{
  "Event": {
    "analysis": "1",
    "date": "2026-03-18",
    "extends_uuid": "",
    "info": "[Threat Intel] Beast Ransomware Toolkit: A Proactive Threat Intelligence Report",
    "protected": false,
    "publish_timestamp": "1775231580",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1775231580",
    "uuid": "4afc975e-e4ce-47b4-8a41-126cf0b0adeb",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#e57031",
        "local": false,
        "name": "misp-galaxy:producer=\"Team Cymru\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#f28fb8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"OS Credential Dumping - T1003\"",
        "relationship_type": ""
      },
      {
        "colour": "#aad818",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"SSH - T1021.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Network Share Discovery - T1135\"",
        "relationship_type": ""
      },
      {
        "colour": "#682cad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Services - T1021\"",
        "relationship_type": ""
      },
      {
        "colour": "#866c0c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Active Scanning - T1595\"",
        "relationship_type": ""
      },
      {
        "colour": "#b24806",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Indicator Removal - T1070\"",
        "relationship_type": ""
      },
      {
        "colour": "#59699c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
        "relationship_type": ""
      },
      {
        "colour": "#36d931",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\"",
        "relationship_type": ""
      },
      {
        "colour": "#b596f0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Lateral Tool Transfer - T1570\"",
        "relationship_type": ""
      },
      {
        "colour": "#50bd28",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Network Service Discovery - T1046\"",
        "relationship_type": ""
      },
      {
        "colour": "#370063",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#297c25",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Inhibit System Recovery - T1490\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:ransomware=\"beast\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#10003d",
        "local": false,
        "name": "rectifyq:sub-category=\"TA-profile\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"Ransomware\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:online-service=\"4605654f-8487-4d17-bfbb-bbcc223281d5\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"LaZagne\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"MimiKatz\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774004410",
        "to_ids": false,
        "type": "link",
        "uuid": "518e4411-cc6f-4cb2-a268-9daa7a5c7478",
        "value": "https://www.team-cymru.com/post/beast-ransomware-server-toolkit-analysis"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774004410",
        "to_ids": false,
        "type": "text",
        "uuid": "6975b9ef-3fce-4b65-aeb8-6f01c263c2a5",
        "value": "This analysis delves into the Beast ransomware, a Ransomware-as-a-Service (RaaS) that emerged in June 2024 as a successor to Monster ransomware. The investigation focuses on a Beast ransomware server detected in March 2026, revealing the operators' toolkit and attack methodology. The toolkit includes various tools for reconnaissance, network mapping, credential theft, persistence, lateral movement, exfiltration, and impact. Notable findings include the presence of both Windows and Linux versions of Beast ransomware, indicating targeting of workstations and Linux servers on VMware ESXi hypervisors. The report highlights the importance of proactive collection of internet telemetry in identifying ransomware operators' toolkits before they can be used against targets."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774004410",
        "to_ids": false,
        "type": "text",
        "uuid": "dbe16ea5-699c-4ab4-9e06-95af9d765938",
        "value": "Name: Beast Ransomware Toolkit: A Proactive Threat Intelligence Report\nAuthor: AlienVault\nAdversary: Beast\nTags: [\"monster\", \"toolkit\", \"beast\", \"raas\", \"encryption\", \"exfiltration\", \"ransomware\", \"lateral-movement\", \"reconnaissance\"]\nTgtd countries: []\nMlwr families: [\"Beast\", \"Monster\"]\nAttack_ids: [\"T1003\", \"T1021.004\", \"T1135\", \"T1021\", \"T1595\", \"T1070\", \"T1078\", \"T1486\", \"T1570\", \"T1046\", \"T1021.001\", \"T1490\"]\nIndustries: []"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774004410",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "7dbbac33-9727-4473-bd5c-c7ccf0d4247e",
        "value": "Beast"
      },
      {
        "category": "Network activity",
        "comment": "Beast Ransomware Open Directory",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775230624",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "3f1da07f-5da0-49cd-86d2-7b482fad52d1",
        "value": "5.78.84.144",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775230645",
        "uuid": "0b619238-2635-4ee7-b310-bc3dd2d15e23",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-title:Can't access file\nIOC-description:MD5 of 479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775230645",
            "to_ids": true,
            "type": "md5",
            "uuid": "b6ebde76-f5fe-45e0-808f-b3fa0bb9b675",
            "value": "059ac4569026c1b74e541d98b6240574",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:Can't access file\nIOC-description:MD5 of 479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775227088",
            "to_ids": true,
            "type": "sha1",
            "uuid": "2866af14-b517-4e0f-8fe5-cacc4b71ae74",
            "value": "2a9c036ed1f2a86bec63ead2f2d2e6412faf6ada",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-title:Can't access file\nIOC-description:MD5 of 479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775227088",
            "to_ids": true,
            "type": "sha256",
            "uuid": "dedbb194-a66a-43ac-ad40-6824262d9140",
            "value": "479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775226621",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "3a0801c9-866f-400f-a62f-897d21c84dec",
            "value": "1536:+eDgKdeWMHH5t1fzDhx6uEY5mZJtBtVa3hb7mS:rDHsHZt1LDeUyLVaE"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775226621",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "bc6ca2c5-60e4-4c48-abae-4bdfd9a2be02",
            "value": "82944"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775226621",
            "to_ids": true,
            "type": "vhash",
            "uuid": "7abe917a-717b-431f-9c7d-7bc99ab555ff",
            "value": "0840466d755561b01011z20052z23z6025z905001e1z400127z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775226621",
            "to_ids": true,
            "type": "filename",
            "uuid": "b2224a9e-a525-4805-93f7-cfaae2e51997",
            "value": "beast_ransom.bin"
          },
          {
            "category": "Other",
            "comment": "Checked: 03/04/2026\nLast-scan\t:  26/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775226621",
            "to_ids": false,
            "type": "text",
            "uuid": "6fba268a-3c4b-4e92-94b0-78889b892a0f",
            "value": "IOC-title:Can't access file\nIOC-description:MD5 of 479d0947816467d562bf6d24b295bf50512176a2d3d955b8f4d932aea2378227\r\nType Description: Win32 EXE\nMicrosoft: Ransom:Win32/Beast.YAA!MTB\nVT Total Detection:63/72\nFirst Submission:2024-07-09T03:06:24.000000+00:00\nLast Submission:2025-11-06T04:32:16.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775230667",
        "uuid": "e42fb764-cbe9-4d3a-91f6-62e95887522d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775230667",
            "to_ids": true,
            "type": "md5",
            "uuid": "3a354c83-7020-43df-926d-aea63bcde53d",
            "value": "2d0e615505f20d45fb00cea4fc2f7216",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775227090",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e4497245-ed6a-4bcf-a53b-4fbc53073cc9",
            "value": "e3c2f3aa7763e87be2bf4b0f55c0764aa7ce3d37",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775227090",
            "to_ids": true,
            "type": "sha256",
            "uuid": "c074ca86-fc14-4afb-827f-8ae06ab6f53c",
            "value": "2ce62601491549ab91c9517e0accf3286ed29976f6ec359d31ddc060a8d99eb3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775226643",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "8177acd6-20cb-41a8-b4a5-9780c5ba43a6",
            "value": "3072:vufqM7tExy3nGt1yc0bwEIrn/eWhlLjuaR6:mfG/yc0bM/eWvLCaR6"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775226643",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "6f8334d2-2c1e-4472-8611-f3ea8096f8e4",
            "value": "106496"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775226643",
            "to_ids": true,
            "type": "vhash",
            "uuid": "20816b47-daee-4f8b-afab-f1333a39bce5",
            "value": "0150466d755561b01011z20052z23z6025z905001e1z400127z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775226643",
            "to_ids": true,
            "type": "filename",
            "uuid": "b7352e48-8e39-4665-ba6b-a3f6832f028d",
            "value": "encrypter-windows-gui-x86.exe.bin"
          },
          {
            "category": "Other",
            "comment": "Checked: 03/04/2026\nLast-scan\t:  01/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775226643",
            "to_ids": false,
            "type": "text",
            "uuid": "8eeb6255-11b9-44d8-98c6-3ea285192a1f",
            "value": "Type Description: Win32 EXE\nMicrosoft: Ransom:Win32/Beast.F\nVT Total Detection:60/71\nFirst Submission:2024-10-28T07:00:36.000000+00:00\nLast Submission:2024-10-28T12:22:32.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775230689",
        "uuid": "f2870c77-3890-430b-be05-e8982b8e560d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775230689",
            "to_ids": true,
            "type": "md5",
            "uuid": "d8734da8-6c70-40a8-bcb5-0dfba05a89b8",
            "value": "f1ade7769b7fdc2401798106ec7a9180",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775227090",
            "to_ids": true,
            "type": "sha1",
            "uuid": "24f67d39-aef9-47f0-8a13-7adce72b19d8",
            "value": "61bd89ed258c4ed8901c6f02e18743607b52247e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775227091",
            "to_ids": true,
            "type": "sha256",
            "uuid": "baf33072-479b-4da5-b637-958d932ec848",
            "value": "5bd8f9cbd108abc53fb1c44b8d10239a2a0a9dd20c698fd2fb5dc1938ae7ba96",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775226664",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "fdf9b67d-d391-4490-9545-83e0bcbcbf79",
            "value": "24576:UPntpHzhp8e0j+nAZRN7UNFDAp8vj/iXcSDvKP/BEXYWXE:UrHzhp8nSRV6tDvKP/BEIWXE"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775226664",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "183a9d95-c00e-4735-ba02-5c628830dced",
            "value": "1181184"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775226664",
            "to_ids": true,
            "type": "vhash",
            "uuid": "3f5f1e24-6df6-476d-9e27-63e5e60b24f8",
            "value": "016046656d656290101070200841z23z6025z9050022z400157z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775226664",
            "to_ids": true,
            "type": "filename",
            "uuid": "a48867ef-fa06-4ffb-9c9c-6dbac90de0d3",
            "value": "shapteam.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 03/04/2026\nLast-scan\t:  01/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775226664",
            "to_ids": false,
            "type": "text",
            "uuid": "a9f6adfb-c694-4a30-8083-57a1225e89d5",
            "value": "Type Description: Win32 EXE\nMicrosoft: Ransom:Win32/Beast.YAP!MTB\nVT Total Detection:56/71\nFirst Submission:2025-03-04T16:45:18.000000+00:00\nLast Submission:2025-03-04T16:45:18.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775230710",
        "uuid": "1337f23f-8caf-4bab-8072-24693d5cfd2d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775230710",
            "to_ids": true,
            "type": "md5",
            "uuid": "ae3e70a8-f2d7-4107-951c-31584c0ad3a6",
            "value": "2eb4c4496ce075d5885d74d9273d43b9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775227091",
            "to_ids": true,
            "type": "sha1",
            "uuid": "690ce7bb-0b0d-4e9f-87d8-ed1ab584e96f",
            "value": "5e11fdb2d0e0a646ef8a1b29b648eef2c5b554a2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775227091",
            "to_ids": true,
            "type": "sha256",
            "uuid": "2e96ccc8-ea72-45ed-b2c4-e71cd0540c9e",
            "value": "6718cb66521a678274e5672285bf208eac375827d622edcf1fe7eba7e7aa65e0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775226686",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "9d5bf32d-4643-470c-a1db-3d7244a33602",
            "value": "1536:+eDgKdeWMHH5t1fzDhxHZyHfiEwi+61qtBtVa3hb7mS:rDHsHZt1LDt8frcLVaE"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775226686",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4f45c92b-7683-4dbd-b7f5-f2f193168933",
            "value": "82944"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775226686",
            "to_ids": true,
            "type": "vhash",
            "uuid": "147978ca-28b1-4291-9679-e4e1996a4f17",
            "value": "0840466d755561b01011z20052z23z6025z905001e1z400127z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775226686",
            "to_ids": true,
            "type": "filename",
            "uuid": "b0eae820-c5ea-487c-9f39-2f47c77a7d82",
            "value": "encrypter-windows-x86.bin"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-04-03\nLast-scan: 2026-04-01",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775226686",
            "to_ids": false,
            "type": "text",
            "uuid": "ed710287-33b8-4627-9ddc-86845fee0370",
            "value": "Type Description: Win32 EXE\nMicrosoft: Ransom:Win32/Beast.YAA!MTB\nVT Total Detection:59/71\nFirst Submission:2024-07-21T08:57:02.000000+00:00\nLast Submission:2024-07-21T08:57:02.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775230731",
        "uuid": "1287e68c-3b1b-483a-9c08-ecf2fa76f017",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775230731",
            "to_ids": true,
            "type": "md5",
            "uuid": "daa11e60-2294-450d-87f3-561bc341df9a",
            "value": "adbba4b9efa21ae70ee67e419cc6f429",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775227092",
            "to_ids": true,
            "type": "sha1",
            "uuid": "4e6e24b8-3460-4e2c-bd67-921b8825edac",
            "value": "4097c78e93f0ce57494ea4a9e2441c0088f0d441",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775227092",
            "to_ids": true,
            "type": "sha256",
            "uuid": "72040b74-ebd1-4e53-8514-00b11368de0f",
            "value": "812df0efea089b956d08352ff0a7e8789d43862dc3764f4441d4e1c1d1fb7957",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775226708",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e79bc44a-02b3-474e-b92a-a240d5722d3e",
            "value": "1536:zkBSruT3pryzCX5VHNbv8+7VGy9nnMXVAj2s3PLRnLnmFsxE:KSUZOGX/HlEqVBKVi39sB"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775226708",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "534e09f4-77ee-432d-a8b7-253ac6486e43",
            "value": "71475"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775226708",
            "to_ids": true,
            "type": "vhash",
            "uuid": "21267762-26d9-492c-926b-e99af9277bc2",
            "value": "e8fbb126ed9a76bc9823512c4e51b648"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775226708",
            "to_ids": true,
            "type": "filename",
            "uuid": "8de20704-6fc3-429a-889f-09daf613d4fa",
            "value": "encrypter-windows-gui-x86.exe.zip"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-04-03\nLast-scan: 2026-04-03",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775226708",
            "to_ids": false,
            "type": "text",
            "uuid": "5a7d8a72-0f10-4cc4-9f63-a79306ba8fd3",
            "value": "Type Description: ZIP\nMicrosoft: None\nVT Total Detection:1/65\nFirst Submission:2024-10-29T07:14:02.000000+00:00\nLast Submission:2024-10-29T07:14:02.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775230753",
        "uuid": "79d995fa-13b2-460f-bb74-f5233a3b9e47",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775230753",
            "to_ids": true,
            "type": "md5",
            "uuid": "91cff608-f586-4f6c-a5b1-ea8f58236519",
            "value": "bae8e04226ff74f7c40f9bd2e6e3b4ae",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775227094",
            "to_ids": true,
            "type": "sha1",
            "uuid": "885d0f79-3b30-4c56-b596-377e4504a52e",
            "value": "87ca31acfcb12b6eac57e1fd47926be330a11e03",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775227094",
            "to_ids": true,
            "type": "sha256",
            "uuid": "8cf43dc2-0528-4466-a9b4-79b9e603fd6e",
            "value": "cc0680de960f3e1b727b61a42e59f9c282bd8e41fe20146ed191c7f4bf9283a7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775226729",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "48037e3a-3b46-4e39-94b4-172515045629",
            "value": "3072:vufqM7tExy3nGt1yc0bwEIrn/eufCNzxaR6:mfG/yc0bM/eufCNzxaR6"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775226729",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "989d3f06-ca86-47bb-ab57-b08592f74df6",
            "value": "106496"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775226729",
            "to_ids": true,
            "type": "vhash",
            "uuid": "feb713cf-3038-4b7d-8faf-f0bd6e51d283",
            "value": "0150466d755561b01011z20052z23z6025z905001e1z400127z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775226729",
            "to_ids": true,
            "type": "filename",
            "uuid": "775e4344-d3e3-49d0-be84-c1797de49078",
            "value": "encrypter-windows-gui-x86.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-04-03\nLast-scan: 2026-04-01",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775226729",
            "to_ids": false,
            "type": "text",
            "uuid": "c87b6d01-d501-4f51-bc6f-2657d7ddd48f",
            "value": "Type Description: Win32 EXE\nMicrosoft: Ransom:Win32/Beast.F\nVT Total Detection:59/71\nFirst Submission:2024-10-20T20:52:27.000000+00:00\nLast Submission:2024-10-21T13:46:25.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775230774",
        "uuid": "277f973f-b9e6-4b25-921f-713a085e3569",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775230774",
            "to_ids": true,
            "type": "md5",
            "uuid": "66dd835a-2ae6-48c7-8e70-9595cb9efdbd",
            "value": "3155f30b92a69aa0f88f4248001892e5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775227095",
            "to_ids": true,
            "type": "sha1",
            "uuid": "761c6042-10f8-4c29-89e4-8b4e906be538",
            "value": "16975276d477ec4d648582c319e654bea6377be9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775227095",
            "to_ids": true,
            "type": "sha256",
            "uuid": "0db3aaed-1177-4a9a-9ab9-b775dbab32b3",
            "value": "cf5c45be416d1b18dd67ffa95c6434691f1f9ba9c30754fa6fc9978c1f975750",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775226751",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f44cdc2b-e1e7-48ee-bfb6-836504ab83bf",
            "value": "24576:5RRSwauAJS9hx98vf9ozRiOv9LnnEUKP/F+5nGnU:Ywamcl6hnEUKP/FyGnU"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775226751",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "fae243cf-a9ce-4631-85d0-ecc26a7663e5",
            "value": "1184768"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775226751",
            "to_ids": true,
            "type": "vhash",
            "uuid": "223a8c85-f770-4b91-bf4e-8359e5f4bda9",
            "value": "016046656d656290101070200861z23z6025z9050022z400157z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775226751",
            "to_ids": true,
            "type": "filename",
            "uuid": "7b622e05-90cf-4df2-b285-a3ef8f5de5eb",
            "value": "encrypter-windows-gui-x86.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-04-03\nLast-scan: 2026-04-02",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775226751",
            "to_ids": false,
            "type": "text",
            "uuid": "02fe5858-3bdb-4fb1-ab14-30e7c9cad4aa",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Etset!rfn\nVT Total Detection:52/71\nFirst Submission:2026-01-26T05:01:05.000000+00:00\nLast Submission:2026-01-29T05:49:23.000000+00:00"
          }
        ]
      }
    ]
  }
}