{
	"id": "30b19e57-9f67-4b2c-adf7-8e448c640ad1",
	"created_at": "2026-04-06T00:06:33.098355Z",
	"updated_at": "2026-04-10T03:37:09.043013Z",
	"deleted_at": null,
	"sha1_hash": "0544fffc51395b5b16d4fc8f863085ab9f2157e9",
	"title": "Agent Tesla | Old RAT Uses New Tricks to Stay on Top - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1311470,
	"plain_text": "Agent Tesla | Old RAT Uses New Tricks to Stay on Top -\r\nSentinelLabs\r\nBy Jim Walter\r\nPublished: 2020-08-10 · Archived: 2026-04-05 13:21:37 UTC\r\nAs other researchers have recently noted, the Agent Tesla RAT (Remote Access Trojan) has become one of the\r\nmost prevalent malware families threatening enterprises in the first half of 2020, being seen in more attacks than\r\neven TrickBot or Emotet and only slightly fewer than Dridex. Although the Agent Tesla RAT has been around for\r\nat least 6 years, it continues to adapt and evolve, defeating many organizations’ security efforts. During the\r\nCOVID-19 pandemic, new variants have been introduced with added functionality, and the malware has been\r\nwidely used in Coronavirus-themed phishing campaigns.\r\nAgent Tesla | Background \u0026 Overview\r\nAgent Tesla is, at its core, a keylogger and information stealer. It was first discovered in late 2014, and its use has\r\ngrown steadily over the last 1-2 years. The malware was initially sold in various underground\r\nforums and marketplaces, as well as its very own AgentTesla.com site (now defunct). Agent Tesla, like many of\r\nits contemporaries, offered both the malware itself as well as a management panel for administration and data\r\ncollection and management. Information harvested from infected devices quickly becomes available to the\r\nattacker via the panel interface.\r\nWhen originally launched, various ‘packages’ were available for purchase. Each package was basically\r\ndifferentiated by the license duration and build/update access. At the time, pricing was quite competitive, with a\r\n1-month license selling for $12.00 USD all the way up to 6-month licenses going for $35.00. 
It is also worth noting\r\nthat, like many other tools of this nature, cracked and leaked versions of Agent Tesla were quick to appear.\r\nEarly versions of Agent Tesla also touted the full suite of features one would expect to find in a modern RAT,\r\nincluding:\r\nMulti-Language Support\r\nPHP Web Panel\r\nAutomatic Activation upon payment (for direct customers)\r\n24/7 support\r\nhttps://labs.sentinelone.com/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/\r\nPage 1 of 9\n\nStable and Fast execution\r\nMultiple delivery methods for keystroke logs, screenshots, and clipboard pulls\r\nSupport for multiple Windows versions (XP upward)\r\nDelivery Mechanism\r\nLike many other threats, the primary delivery mechanism for Agent Tesla is email (phishing messages). Attackers\r\nare often timely with their social engineering lures, and the current pandemic is not off limits to them. In\r\nthe last few months, attackers have been observed spreading Agent Tesla via COVID-themed messages, often\r\nmasquerading as information or updates from the WHO (World Health Organization).\r\nActors behind Agent Tesla campaigns have also used malicious Office documents to facilitate first-stage delivery.\r\nSpecially-crafted documents, exploiting Office vulnerabilities such as CVE-2017-11882 and CVE-2017-8570,\r\nhave been leveraged, even in present-day campaigns. These and similar exploits allow for quick delivery and\r\nexecution with minimal user interaction (beyond opening the malicious documents and allowing active content to\r\nproceed).\r\nFeature Set of New Agent Tesla Variants\r\nOver time, additional features have been added to Agent Tesla. 
These improvements include more robust\r\nspreading and injection methods as well as discovery and theft of wireless network details and credentials.\r\nCurrently, Agent Tesla continues to be utilized in various stages of attacks. Its capability to persistently manage\r\nand manipulate victims’ devices is still attractive to low-level criminals. Agent Tesla is now able to harvest\r\nconfiguration data and credentials from a number of common VPN clients, FTP and email clients, and web\r\nbrowsers. The malware has the ability to extract credentials from the registry as well as from related configuration or\r\nsupport files. Our analysis of a swath of current Agent Tesla samples reveals the following list of targeted\r\nsoftware:\r\n360 Browser\r\nApple Safari\r\nBecky! Internet Mail\r\nBlackHawk\r\nBrave\r\nCentBrowser\r\nCFTP\r\nChedot\r\nChromium (general)\r\nCitrio\r\nClaws Mail\r\nCoccoc\r\nComodo Dragon\r\nCoolNovo\r\nCoreFTP\r\nCyberFox\r\nElements\r\nEpic Privacy\r\nFileZilla\r\nFlashFXP\r\nFlock\r\nGoogle Chrome\r\nIceCat\r\nIceDragon\r\nIncrediMail\r\nIridium\r\nKMeleon\r\nKometa\r\nLiebao\r\nMicrosoft IE \u0026 Edge\r\nMicrosoft Outlook\r\nMozilla Firefox\r\nMozilla Thunderbird\r\nOpenVPN\r\nOpera\r\nOpera Mail\r\nOrbitum\r\nPaleMoon\r\nPostbox\r\nQIP Surf\r\nQualcomm Eudora\r\nSeaMonkey\r\nSleipnir 6\r\nSmartFTP\r\nSputnik\r\nTencent QQBrowser\r\nThe Bat! Email\r\nTorch\r\nTrillian Messenger\r\nUCBrowser\r\nUran\r\nVivaldi\r\nWaterFox\r\nWinSCP\r\nYandex\r\nHarvested data is transmitted to the C2 via SMTP or FTP. 
The transfer method is dictated by the malware’s\r\ninternal configuration, which also includes credentials (FTP or SMTP) for the attacker’s C2.\r\nCurrent variants will often drop or retrieve secondary executables to inject into, or they will attempt to inject into\r\nknown (and vulnerable) binaries already present on targeted hosts.\r\nFor example, as we see in sample 4007480b1a8859415bc011e4981f49ce2ff7a7dd7e883fe70d9f304cbfefedea, a\r\ncopy of RegAsm.exe (dropped into %temp%) is subsequently injected into. That new instance of RegAsm.exe is\r\nthen responsible for handling the brunt of the malicious activity (data harvesting, exfiltration). We can also see\r\nfrequent use of ‘Process Hollowing’ as an injection method. Process Hollowing allows for the creation or\r\nmanipulation of processes in which sections of memory are unmapped (hollowed), with that space then being\r\nreallocated with the desired malicious code.\r\nSome examples get a little less creative with regards to process creation and subsequent injection. For example, in\r\nsample b74bcc77983d587207c127129cfda146644f6a4078e9306f47ab665a86f4ad13, we can observe it creating\r\nhidden folders and processes in %temp%, and using those hidden process instances for the primary infection\r\nroutines and as the persistent process (set via the Registry):\r\n/c copy \"C:/Users/admin1/Desktop/tes_10.exe\" \"%temp%FolderNname.exe\" /Y\r\nExecution Behavior\r\nUpon launch, the malware will begin to gather local system information, install the keylogger module, and\r\ninitialize routines for discovering and harvesting data. 
Part of this process includes basic WMI queries.\r\nExamples include:\r\nstart iwbemservices::execquery - select * from win32_operatingsystem\r\nstart iwbemservices::execquery - select * from win32_processor\r\nRecent samples with the ability to discover wireless network settings and credentials will spawn an instance of\r\nnetsh.exe after a brief sleeping period (after launch). The syntax utilized initially is:\r\nNetsh.exe wlan show profile\r\nPersistence is typically achieved via a registry key entry or a scheduled task.\r\nFor example, in sample 7ec2b40879d6be8a8c6b6ba239d5ae547604ad2605de0d2501a4cca25915afa1, a copy of the\r\nexecutable file is dropped into ~AppDataLocalTemp and targeted with the following syntax to generate the\r\npersistent task:\r\nSchtasks.exe /Create /TN \"UpdatesxjZWstBWrIuw\" /XML \"C:UsersxxxxxxAppDataLocalTemptmp1718.tmp\"\r\nIn the sample b74bcc77983d587207c127129cfda146644f6a4078e9306f47ab665a86f4ad13, we see an example of\r\nestablishing persistence via the registry. Upon launch, an instance of the malware is dropped into %temp% as a\r\nhidden file, in a hidden folder.\r\n/c copy \"C:/Users/admin1/Desktop/tes_10.exe\" \"%temp%FolderNname.exe\" /Y\r\nThe following command is then used to create the Autorun registry key:\r\n/c reg add \"HKCUSoftwareMicrosoftWindows NTCurrentVersionWindows\" /v Load /t REG_SZ /d \"%temp%FolderN\r\nConclusion\r\nAgent Tesla has been around for several years now, and yet we still see it utilized as a commodity in many low-to-mildly sophisticated attacks. Attackers are continually evolving and finding new ways to use tools like Agent Tesla\r\nsuccessfully while evading detection. At the end of the day, if the goal is to harvest and steal data, attackers will go\r\nwith what works; thus, we still see ‘commodity’ tools like Agent Tesla, as well as Pony, Loki, and other low-hanging-fruit malware being used. 
When combined with timely social engineering lures, these non-sophisticated\r\nattacks continue to be successful.  Detection and prevention are key to reducing exposure to these threats.  The\r\nSentinelOne platform is fully capable of detecting and preventing Agent Tesla-based malware campaigns.\r\nIndicators \u0026 IOCs\r\nMITRE ATT\u0026CK\r\nModify Registry (T1112)\r\nSubvert Trust Controls: Install Root Certificate (T1553.004)\r\nHide Artifacts: NTFS File Attributes (T1564.004)\r\nHijack Execution Flow: DLL Search Order Hijacking (T1574.001)\r\nProcess Injection: Process Hollowing (T1055.012)\r\nData from Information Repositories (T1213)\r\nBoot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)\r\nProcess Injection (T1055)\r\nUnsecured Credentials: Credentials In Files (T1552.001)\r\nSystem Information Discovery (T1082)\r\nQuery Registry (T1012)\r\nOS Credential Dumping (T1003)\r\nScheduled Task (T1053)\r\nSource: https://labs.sentinelone.com/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://labs.sentinelone.com/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/"
	],
	"report_names": [
		"agent-tesla-old-rat-uses-new-tricks-to-stay-on-top"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775433993,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0544fffc51395b5b16d4fc8f863085ab9f2157e9.pdf",
		"text": "https://archive.orkl.eu/0544fffc51395b5b16d4fc8f863085ab9f2157e9.txt",
		"img": "https://archive.orkl.eu/0544fffc51395b5b16d4fc8f863085ab9f2157e9.jpg"
	}
}