{
  "Event": {
    "analysis": "1",
    "date": "2026-04-30",
    "extends_uuid": "",
    "info": "[Threat Intel] An In-Depth Analysis of Novel KarstoRAT Malware",
    "protected": false,
    "publish_timestamp": "1779546327",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1779546327",
    "uuid": "f8039ec4-0358-40b3-938b-b4e50d276939",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#705cef",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ee8d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"",
        "relationship_type": ""
      },
      {
        "colour": "#72ee33",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#8b05c0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Audio Capture - T1123\"",
        "relationship_type": ""
      },
      {
        "colour": "#d74cce",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Bypass User Account Control - T1548.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#9dc839",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Clipboard Data - T1115\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#f5a258",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9bb6d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\"",
        "relationship_type": ""
      },
      {
        "colour": "#c8f8ef",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Binary Proxy Execution - T1218\"",
        "relationship_type": ""
      },
      {
        "colour": "#eb2300",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Defacement - T1491\"",
        "relationship_type": ""
      },
      {
        "colour": "#ece0df",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Video Capture - T1125\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#3780c6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
        "relationship_type": ""
      },
      {
        "colour": "#62f4c1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e43954",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#02475d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#30cc3b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#297c25",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Inhibit System Recovery - T1490\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      },
      {
        "colour": "#220082",
        "local": false,
        "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777950040",
        "to_ids": false,
        "type": "link",
        "uuid": "80ecfcff-2f6f-457b-9a85-e2ce1b7ecacf",
        "value": "https://www.levelblue.com/hubfs/Web/Library/Documents_pdf/TTR-Spotlight-Novel-KarstoRAT-Malware.pdf",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777950040",
        "to_ids": false,
        "type": "text",
        "uuid": "c4cda3d7-a526-4e93-aaaf-f2fbb88a36e3",
        "value": "KarstoRAT is a newly identified remote access trojan that emerged in early 2026, combining surveillance, credential theft, and remote command execution capabilities. The malware supports extensive post-compromise operations including system reconnaissance, screenshot and audio capture, webcam monitoring, keylogging, and token theft. It communicates with a C2 server at 212.227.65[.]132 over HTTP, identifying itself with the user agent 'SecurityNotifier'. Distribution occurs through gaming-themed lure pages targeting Roblox players and FPS/GTA modders via fake cheat loaders. KarstoRAT employs multiple persistence mechanisms through registry keys, scheduled tasks, and startup folders, while featuring a UAC bypass using the fodhelper.exe technique. The malware has not been publicly advertised on cybercrime forums, suggesting private development and limited operator use rather than commodity distribution."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777950040",
        "to_ids": false,
        "type": "text",
        "uuid": "fb4efb57-e140-4137-802d-abc7b13bdf47",
        "value": "Name: An In-Depth Analysis of Novel KarstoRAT Malware\nAuthor: AlienVault\nAdversary: \nTags: [\"gaming lure pages\", \"karstorat\", \"webcam surveillance\", \"fodhelper exploit\", \"discord token stealer\"]\nTgtd countries: []\nMlwr families: [\"KarstoRAT\"]\nAttack_ids: [\"T1053.005\", \"T1113\", \"T1056.001\", \"T1123\", \"T1548.002\", \"T1204.002\", \"T1115\", \"T1082\", \"T1106\", \"T1555\", \"T1218\", \"T1491\", \"T1125\", \"T1083\", \"T1204\", \"T1057\", \"T1041\", \"T1547.001\", \"T1562.001\", \"T1027\", \"T1059.003\", \"T1070.004\", \"T1071.001\", \"T1105\", \"T1490\"]\nIndustries: []"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778623832",
        "to_ids": true,
        "type": "hostname",
        "uuid": "508f5a1a-5cd3-465d-9138-b15bf68be85f",
        "value": "hallucinative-shabbily-olga.ngrok-free.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778623853",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "3580808c-ca65-49ca-918c-9eb41cfd250e",
        "value": "212.227.65.132",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546315",
        "uuid": "02ebf798-2c7a-4f34-8bf9-a5969a2a7a7d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546314",
            "to_ids": true,
            "type": "md5",
            "uuid": "a68f0624-6242-4b46-9130-3dfb2150cd1d",
            "value": "19e747644979f0f1ee459d2d298ab5d6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546314",
            "to_ids": true,
            "type": "sha1",
            "uuid": "ff7a275b-9cd5-4224-8b54-91f6575e1443",
            "value": "10c9a8a6c6f6ea9233a7df700c4a724b5f49ff74",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546315",
            "to_ids": true,
            "type": "sha256",
            "uuid": "79cc2c51-f474-45c9-b2d7-f6cc2c66feff",
            "value": "65229ef9d09e4cbfae326d41c517576cc2143c259fd764f259f3925fc8917c8b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778621617",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "320c5150-68ad-4bc8-87da-db0be6c2c10d",
            "value": "1572864:le5/uapcYbwCd9xjMPR1d5PIMoVBw/fgI495iX7zZ+4Oj:tajMC7mPbLNE+WszItj"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778621617",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "3965a5e0-c08b-442c-8f6e-52ad9093b04e",
            "value": "67036160"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778621617",
            "to_ids": true,
            "type": "vhash",
            "uuid": "eb198da1-7504-4db8-849c-e1ff643a38ca",
            "value": "067076655d155d05755az59hz3lz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778621617",
            "to_ids": true,
            "type": "filename",
            "uuid": "e9686097-ba79-4f71-8aba-7b7ac95ea460",
            "value": "65229ef9d09e4cbfae326d41c517576cc2143c259fd764f259f3925fc8917c8b.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 13/05/2026\nLast-scan\t:  06/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778621617",
            "to_ids": false,
            "type": "text",
            "uuid": "3f224809-30f9-42e9-bc74-06b6f58e88da",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Etset!rfn\nVT Total Detection:32/68\nFirst Submission:2026-01-15T20:27:06.000000+00:00\nLast Submission:2026-02-28T09:12:53.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546318",
        "uuid": "ba621693-a805-4edb-a2ec-6ba9df4155d1",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546317",
            "to_ids": true,
            "type": "md5",
            "uuid": "02300d09-6245-4d07-af67-1524a4679b35",
            "value": "fe9db3aed6a04c762472afdf2face254",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546317",
            "to_ids": true,
            "type": "sha1",
            "uuid": "231a5b65-64ee-4605-bb06-deed3bc2de01",
            "value": "94e98b714bfb102d143957cf1e00bd45b5b8fa4d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546318",
            "to_ids": true,
            "type": "sha256",
            "uuid": "90d7f826-0819-4db9-91e6-d2488fce5df4",
            "value": "07131e3fcb9e65c1e4d2e756efdb9f263fd90080d3ff83fbcca1f31a4890ebdb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778621638",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "6826b917-9ed4-498b-9c4e-653ca5e5ef0c",
            "value": "3072:XOJQsTtxRGiwtsvccTJOLHonuKV1uKNJy/7:XOJ556XtsvbTJOLi1uKNJi"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778621638",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "1bff31bc-c71f-4fa4-bb43-3ce023d10563",
            "value": "151552"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778621638",
            "to_ids": true,
            "type": "vhash",
            "uuid": "5daee12f-33e6-44bc-8957-e518280de788",
            "value": "015066655d1555551085z7002a7z37z22z181z7010046z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778621638",
            "to_ids": true,
            "type": "filename",
            "uuid": "943ca7d6-fcba-4228-ac79-aad6409d4f9e",
            "value": "iu05e.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 13/05/2026\nLast-scan\t:  06/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778621638",
            "to_ids": false,
            "type": "text",
            "uuid": "153637e5-6e74-4e96-bd90-7d83983fcc4e",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win64/KarstoRAT.A!AMTB\nVT Total Detection:49/70\nFirst Submission:2026-02-26T00:38:20.000000+00:00\nLast Submission:2026-02-27T06:56:53.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546321",
        "uuid": "9d8b1769-99b1-4602-9fea-e81d66bd9e71",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546320",
            "to_ids": true,
            "type": "md5",
            "uuid": "2a2c954d-a3f6-401a-9cdb-41a858a69cd0",
            "value": "f35cebd169a5751e89d7048a28ecace7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546320",
            "to_ids": true,
            "type": "sha1",
            "uuid": "787dce49-d812-4d74-beae-eac5cee502e4",
            "value": "2d32b10f191b3897dc4ab5041639f16e0bd75ba4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546321",
            "to_ids": true,
            "type": "sha256",
            "uuid": "28c3712e-a211-43b8-aa03-8b35b66e791c",
            "value": "839e882551258bf34e5c5105147f7198af2daf7e579d7d4a8c5f1f105966fd7e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778621660",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "b6ed2b25-1a1c-4212-9af9-19d2603021d9",
            "value": "3072:IFv0eY/1RJENt2hy/5+Xkr76r5fKjZME:IN0b1RuNt0W3reVfKjZ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778621660",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "66b31095-114b-4b09-89b2-13b43d074efe",
            "value": "146432"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778621660",
            "to_ids": true,
            "type": "vhash",
            "uuid": "125b275d-e1fd-4ad3-94b2-fa8fa9def5e8",
            "value": "015066655d1555551085z7002a7z37z22z181z7020046z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778621660",
            "to_ids": true,
            "type": "filename",
            "uuid": "ff2726a8-e5cc-4d62-b8db-8d0a03e18b8e",
            "value": "H-Mohsen.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 13/05/2026\nLast-scan\t:  07/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778621660",
            "to_ids": false,
            "type": "text",
            "uuid": "d2ca09a2-4506-4dc4-bd8e-06e6489f2dc7",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win64/KarstoRAT.A!AMTB\nVT Total Detection:50/71\nFirst Submission:2026-03-03T09:16:37.000000+00:00\nLast Submission:2026-05-03T20:38:29.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546324",
        "uuid": "aae983e5-908c-49a2-a6d1-87b703ca6292",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546323",
            "to_ids": true,
            "type": "md5",
            "uuid": "beb5b0ce-f69d-4a8a-b1ba-98764a620da4",
            "value": "a857e04d4e07ad9671c4290c0a3b856c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546323",
            "to_ids": true,
            "type": "sha1",
            "uuid": "0fbbe1d7-4a47-4b5e-ab3e-073150181467",
            "value": "911c94edb0fbef89c1a120a3530560fb6b0114d1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546324",
            "to_ids": true,
            "type": "sha256",
            "uuid": "02b911ca-afa5-4762-b7f5-af48f176d014",
            "value": "ee5b0c1f0015b9f59e34ef8017ead6e83259b32c4b0e07dc1f894b0d407094a3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778621682",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "66ee6616-346e-4e95-8e73-f2d8f3fb69c6",
            "value": "3072:Iw+Kg2smhmBxaMhyf4ZLz2Y/xtVN5uKNJ:Iw+Kg46fhyfiLz1fuKNJ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778621682",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a67ef148-b93a-46e8-9261-53d37966c59c",
            "value": "151552"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778621682",
            "to_ids": true,
            "type": "vhash",
            "uuid": "425b215a-b599-4791-a62e-db8acf461598",
            "value": "015066655d1555551085z7002a7z37z22z181z7010046z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778621682",
            "to_ids": true,
            "type": "filename",
            "uuid": "a9348835-0b61-413c-aa46-d1efdeec9205",
            "value": "sample_00131.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 13/05/2026\nLast-scan: 06/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778621682",
            "to_ids": false,
            "type": "text",
            "uuid": "e9728fd8-41a6-4076-8bca-2ae115dbf6ed",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win64/KarstoRAT.A!AMTB\nVT Total Detection: 52/70\nFirst Submission: 2026-03-03T09:16:32.000000+00:00\nLast Submission: 2026-03-12T03:07:03.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546327",
        "uuid": "fd2a494f-904b-4c17-9cc8-a898288519f3",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546326",
            "to_ids": true,
            "type": "md5",
            "uuid": "0af416df-3589-4cab-ba21-f5604e5445e7",
            "value": "a5bef919eb260af5bb8eba243ed4fd75",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546326",
            "to_ids": true,
            "type": "sha1",
            "uuid": "547de019-92f2-49e8-8813-7f5eaf74a025",
            "value": "c6297eae6d141d5f803aaeb2cec08328b4ac4183",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546327",
            "to_ids": true,
            "type": "sha256",
            "uuid": "35746ed3-6963-4e3e-b5c1-14ec9153378e",
            "value": "aca3f2902307c5ebdb43811b74000783d61b6ad29d7796bb8107d8b1b38d76a3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778621703",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "94681863-7772-4bef-8838-94a7f719d71c",
            "value": "1536:UcFeNvAR+haMKxkIYrb7cLDhN+3AD+X2aiDOWfD58p+xbDLua:myCaz5AXcxN+QSGfr5vu"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778621703",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "fdbb8ab3-fca1-482a-bc2d-bd6cbbbbc3c6",
            "value": "94208"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778621703",
            "to_ids": true,
            "type": "vhash",
            "uuid": "ada4f619-9696-435c-b604-5ddd081d015e",
            "value": "094066655d1555551065z700247z37z22z151z72z275z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778621703",
            "to_ids": true,
            "type": "filename",
            "uuid": "d3621e3d-31a5-47a6-a558-481b68768f73",
            "value": "sample_00094.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 13/05/2026\nLast-scan: 07/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778621703",
            "to_ids": false,
            "type": "text",
            "uuid": "ef5a0e0b-64d3-4040-9380-64314ea949f5",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win64/KarstoRAT.A!AMTB\nVT Total Detection: 49/71\nFirst Submission: 2026-03-03T09:16:30.000000+00:00\nLast Submission: 2026-03-12T02:42:08.000000+00:00"
          }
        ]
      }
    ]
  }
}