Zegost.E!bit\nVT Total Detection:55/72"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1756429149",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "208c5438-937d-4cf2-9c73-50edf9e9f19b",
            "value": "49152:VadstS/X7AoBxtqFATiOTUeayjSMUXcDcKTwR/BOzIApvu0bcPYyw/NJYMwS:8n/rA7nUDsRJOzI0LMsN2Mw"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1756429149",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "ac0b65d4-f5d6-476d-92b1-13c2786840eb",
            "value": "3719168"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1756429149",
            "to_ids": true,
            "type": "vhash",
            "uuid": "ac21f110-9025-4fb9-91d8-4da2a6c33670",
            "value": "0360666666555d7511006030041009b6z11095zb0301b62z101e7z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1756429149",
            "to_ids": true,
            "type": "filename",
            "uuid": "f48dd64f-3edb-46cd-9791-2a0a1340b201",
            "value": "GodRAT V3.5.exe"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1756429171",
        "uuid": "b516ed57-2e72-4324-a3f1-731c51e59626",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Async RAT Injector",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1755914173",
            "to_ids": true,
            "type": "md5",
            "uuid": "01e300d5-a37b-4409-b8ac-bb0110d20276",
            "value": "961188d6903866496c954f03ecff2a72",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Async RAT Injector",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1755913871",
            "to_ids": true,
            "type": "sha1",
            "uuid": "da71e904-a679-455f-bb56-f997870b4736",
            "value": "484dc5ae5493465b3f90f74b0b0f612f2f8cdbfe",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Async RAT Injector",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1755913871",
            "to_ids": true,
            "type": "sha256",
            "uuid": "00b44ca8-6165-4147-a6ac-9638b8e0e683",
            "value": "ed1dfd2e913e1c53d9f9ab5b418f84e0f401abfdf8e3349e1fcfc98663dcb23f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1755913438",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "6aa4e10e-56b3-4282-8bb6-c7e4fa7b8370",
            "value": "12288:iisBFQtLPcQVGKMO1ReRFNjXvskcfXmaThoXUGrnUHC2gRmWAND9eDB:iJBqhPcQMKM/R7XvfcfXmaThoEGrnUHY"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1755913438",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "87f9d89d-934f-484a-9abd-03c87f2262f0",
            "value": "737216"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1755913438",
            "to_ids": true,
            "type": "vhash",
            "uuid": "e2af0d8e-392a-40b1-b442-3e8e82aaec07",
            "value": "175056555d15156az4e?z3"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1755913438",
            "to_ids": true,
            "type": "filename",
            "uuid": "b1705724-5e99-4129-98d2-d665f1e48d17",
            "value": "_ed1dfd2e913e1c53d9f9ab5b418f84e0f401abfdf8e3349e1fcfc98663dcb23f.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/08/2025\nLast-scan\t:  23/08/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1755913438",
            "to_ids": false,
            "type": "text",
            "uuid": "f1a8b4f7-e801-4ddb-82fd-043aaad86e9f",
            "value": "Async RAT Injector\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Egairtigado!rfn\nVT Total Detection:50/72\nFirst Submission:2024-12-19T08:38:06.000000+00:00\nLast Submission:2025-08-20T14:17:57.000000+00:00"
          },
          {
            "category": "Other",
            "comment": "Checked: 29/08/2025\nLast-scan\t:  29/08/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1756429171",
            "to_ids": false,
            "type": "text",
            "uuid": "9e7b7467-81fa-47cc-a8ff-bd0f8f41610d",
            "value": "Type Description: Win32 DLL\nMicrosoft: Trojan:Win32/Egairtigado!rfn\nVT Total Detection:49/72"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1756429171",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "cc9a57cd-1136-4650-b5e2-aaa16a873568",
            "value": "12288:iisBFQtLPcQVGKMO1ReRFNjXvskcfXmaThoXUGrnUHC2gRmWAND9eDB:iJBqhPcQMKM/R7XvfcfXmaThoEGrnUHY"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1756429171",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a691444b-1ed6-4368-9368-e36584d34d3f",
            "value": "737216"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1756429171",
            "to_ids": true,
            "type": "vhash",
            "uuid": "a459cb6a-e2d6-4c49-96a4-94df02f117b7",
            "value": "175056555d15156az4e?z3"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1756429171",
            "to_ids": true,
            "type": "filename",
            "uuid": "3815f7e2-bb23-4fc6-a28b-23f4ccbd36d1",
            "value": "_ed1dfd2e913e1c53d9f9ab5b418f84e0f401abfdf8e3349e1fcfc98663dcb23f.dll"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1756429192",
        "uuid": "227209ad-1f8e-4e9a-842f-23d1c6765c32",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1755914195",
            "to_ids": true,
            "type": "md5",
            "uuid": "ea839904-45a5-414e-beed-091512b67e31",
            "value": "bb23d0e061a8535f4cb8c6d724839883",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1755913872",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e838ef31-aac7-430a-9c7b-1686367074fa",
            "value": "21a390cd3c56a5277c88f201a67b864e4511ee4b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1755913872",
            "to_ids": true,
            "type": "sha256",
            "uuid": "58771c20-f6ef-41a8-947e-2853ae1e65c8",
            "value": "48d0d162bd408f32f8909d08b8e60a21b49db02380a13d366802d22d4250c4e7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1755913482",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "59b9b5be-4fef-4777-a400-5acc6170f01f",
            "value": "49152:EDrjFtzWK5brAK6qn+0QuKnIqjZuD+CPS1xz7ZGhztFKUKB3KH8e58:EDrfN+03k0+L15uQ1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1755913482",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "adf89c40-0110-40fd-93f5-8cc1115dd1fb",
            "value": "3133608"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1755913482",
            "to_ids": true,
            "type": "vhash",
            "uuid": "7ef05bcd-32e9-40c0-978b-911f9b3a60a5",
            "value": "036066655d5d0565614z82z7oz34z1b7z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1755913482",
            "to_ids": true,
            "type": "filename",
            "uuid": "e79f0983-addc-4161-bc91-17454cb8a37c",
            "value": "Encrypted.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/08/2025\nLast-scan\t:  23/08/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1755913482",
            "to_ids": false,
            "type": "text",
            "uuid": "716ea238-c6fc-4f4a-821a-e7878dd86f95",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/GodRat.C!MTB\nVT Total Detection:49/72\nFirst Submission:2025-05-21T10:23:17.000000+00:00\nLast Submission:2025-08-22T06:33:02.000000+00:00"
          },
          {
            "category": "Other",
            "comment": "Checked: 29/08/2025\nLast-scan\t:  29/08/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1756429192",
            "to_ids": false,
            "type": "text",
            "uuid": "8d2a01ac-10ba-407c-b6bf-dcb224c26b39",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/GodRat.C!MTB\nVT Total Detection:50/72"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1756429192",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "54386264-c29e-4046-9353-3cd9786e906e",
            "value": "49152:EDrjFtzWK5brAK6qn+0QuKnIqjZuD+CPS1xz7ZGhztFKUKB3KH8e58:EDrfN+03k0+L15uQ1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1756429192",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b35a2882-60f2-4eb8-b135-a58afd6a219c",
            "value": "3133608"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1756429192",
            "to_ids": true,
            "type": "vhash",
            "uuid": "c9d92b30-1ce4-482d-a12f-223d56865161",
            "value": "036066655d5d0565614z82z7oz34z1b7z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1756429192",
            "to_ids": true,
            "type": "filename",
            "uuid": "744b5e41-4bb0-4787-a9ff-9a68f06bc7a3",
            "value": "Encrypted.exe"
          }
        ]
      }
    ]
  }
}