{
  "Event": {
    "analysis": "1",
    "date": "2026-04-01",
    "extends_uuid": "",
    "info": "[Threat Intel] A laughing RAT: CrystalX combines spyware; stealer; and prankware features",
    "protected": false,
    "publish_timestamp": "1775970084",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1775970084",
    "uuid": "3600d053-2339-4ab9-b4b6-bfb259285a64",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"Kaspersky\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#fdcb58",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"somewhat-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#72ee33",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Debugger Evasion - T1622\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775041210",
        "to_ids": false,
        "type": "link",
        "uuid": "f1cda6ca-562a-4e1c-8c20-215f11a20863",
        "value": "https://securelist.com/crystalx-rat-with-prankware-features/119283/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775041210",
        "to_ids": false,
        "type": "text",
        "uuid": "73bf3f7d-880f-45c4-ad35-02040a68b46a",
        "value": "In March\u202f2026, a new active MaaS campaign was discovered promoting previously unknown malware in private Telegram chats. The Trojan features an extensive arsenal of capabilities. On the panel provided to third\u2011party actors, in addition to the standard features of RAT\u2011like malware, a stealer, keylogger, clipper, and spyware are also available."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775041210",
        "to_ids": false,
        "type": "text",
        "uuid": "c9e837a8-5229-4070-8f5e-2d15542f090a",
        "value": "Name: A laughing RAT: CrystalX combines spyware; stealer; and prankware features\nAuthor: AlienVault\nAdversary: \nTags: [\"malware-as-a-service\", \"crystalx\", \"rat\", \"maas\"]\nTgtd countries: []\nMlwr families: [\"CrystalX\"]\nAttack_ids: []\nIndustries: []"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:12/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775964134",
        "to_ids": true,
        "type": "md5",
        "uuid": "39b8df56-3846-435e-9220-4c5c3d5b55d8",
        "value": "2dbe6de177241c144d06355c381b868c",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775965100",
        "to_ids": true,
        "type": "domain",
        "uuid": "bab4e797-a053-41c6-9cbf-255bc31278ab",
        "value": "crystalxrat.top",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775965122",
        "to_ids": true,
        "type": "domain",
        "uuid": "34274a78-7efb-45e7-b48d-5b5fef604dd2",
        "value": "webcrystal.lol",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775965143",
        "to_ids": true,
        "type": "domain",
        "uuid": "1b67672d-195b-438e-9b6f-ea0f10659b9d",
        "value": "webcrystal.sbs",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775965164",
        "uuid": "55ef8ba4-fd24-4e2b-ae11-e2e99382e24d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775965164",
            "to_ids": true,
            "type": "md5",
            "uuid": "d56f1abe-7c6a-4030-9d7c-1a69593e3afe",
            "value": "1a68ae614fb2d8875cb0573e6a721b46",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775964129",
            "to_ids": true,
            "type": "sha1",
            "uuid": "6acacc54-8f8b-49bc-8938-17ad739d8b67",
            "value": "c67344e14af1560bf820375d144ea4ea7a21333b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775964129",
            "to_ids": true,
            "type": "sha256",
            "uuid": "9b0804f3-d5fe-48a9-a2e2-504ba1d263fc",
            "value": "912fcd1ba138a8af6ada02a5d62a5a918ff06d4618c041dbf075a60ea37d4d09",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775963009",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "74082756-0bee-42b5-a0ad-a00765348dea",
            "value": "49152:VcHeoH9Ptt5mG+IDbuUtlylOgU41pZVTnBJNXbPiM5onZYi9QJAj6f9fX921wJb0:VNSNeAEPNrPi7URKW0E"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775963009",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "8c8547ed-531a-4c6b-816a-31c8293d19a8",
            "value": "8893952"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775963009",
            "to_ids": true,
            "type": "vhash",
            "uuid": "fcd03b26-71e7-4d0b-9904-d0c85e3afb9b",
            "value": "086036675d5\"z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775963009",
            "to_ids": true,
            "type": "filename",
            "uuid": "dd6e57f7-2d93-4251-8806-04ffe0221e4e",
            "value": "912fcd1ba138a8af6ada02a5d62a5a918ff06d4618c041dbf075a60ea37d4d09.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/04/2026\nLast-scan\t:  11/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775963009",
            "to_ids": false,
            "type": "text",
            "uuid": "7681c02f-3234-4092-8204-ba806ec606bb",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Egairtigado!rfn\nVT Total Detection:45/72\nFirst Submission:2026-03-15T17:14:58.000000+00:00\nLast Submission:2026-04-03T09:27:54.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775965185",
        "uuid": "026daec7-e01f-4315-9e49-8848d1a24f19",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775965185",
            "to_ids": true,
            "type": "md5",
            "uuid": "507f8328-acff-4c39-ad31-7c8d5dcb4ebc",
            "value": "47accb0ecfe8ccd466752dde1864f3b0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775964130",
            "to_ids": true,
            "type": "sha1",
            "uuid": "d74d8403-830c-48c7-a94b-1d96e5de7f13",
            "value": "c922a2e4b0cf9d4795b66d99771517b58485450a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775964130",
            "to_ids": true,
            "type": "sha256",
            "uuid": "abf310bd-f318-4952-a816-1fc72471507f",
            "value": "e08610b28e637679feaf243622adf3386a04bd24c915fe64c908d4d68b9fd203",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775963052",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "96fabe6e-7245-4ad0-a973-1f26f39873cc",
            "value": "98304:mEhSq16VR84rwKsYds6frF9jY+AwGiEEBI:moS6MZrOYdssx9jjbBI"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775963052",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "dba78c2c-5785-4690-94bf-a40b0efe1a85",
            "value": "9201092"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775963052",
            "to_ids": true,
            "type": "vhash",
            "uuid": "0a129b9c-b768-4572-bc73-7ee6c7cc0374",
            "value": "096096656d55551d15541az2e!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775963052",
            "to_ids": true,
            "type": "filename",
            "uuid": "4f437c55-ed7a-42d2-9711-dbc33cafba42",
            "value": "e08610b28e637679feaf243622adf3386a04bd24c915fe64c908d4d68b9fd203.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/04/2026\nLast-scan\t:  10/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775963052",
            "to_ids": false,
            "type": "text",
            "uuid": "1243c1e2-e01a-4afa-b137-53025c0c26a7",
            "value": "Type Description: Win32 EXE\nMicrosoft: PWS:Win64/CrystalX.C!MTB\nVT Total Detection:44/72\nFirst Submission:2026-03-01T21:49:02.000000+00:00\nLast Submission:2026-04-03T10:34:38.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775965207",
        "uuid": "e098189f-2bdf-470b-a8a5-54138c15c6b6",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775965207",
            "to_ids": true,
            "type": "md5",
            "uuid": "e70c3df6-0300-42e4-9124-c4291a9254c4",
            "value": "49c74b302bfa32e45b7c1c5780dd0976",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775964130",
            "to_ids": true,
            "type": "sha1",
            "uuid": "2a16cc65-5de1-42b6-96e7-a7b13f93e3dd",
            "value": "0ac40a9e4bb3a1a26208855297da0110b2bb5f30",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775964131",
            "to_ids": true,
            "type": "sha256",
            "uuid": "46b673b1-3e0e-4f49-91fa-20b94d43fd29",
            "value": "33d2ede41373ccb57c46aa7f608f7b8610cff511500eaa80c24427a1de11bcb0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775963073",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "ed026ddb-00d7-40b9-bfff-9be8211bf67e",
            "value": "49152:ZldVWSEAhsJGThsgl+wJpYqIajNPXcisBm/cSo:ZldV/EAssTWCJECNXcisBcFo"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775963073",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4160bac1-6d30-44d4-bc2f-e24d5fb3f1c2",
            "value": "1915904"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775963073",
            "to_ids": true,
            "type": "vhash",
            "uuid": "981a8822-41b6-485c-af05-e0a680ecc383",
            "value": "01603e0f7d1bz4!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775963073",
            "to_ids": true,
            "type": "filename",
            "uuid": "0bfaf53a-845b-4fab-8a1d-7512e8238963",
            "value": "33d2ede41373ccb57c46aa7f608f7b8610cff511500eaa80c24427a1de11bcb0.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/04/2026\nLast-scan\t:  10/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775963073",
            "to_ids": false,
            "type": "text",
            "uuid": "a8bec730-2500-4d4d-a6e8-92948601e2a5",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:46/72\nFirst Submission:2026-01-02T23:37:42.000000+00:00\nLast Submission:2026-04-03T09:17:26.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775965228",
        "uuid": "0ab63271-2c9c-454f-97f3-c8292267c709",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775965228",
            "to_ids": true,
            "type": "md5",
            "uuid": "f6cd3eba-f877-4d28-bd6e-d070cc2422e8",
            "value": "88c60df2a1414cbf24430a74ae9836e0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775964131",
            "to_ids": true,
            "type": "sha1",
            "uuid": "d7998f7d-8ce7-46af-9a14-415f62dac6c9",
            "value": "0c79011beaa07e60f956ff8df95be4b503662c8e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775964131",
            "to_ids": true,
            "type": "sha256",
            "uuid": "0e60ecb1-2890-4fe6-9dfa-98e68a63e334",
            "value": "4049b11974d4b950885ae93bc9af3c9352b70a064b373fab60f4c99542f71b20",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775963095",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a510f953-33c2-44f2-bc1a-d3da11ff6d43",
            "value": "49152:QtAttpS/T58Hn+sFzsinMYBB8fyRNOnFiSxi0mlOPDL94jLef9fX921wJbBguofo:QmIeD7OFiaYNsxE8"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775963095",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "9a284f61-3e36-4257-8e34-20a383f5ccbe",
            "value": "8459776"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775963095",
            "to_ids": true,
            "type": "vhash",
            "uuid": "932667ac-8fca-442e-8da7-8fed4bbcfc96",
            "value": "086096656d55551d15541az2e!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775963095",
            "to_ids": true,
            "type": "filename",
            "uuid": "31407873-6248-4158-8642-5c2bcdd95811",
            "value": "4049b11974d4b950885ae93bc9af3c9352b70a064b373fab60f4c99542f71b20.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/04/2026 (DD/MM/YYYY)\nLast-scan: 11/04/2026 (DD/MM/YYYY)",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775963095",
            "to_ids": false,
            "type": "text",
            "uuid": "efca9094-f019-493e-9c60-580f757dc321",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Ravartar!rfn\nVT Total Detection:48/72\nFirst Submission:2026-03-19T11:06:55.000000+00:00\nLast Submission:2026-04-03T05:09:19.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775965249",
        "uuid": "99c6f7b0-adfe-4b0c-8711-833375337d1d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775965249",
            "to_ids": true,
            "type": "md5",
            "uuid": "b3ad4233-b441-4db7-ab32-ae845d3fdbcb",
            "value": "e540e9797e3b814bfe0a82155dfe135d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775964133",
            "to_ids": true,
            "type": "sha1",
            "uuid": "16a8c381-31bd-447c-aacf-881e2c31dab4",
            "value": "d823e0895acd88ad00ce46ff40ccac6b12bf35d0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775964133",
            "to_ids": true,
            "type": "sha256",
            "uuid": "edd23c8c-22df-49cb-8829-32df44e863cd",
            "value": "3b85ecfe621924eba4d16d5993b2beece2a07fbedc7ef15850bcfdd44c4f39f9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775963117",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d98d5e42-865e-4edf-ba45-993ce26b3ffe",
            "value": "49152:Q91mhz7QC8zeUDQBzTt3erZKEp3X26L9LrVWHuJvlCFvnxwy99Ahvbmjef9fX92k:QMZWTprYuFlaAhf9FVuFSEQ5"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775963117",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "1342473b-3812-4d8e-89df-378d0f7410bd",
            "value": "8888832"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775963117",
            "to_ids": true,
            "type": "vhash",
            "uuid": "419bb1ca-e106-445e-a14a-3a5e1a632e0f",
            "value": "086036675d5\"z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775963117",
            "to_ids": true,
            "type": "filename",
            "uuid": "b0fe1038-f76b-4a00-b18e-7196125b57a6",
            "value": "3b85ecfe621924eba4d16d5993b2beece2a07fbedc7ef15850bcfdd44c4f39f9.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/04/2026 (DD/MM/YYYY)\nLast-scan: 11/04/2026 (DD/MM/YYYY)",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775963117",
            "to_ids": false,
            "type": "text",
            "uuid": "9e4051cd-7caa-4193-917e-3051bb6e5d6a",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Ravartar!rfn\nVT Total Detection:44/72\nFirst Submission:2026-03-15T18:24:31.000000+00:00\nLast Submission:2026-04-03T09:23:13.000000+00:00"
          }
        ]
      }
    ]
  }
}