{ "Event": { "analysis": "1", "date": "2026-03-18", "extends_uuid": "", "info": "[Threat Intel] Analysis of the Spear-Phishing and KakaoTalk-Linked Threat Campaign", "protected": false, "publish_timestamp": "1775231560", "published": true, "threat_level_id": "2", "timestamp": "1775231560", "uuid": "2f150a41-3825-426b-b9a1-b95725643003", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#705cef", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"", "relationship_type": "" }, { "colour": "#bb2745", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Standard Encoding - T1132.001\"", "relationship_type": "" }, { "colour": "#7da4ad", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"", "relationship_type": "" }, { "colour": "#47d9d3", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"", "relationship_type": "" }, { "colour": "#56c932", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Symmetric Cryptography - T1573.001\"", "relationship_type": "" }, { "colour": "#5539fe", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"", "relationship_type": "" }, { "colour": "#7d7034", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"", "relationship_type": "" }, { "colour": "#68f2ff", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"", "relationship_type": "" }, { "colour": "#a92e1c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"", "relationship_type": "" }, { "colour": "#e00500", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Remote Access Tools - T1219\"", "relationship_type": "" }, { "colour": "#43c8db", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"", "relationship_type": "" }, { "colour": "#adf1b0", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"", "relationship_type": "" }, { "colour": "#0c0051", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"", "relationship_type": "" }, { "colour": "#755c09", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"", "relationship_type": "" }, { "colour": "#b76d96", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"", "relationship_type": "" }, { "colour": "#e08bb2", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"", "relationship_type": "" }, { "colour": "#92e858", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"", "relationship_type": "" }, { "colour": "#e1e63b", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"", "relationship_type": "" }, { "colour": "#4c0fbb", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"", "relationship_type": "" }, { "colour": "#370063", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:threat-actor=\"Opal Sleet\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#130049", "local": false, "name": "rectifyq:sub-category=\"campaign-analysis\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#31373d", "local": false, "name": "rectifyq:MY-relevancy=\"not-relevant\"", "relationship_type": "" }, { "colour": "#f1dfed", "local": false, "name": "rectifyq:TA-category=\"State-Sponsored\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773889223", "to_ids": false, "type": "link", "uuid": "9e54b578-61e3-4141-9ac8-42f86f79cc88", "value": "https://www.genians.co.kr/en/blog/threat_intelligence/kakaotalk", "Tag": [ { "colour": "#6b003a", "local": true, "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1773889223", "to_ids": false, "type": "text", "uuid": "d67b6588-3ed5-420b-98b5-2b45a226081c", "value": "The Konni Group conducted a sophisticated multi-stage attack campaign, initiating with a spear-phishing email disguised as a North Korean human rights lecturer appointment. The attack progressed through execution of a malicious LNK file, installation of remote access malware, and long-term persistence for data theft. A key feature was the unauthorized access to victims' KakaoTalk PC applications, used to distribute additional malicious files to selected contacts. The campaign employed multiple RAT families, including EndRAT, RftRAT, and RemcosRAT, with a distributed C2 infrastructure across Finland, Japan, and the Netherlands. The threat actor's tactics included trust-based propagation, account session abuse, and modular payload deployment, highlighting the need for advanced behavior-based detection and multi-layered defense strategies." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1773889223", "to_ids": false, "type": "text", "uuid": "a1cda94d-cec5-4d1c-b90a-709893eba0c6", "value": "Name: Analysis of the Spear-Phishing and KakaoTalk-Linked Threat Campaign\nAuthor: AlienVault\nAdversary: Konni Group\nTags: [\"spear-phishing\", \"autoit\", \"rat\", \"rftrat\", \"north korea lure\", \"persistence\", \"remcosrat\", \"endrat\", \"kakaotalk\"]\nTgtd countries: []\nMlwr families: [\"EndRAT\", \"RftRAT\", \"RemcosRAT\"]\nAttack_ids: [\"T1053.005\", \"T1132.001\", \"T1036.005\", \"T1204.002\", \"T1573.001\", \"T1566.001\", \"T1082\", \"T1005\", \"T1140\", \"T1219\", \"T1055\", \"T1090\", \"T1083\", \"T1059.001\", \"T1547.001\", \"T1027\", \"T1071.001\", \"T1574.002\", \"T1105\", \"T1021.001\"]\nIndustries: []" }, { "category": "Attribution", "comment": "Adversary", "deleted": false, "disable_correlation": false, "timestamp": "1773889223", "to_ids": false, "type": "threat-actor", "uuid": "3b9e45fd-fbd1-4553-bd67-e21e5da8700a", "value": "Konni Group" }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:03/04/2026", "deleted": false, "disable_correlation": false, "timestamp": "1775227047", "to_ids": true, "type": "md5", "uuid": "4ca92376-4687-4d6d-beeb-ca88eabfcf18", "value": "01022facb38cf60b052e65a682f4a127", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:03/04/2026", "deleted": false, "disable_correlation": false, "timestamp": "1775227048", "to_ids": true, "type": "md5", "uuid": "60850483-140a-47b9-893a-5a5d4e4324bb", "value": "148405ff05bf15a6a053e4e7c1795d40", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:03/04/2026", "deleted": false, "disable_correlation": false, "timestamp": "1775227049", "to_ids": true, "type": "md5", "uuid": "a8dafc13-2311-4221-b16c-62da4b6f5bb8", "value": "2e1b0ac49313873a0e0b982c591a5264", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:03/04/2026", "deleted": false, "disable_correlation": false, "timestamp": "1775227050", "to_ids": true, "type": "md5", "uuid": "23f6517d-9eef-4595-8036-b095f8678dab", "value": "7dc50e8af0070e544bff5299405cd3b9", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775228504", "to_ids": true, "type": "ip-dst", "uuid": "4d2f5faf-9a9a-4518-bd39-69e1fff39d8c", "value": "178.16.54.208", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775228525", "to_ids": true, "type": "domain", "uuid": "e2556f25-f5e9-426b-a618-d9fab34f57be", "value": "drfeysal.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775228546", "to_ids": true, "type": "ip-dst", "uuid": "63b84320-299d-4ba3-8d2a-1f4fbfb9f76b", "value": "185.21.14.249", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775228567", "to_ids": true, "type": "ip-dst", "uuid": "1a103f00-85d9-4a15-b1fa-f5bb46e6401b", "value": "157.180.88.26", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775228589", "to_ids": true, "type": "ip-dst", "uuid": "404082ee-158a-4166-ab55-96897cd808d8", "value": "96.62.214.5", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1775228610", "uuid": "957773ea-9506-46bb-b647-4dcb23add0f1", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1775228610", "to_ids": true, "type": "md5", "uuid": "68d05899-9525-44c1-aa1c-bd7f47359333", "value": "3288c284561055044c489567fd630ac2", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1775227043", "to_ids": true, "type": "sha1", "uuid": "908570d8-e80d-40da-ba06-5a66cefead46", "value": "11ffeabbe42159e1365aa82463d8690c845ce7b7", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1775227043", "to_ids": true, "type": "sha256", "uuid": "895e629c-4928-4ce2-b989-ae090088ab8d", "value": "ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1775226030", "to_ids": true, "type": "ssdeep", "uuid": "07749fc0-8c42-425d-ac2f-06653ab113f7", "value": "24576:prKxoVT2iXc+IZ++6WiaTAsN/3ebTvK+63CWH8iA/iD2hgPjcC8SVdKumYr7:EHZ5pdqYH8ia6GcKuR7" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1775226030", "to_ids": false, "type": "size-in-bytes", "uuid": "328c5cd0-0d87-4789-89bb-46a09ef75c03", "value": "1460224" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1775226030", "to_ids": true, "type": "vhash", "uuid": "6ba86f6c-dd02-4304-83d6-d15826ba216d", "value": "016096665d1c0d5c05156038z329z3bz31z4bz" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1775226030", "to_ids": true, "type": "filename", "uuid": "833ac377-82e5-4fdc-b0ff-02c7aa9d510e", "value": "RDPWInst.exe" }, { "category": "Other", "comment": "Checked: 03/04/2026\nLast-scan\t: 03/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1775226030", "to_ids": false, "type": "text", "uuid": "47b3beb0-8a9d-4f87-a870-73d00a414c34", "value": "Type Description: Win32 EXE\nMicrosoft: PUA:Win32/RDPWrap\nVT Total Detection:45/71\nFirst Submission:2017-12-27T22:00:39.000000+00:00\nLast Submission:2026-04-03T07:13:23.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1775228631", "uuid": "854b2d0b-8cd0-404f-a361-8fa107854404", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1775228631", "to_ids": true, "type": "md5", "uuid": "c813bc79-ce9e-4051-bc11-1c013b65f313", "value": "461ade40b800ae80a40985594e1ac236", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1775227045", "to_ids": true, "type": "sha1", "uuid": "2485e80d-5f3b-438b-8e91-958464e49b2c", "value": "b3892eef846c044a2b0785d54a432b3e93a968c8", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1775227045", "to_ids": true, "type": "sha256", "uuid": "e9d20c40-6b7d-4293-83ea-c2382a602b95", "value": "798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1775226052", "to_ids": true, "type": "ssdeep", "uuid": "2920fed2-20ec-4b11-95d0-fe57e7c08567", "value": "3072:m3zxbyHM+TstVfFyov7je9LBMMmMJDOvYYVs:oMjTiVw2ve9LBMMpJsT" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1775226052", "to_ids": false, "type": "size-in-bytes", "uuid": "045a48eb-cca8-42de-8da6-7b23930aeb7d", "value": "116736" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1775226052", "to_ids": true, "type": "vhash", "uuid": "36a5a205-23c8-41aa-826b-648b614b6f05", "value": "115066651d1555155az4fnz1ez2" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1775226052", "to_ids": true, "type": "filename", "uuid": "fafad9b8-76ba-4c2e-98b2-ef4b322650b4", "value": "rdpwrap.dll" }, { "category": "Other", "comment": "Checked: 03/04/2026\nLast-scan\t: 28/03/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1775226052", "to_ids": false, "type": "text", "uuid": "79819d33-231f-48c0-b773-c5b9960dff16", "value": "Type Description: Win32 DLL\nMicrosoft: PUA:Win32/RDPWrap\nVT Total Detection:38/71\nFirst Submission:2014-12-11T21:14:35.000000+00:00\nLast Submission:2026-04-03T08:16:44.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1775228653", "uuid": "83a37415-153b-4f8f-95af-72463e1a0767", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1775228653", "to_ids": true, "type": "md5", "uuid": "9dc8441e-66cb-494c-8bc9-957cda4dabe5", "value": "61f65bd593ea0e52ac0dfdc6bc9cd73a", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1775227046", "to_ids": true, "type": "sha1", "uuid": "7e6569b0-3d26-49be-a0f6-bb28bf11ff25", "value": "e5adeecfb03cc7d26de2f11746d3aef6b1fd4830", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1775227046", "to_ids": true, "type": "sha256", "uuid": "5a481bce-ad76-4f5e-8655-50a6daa68f8d", "value": "aa51573f9abcd4a1ec4a61ee7e5811c0279e015ea22bdb787780d67ce7153a57", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1775226073", "to_ids": true, "type": "ssdeep", "uuid": "0ab3e1a9-c816-4822-898c-a0dc53f78e89", "value": "24576:PUotovoXGo9zmmtVjRXEhMWgh5RfSqR8kkR2J9IWB7IyLS5LNYwihU:lmo2ixH++Wg51SqGkkR2bWyW5pY/h" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1775226073", "to_ids": false, "type": "size-in-bytes", "uuid": "3bbcf2d7-1fac-4120-94bd-9e3d98a32c37", "value": "1172992" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1775226073", "to_ids": true, "type": "vhash", "uuid": "83445b93-8dd6-4118-a192-947b1d545360", "value": "016066050d0f0f751bz17z17z13z1fz" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1775226073", "to_ids": true, "type": "filename", "uuid": "751488d3-7a38-400a-920c-817b372ad080", "value": "aa51573f9abcd4a1ec4a61ee7e5811c0279e015ea22bdb787780d67ce7153a57.exe" }, { "category": "Other", "comment": "Checked: 03/04/2026\nLast-scan\t: 01/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1775226073", "to_ids": false, "type": "text", "uuid": "eb14832d-1263-439c-a0c9-e597eacf6dc5", "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Casdet!rfn\nVT Total Detection:55/71\nFirst Submission:2026-03-02T08:00:17.000000+00:00\nLast Submission:2026-03-17T12:35:59.000000+00:00" } ] } ] } }