{ "Event": { "analysis": "1", "date": "2026-05-14", "extends_uuid": "", "info": "[Threat Intel] Kazuar: Anatomy of a nation-state botnet", "protected": false, "publish_timestamp": "1779547475", "published": true, "threat_level_id": "2", "timestamp": "1779547474", "uuid": "5df6c3a9-4e93-4dc5-bc9f-d50b8ac31856", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#96f4f6", "local": false, "name": "misp-galaxy:producer=\"Microsoft\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#8ee8d8", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"", "relationship_type": "" }, { "colour": "#72ee33", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"", "relationship_type": "" }, { "colour": "#77a4ec", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Email Collection - T1114\"", "relationship_type": "" }, { "colour": "#3eb869", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Local Data Staging - T1074.001\"", "relationship_type": "" }, { "colour": "#7d7034", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"", "relationship_type": "" }, { "colour": "#ff841f", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"", "relationship_type": "" }, { "colour": "#68f2ff", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"", "relationship_type": "" }, { "colour": "#43c8db", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"", "relationship_type": "" }, { "colour": "#fd9f99", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Mail Protocols - T1071.003\"", "relationship_type": "" }, { "colour": "#adf1b0", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"", "relationship_type": "" }, { "colour": "#20f80d", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"", "relationship_type": "" }, { "colour": "#0c0051", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"", "relationship_type": "" }, { "colour": "#1cbe6b", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Virtualization/Sandbox Evasion - T1497\"", "relationship_type": "" }, { "colour": "#9e0269", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Service - T1102\"", "relationship_type": "" }, { "colour": "#62f4c1", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"", "relationship_type": "" }, { "colour": "#a9f8b1", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"", "relationship_type": "" }, { "colour": "#e43954", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"", "relationship_type": "" }, { "colour": "#e08bb2", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"", "relationship_type": "" }, { "colour": "#23cf0e", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Remote Email Collection - T1114.002\"", "relationship_type": "" }, { "colour": "#356c41", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"", "relationship_type": "" }, { "colour": "#e12cbc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Non-Application Layer Protocol - T1095\"", "relationship_type": "" }, { "colour": "#07a4a1", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data Encoding - T1132\"", "relationship_type": "" }, { "colour": "#3c0f50", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"", "relationship_type": "" }, { "colour": "#92e858", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"", "relationship_type": "" }, { "colour": "#e4d611", "local": false, "name": "misp-galaxy:target-information=\"Ukraine\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"Kazuar\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:threat-actor=\"Turla\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#110041", "local": false, "name": "rectifyq:sub-category=\"malware-analysis\"", "relationship_type": "" }, { "colour": "#f1dfed", "local": false, "name": "rectifyq:TA-category=\"APT\"", "relationship_type": "" }, { "colour": "#f1dfed", "local": false, "name": "rectifyq:TA-category=\"State-Sponsored\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778900412", "to_ids": false, "type": "link", "uuid": "fac750bb-346c-4d71-84a9-999b1a77b537", "value": "https://www.microsoft.com/en-us/security/blog/2026/05/14/kazuar-anatomy-of-a-nation-state-botnet/" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1778900412", "to_ids": false, "type": "text", "uuid": "b5339dfc-6d48-4aa3-8be0-cde334be7938", "value": "Kazuar is a sophisticated malware attributed to Russian state actor Secret Blizzard, having evolved from a traditional backdoor into a highly modular peer-to-peer botnet ecosystem. The malware comprises three distinct module types\u2014Kernel, Bridge, and Worker\u2014that distribute functionality across infected systems. A leadership election mechanism ensures only one Kernel module communicates externally, reducing detection opportunities. The architecture supports flexible configuration with over 150 options, multiple C2 channels including HTTP, WebSockets, and Exchange Web Services, and extensive data collection capabilities. Secret Blizzard primarily targets government, diplomatic, and defense organizations in Europe, Central Asia, and Ukraine to support Russian foreign policy and military intelligence objectives. The botnet maintains persistent access through sophisticated IPC mechanisms, staged data exfiltration during working hours, and comprehensive anti-analysis checks." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1778900412", "to_ids": false, "type": "text", "uuid": "55f4c280-6ea0-4b58-b951-59f0885d9efb", "value": "Name: Kazuar: Anatomy of a nation-state botnet\nAuthor: AlienVault\nAdversary: Turla\nTags: [\"c2 infrastructure\", \"russia fsb\", \"espionage\", \"peer-to-peer botnet\", \"modular architecture\", \"kazuar\", \"pelmeni\", \"diplomatic targeting\", \"nation-state\"]\nTgtd countries: [\"Ukraine\"]\nMlwr families: [\"Kazuar - S0265\", \"Pelmeni\"]\nAttack_ids: [\"T1113\", \"T1056.001\", \"T1114\", \"T1074.001\", \"T1082\", \"T1071\", \"T1005\", \"T1055\", \"T1071.003\", \"T1090\", \"T1059\", \"T1083\", \"T1497\", \"T1102\", \"T1057\", \"T1041\", \"T1562.001\", \"T1027\", \"T1114.002\", \"T1573\", \"T1095\", \"T1132\", \"T1027.002\", \"T1071.001\"]\nIndustries: [\"Government\", \"Defense\"]" }, { "category": "Attribution", "comment": "Adversary", "deleted": false, "disable_correlation": false, "timestamp": "1778981467", "to_ids": false, "type": "threat-actor", "uuid": "e1100885-2767-4eac-b9c2-c9575b3c557d", "value": "Secret Blizzard", "Tag": [ { "colour": "#0088cc", "local": false, "name": "misp-galaxy:threat-actor=\"Turla\"", "relationship_type": "" }, { "colour": "#96f4f6", "local": false, "name": "misp-galaxy:producer=\"Microsoft\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:17/05/2026", "deleted": false, "disable_correlation": false, "timestamp": "1779547474", "to_ids": true, "type": "md5", "uuid": "253caa22-8c78-4ea3-ab40-8c4d10743e43", "value": "82760b84f1d703d596c79b88ba4fac1e", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779547465", "uuid": "ca102bc2-1563-4544-8895-093cc3c34865", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779547464", "to_ids": true, "type": "md5", "uuid": "f3fa23d0-1484-4734-b1d6-831401ae6840", "value": "035e952a9504894fb311aef75ab64aec", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#81bddc", "local": false, "name": "QuotaExceededError", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779547464", "to_ids": true, "type": "sha1", "uuid": "fdd49fb8-57c8-4e70-b2c3-34bc94eca92c", "value": "78db2202722f8c5afd7ee135e620908d99bc3d55", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779547465", "to_ids": true, "type": "sha256", "uuid": "ecd30376-767c-4f3a-b130-a360fab57875", "value": "436cfce71290c2fc2f2c362541db68ced6847c66a73b55487e5e5c73b0636c85", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1779000039", "to_ids": true, "type": "ssdeep", "uuid": "72acbd83-93d5-4ab1-b5c8-8e83160f2f90", "value": "49152:V0DtrZZPwbbeGfMZoYauY95t4hVtAKiBuB0rVnt7:udZPwbbeSmWtzKiB" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1779000039", "to_ids": false, "type": "size-in-bytes", "uuid": "e561482b-3b4b-4490-b4a9-e38a41f03908", "value": "1910784" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1779000039", "to_ids": true, "type": "vhash", "uuid": "78868a85-a854-4dfb-a20c-45b0353d64bf", "value": "216026651810415ffff1149dd" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1779000039", "to_ids": true, "type": "filename", "uuid": "f3854090-d735-4d13-a54f-7d7dce208198", "value": "cmr0ec934.exe" }, { "category": "Other", "comment": "Checked: 17/05/2026\nLast-scan\t: 17/05/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1779000039", "to_ids": false, "type": "text", "uuid": "c302ef5e-3e59-4e67-9790-700de1464e96", "value": "Type Description: Win32 EXE\nMicrosoft: Backdoor:MSIL/KazuarModule.A!dha\nVT Total Detection:47/71\nFirst Submission:2026-05-12T21:41:38.000000+00:00\nLast Submission:2026-05-12T21:41:38.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779547467", "uuid": "8ddf58ed-5349-4022-a104-86872c4ea165", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779547466", "to_ids": true, "type": "md5", "uuid": "296ef247-bcf3-48ee-a76d-0b127cfc28cc", "value": "9769354a8d84f6bc5cbf86f54fb4f0b4", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#81bddc", "local": false, "name": "QuotaExceededError", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779547467", "to_ids": true, "type": "sha1", "uuid": "1a6a3d40-2e30-40d0-b814-6cf6821de6b8", "value": "84626b6e99ffeca12d7a0371c7949e44b81a6b87", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779547467", "to_ids": true, "type": "sha256", "uuid": "2afc7f04-8192-402e-a1d5-d7358cd7f7db", "value": "69908f05b436bd97baae56296bf9b9e734486516f9bb9938c2b8752e152315d4", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1779000061", "to_ids": true, "type": "ssdeep", "uuid": "4fb7f654-a2c0-43db-8886-4aeb9f52f181", "value": "3072:MDh+2M3hPK4zxCzlwhoQg6B+1kRm7UxelRxiRZGXU:MDhu3k4NhtQkRkUABiRZG" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1779000061", "to_ids": false, "type": "size-in-bytes", "uuid": "edb2df2c-11a7-4844-b1e1-499ff832a9e5", "value": "151552" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1779000061", "to_ids": true, "type": "vhash", "uuid": "3c1a9f47-a91e-48c4-a356-14ee56e1c87a", "value": "1150966d7565151c051d1085z10026085z9095z1071z9ez4" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1779000061", "to_ids": true, "type": "filename", "uuid": "e0357b56-3b7c-412c-93c0-25688ee41685", "value": "hpbprndiLOC.dll" }, { "category": "Other", "comment": "Checked: 17/05/2026\nLast-scan\t: 17/05/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1779000061", "to_ids": false, "type": "text", "uuid": "3b026bc0-07dc-4de7-906d-9e14c1ccbdec", "value": "Type Description: Win32 DLL\nMicrosoft: Trojan:Win64/Kazuar.OB!dha\nVT Total Detection:45/71\nFirst Submission:2025-10-08T11:55:31.000000+00:00\nLast Submission:2025-10-08T11:55:31.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779547469", "uuid": "b25c0e4b-c31d-4e55-8802-30a44c6d1fd1", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779547469", "to_ids": true, "type": "md5", "uuid": "9ce4afdc-ee19-4ff6-9337-796c5a930828", "value": "bd7d85741a3801d8fe7a725061249337", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#81bddc", "local": false, "name": "QuotaExceededError", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779547469", "to_ids": true, "type": "sha1", "uuid": "a6012086-8846-4ebc-988a-54e1a46a6c89", "value": "fb5eb1cad3444d7a1647bb906fff3200d8a707f3", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779547469", "to_ids": true, "type": "sha256", "uuid": "c8d5876a-bc83-4326-9679-d822f495e781", "value": "6eb31006ca318a21eb619d008226f08e287f753aec9042269203290462eaa00d", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1779000084", "to_ids": true, "type": "ssdeep", "uuid": "f79c9a75-5755-4bdd-af8f-64ac1a6e532e", "value": "49152:nN1zYajZjhtZQ4NEE0Z3e7GxBlOf9jjQeD:njYQZjhtZnq" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1779000084", "to_ids": false, "type": "size-in-bytes", "uuid": "6daf814c-e8c7-4c81-93e3-b8969b235004", "value": "2507264" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1779000084", "to_ids": true, "type": "vhash", "uuid": "d1e42c81-b96c-45c9-b0c6-1de33a441e91", "value": "226026551fa0e22ffff161563ff" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1779000084", "to_ids": true, "type": "filename", "uuid": "5467c2eb-cf91-4cc2-b670-6813ddb8ed9d", "value": "6eb31006ca318a21eb619d008226f08e287f753aec9042269203290462eaa00d.exe" }, { "category": "Other", "comment": "Checked: 17/05/2026\nLast-scan\t: 17/05/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1779000084", "to_ids": false, "type": "text", "uuid": "798317b8-ac7e-4eb5-bfa4-c98d9dfe5f56", "value": "Type Description: Win32 EXE\nMicrosoft: Backdoor:MSIL/KazuarModule.A!dha\nVT Total Detection:43/71\nFirst Submission:2026-05-12T21:43:49.000000+00:00\nLast Submission:2026-05-14T10:40:36.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779547472", "uuid": "bfc6823b-bca4-4e53-8bd7-59c4156c182b", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779547472", "to_ids": true, "type": "md5", "uuid": "1e46acf3-312a-41a9-b98b-f0c1c02ed0f3", "value": "78aaeff421355a794a6248c84871eef7", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#81bddc", "local": false, "name": "QuotaExceededError", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779547472", "to_ids": true, "type": "sha1", "uuid": "4411ba7b-dbb4-4d42-b491-e2d5ceac0b8b", "value": "ac6957ce5b1d361561d1836a6c026ab9a3279227", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779547472", "to_ids": true, "type": "sha256", "uuid": "cb96ae51-eaa7-4229-8d6e-fd43579ceeba", "value": "c1f278f88275e07cc03bd390fe1cbeedd55933110c6fd16de4187f4c4aaf42b9", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1779000106", "to_ids": true, "type": "ssdeep", "uuid": "1e10fd6d-a588-4195-8444-ee9d3f2f401a", "value": "49152:Q2ud9UEURHG7i4rWBcZaX3aiRL+XrXuUnC3s49cFjpzh2e3Uvu+hBYAaGriBBSIq:W96m7i" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1779000106", "to_ids": false, "type": "size-in-bytes", "uuid": "5de499f4-9610-4c6f-bc95-0f545af0a017", "value": "1985024" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1779000106", "to_ids": true, "type": "vhash", "uuid": "51d9d4d2-5e65-422e-8425-71372a3c3b3b", "value": "216026651810415ffff114ade" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1779000106", "to_ids": true, "type": "filename", "uuid": "fc4e9e9c-164a-4a5f-b0e5-0e6a2ec5ba8c", "value": "c1f278f88275e07cc03bd390fe1cbeedd55933110c6fd16de4187f4c4aaf42b9.bin" }, { "category": "Other", "comment": "Checked: 17/05/2026\nLast-scan\t: 17/05/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1779000106", "to_ids": false, "type": "text", "uuid": "ed6a10e0-1fea-454b-b92d-d86670c736c6", "value": "Type Description: Win32 EXE\nMicrosoft: Backdoor:MSIL/KazuarModule.A!dha\nVT Total Detection:47/71\nFirst Submission:2026-05-12T21:38:48.000000+00:00\nLast Submission:2026-05-12T21:38:48.000000+00:00" } ] } ] } }