{
	"id": "bd20e0ea-206d-4c9e-9511-5c7e99de9e68",
	"created_at": "2026-04-06T00:08:08.695921Z",
	"updated_at": "2026-04-10T13:12:04.261759Z",
	"deleted_at": null,
	"sha1_hash": "14470e0b48bd93938da124484a61e7da6d2298a5",
	"title": "ORANGEWORM GROUP – KWAMPIRS ANALYSIS UPDATE - Security Art Work",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3888707,
	"plain_text": "ORANGEWORM GROUP – KWAMPIRS ANALYSIS UPDATE -\r\nSecurity Art Work\r\nBy Lab52\r\nPublished: 2019-03-13 · Archived: 2026-04-05 15:49:40 UTC\r\nThe OrangeWorm group was named and described by Symantec in several blog entries [1] [2]. From these entries we would highlight that the group has been operational since 2015 and is focused on attacking the health, pharmaceutical, technology, manufacturing and logistics sectors. As Symantec describes, the sector most affected is healthcare.\r\nBased on this information, Lab52 has carried out an in-depth study of the Kwampirs tool (OrangeWorm’s main tool) used by this group.\r\nNext, the RAT (Remote Administration Tool) in DLL format and the main binary, or orchestrator of the infection, will be analyzed.\r\nTechnical analysis of Kwampirs Dropper\r\nWithin its arsenal, OrangeWorm has a RAT in DLL format whose execution and lateral movement is carried out by an executable; together they make up the threat known as Kwampirs.\r\nRegarding the executable, which we will call “Kwampirs Dropper”, we first highlight its resources, among which are two images with corrupt sections. One of them contains the DLL with RAT capabilities, encrypted with an XOR key, which the dropper extracts, decrypts and executes on every run:\r\nThis threat has a first execution block in charge of decrypting all the text strings it will use, which are stored encrypted in its “.data” section with a relatively obfuscated XOR algorithm in order to hinder detection and decryption. After decrypting its strings, it extracts the creation and modification dates from User32.dll and collects information about the operating system it is running on. From this point, its logic can be divided into 4 different paths, depending on the number of parameters, each of which provides the functionality for a different stage of the infection.\r\nhttps://www.securityartwork.es/2019/03/13/orangeworm-group-kwampirs-analysis-update/\r\nPage 1 of 25\n\nIn order to give this report the greatest clarity, the 4 possible execution modes of the Kwampirs dropper will be described in the order in which they occur during an infection, rather than in increasing order of the number of parameters:\r\nExecution with a parameter\r\nThe code section executed when the binary receives a single parameter implements a hypothetical installation of the threat, either manually or through a dropper.\r\nIt should be noted that this section depends entirely on having administrator privileges; without them, at many points of the execution it jumps directly to the end of the logic, thus ending its execution.\r\nFirst, it checks the existence of the file “C:\\Windows\\inf\\IE11.PNF”, its size (66 bytes) and whether it has enough privileges to access it.\r\nIf it detects that the file already exists (which would indicate that the computer is already infected) or that it does not have enough privileges (which would prevent it from performing the rest of the logic), it ends the execution. If the file does not exist and it has sufficient privileges, it creates the persistence service.\r\nIt generates this service with a hardcoded name and data taken from the strings it decrypted at the beginning of its execution. Note that the service points to an executable with the same name the binary has at that moment, but located in %System32%, even though it has not been observed to copy itself to that path at any time. This implies that, in addition to being run with administrator privileges, it also requires having been installed in that path by other means.\r\nAfter creating the service, it starts it, this time without any parameter, which gives way to another execution path within its logic.\r\nFinally, it creates the file called ie11.PNF, in which it writes 66 random bytes:\r\nIn the capture above, you can see how it creates a 66-byte buffer, fills it with random bytes, and passes it as a parameter to a function that we have called “CreateFileWith2tmp”, along with a string, which in this case contains “C:\\Windows\\inf\\ie11.PNF”.\r\nThe function “CreateFileWith2tmp” is used constantly for the creation of each of the files related to this threat. It generates two temporary files: in the first it stores the first byte of the buffer received as second parameter, and in the second it stores the rest of the buffer. It then executes the following command to concatenate the content of both and store it in a new file with the name received as third parameter.\r\nAfter generating this file, it finishes its execution, having started another instance of itself as a service and without parameters.\r\nExecution without parameters\r\nWhen the threat starts without parameters, after its first string decryption block and the collection of system information, it calls the Microsoft API “StartServiceCtrlDispatcherW”, responsible for starting the logic of a Windows service, after which it ends. Therefore, if it is not started as a service, it is not able to perform any action.\r\nIf it is loaded as a service (after a first execution of the binary with a parameter, for example), the API “StartServiceCtrlDispatcherW” passes the execution flow of the application to a function of the binary.\r\nThis function first verifies the existence of, and the ability to access, the file “C:\\Windows\\inf\\mtmndkb32.PNF”. If it finds a recent and accessible version of this file, it continues its normal execution. If it does not find it, or has problems accessing it, it goes through the running processes looking for the copies of itself that it generates to run with 2 and 3 parameters, and for its modules, in order to terminate these processes and later delete these executables, as a cleanup.\r\nRegardless of whether it finds the PNF file or not, it enters an infinite “while (!0)” loop, which is in charge of keeping its DLL module running and of maintaining a copy of itself running with two parameters, which is in charge of the threat’s lateral movement over SMB.\r\nThe infinite loop first looks for running instances of its DLL module. If it does not find any, it calls a function that extracts from its resources the image mentioned at the beginning of the report, trims the corrupt section, and decrypts it with a 16-byte XOR key using the following algorithm:\r\nand stores the result in System32 with one of the following names with extension “.dll”:\r\nOnce it has the module on disk, it runs it through the Microsoft executable “rundll32.exe”, passing the following parameters:\r\nIt then calls a function whose sole purpose is to call a one-minute “Sleep” 20 times, pausing its execution for a period of 20 minutes.\r\nAfter 20 minutes, it calls a function that, if it does not find an instance of itself running with 2 parameters, makes a copy of its own binary with one of the following names:\r\nAnd it executes it with two parameters using the Microsoft API CreateProcessAsUserW, which allows it to assign the token of the current user as the creator of the process, so that the process is executed in that user’s session:\r\nAfter this, it performs a Sleep with a random value between 1 and 3 minutes and repeats the same execution flow, thus ensuring that both its DLL module and its replica running with two parameters are kept running.\r\nAt this point, the following are running: the main Kwampirs dropper process, loaded as System by the persistence service; an instance of rundll32, also as System, generated by the parameterless process itself; and a second instance of the executable, this time with the credentials of the user who has logged in, thanks to the use of the “CreateProcessAsUserW” API for its creation:\r\nExecution with 2 parameters\r\nWhen the threat is executed with two parameters, after its first string decryption block and the collection of system information, it goes directly to a function in charge of scanning private IP addresses, which it tries to access over SMB in order to check whether it can reach and infect them.\r\nTo do this, it first creates a thread which, through the Microsoft API “GetTcpTable”, obtains the list of IPv4 connections of the system and filters those going through ports 445 and 138, thereby isolating the ones related to SMB traffic; it then tries to infect these IPs directly.\r\nTo make sure it does not miss any computer to which the user has access but which does not appear in the table, the main thread of the threat scans the entire subnet of the computer, trying to infect all its possible IP addresses.\r\nWhen the main thread finishes scanning the computer’s subnet, it enters a last code region, which generates random private “/24” subnets and scans them completely, in order to try to reach subnets other than that of the infected computer but accessible from it.\r\nEach of the IP addresses generated by these three subnet scanning approaches is passed to a function that attempts to infect them by trying to access any of the following shares via SMB:\r\nADMIN$\r\nC$\\WINDOWS\r\nD$\\WINDOWS\r\nE$\\WINDOWS\r\nTo do this, it calls the “CreateFile” API, passing as file path the IP address to be infected with the path “[IP]\\ADMIN$\\system32\\csrss.exe”, replacing the first element after the IP address with each of the strings in the previous list, which generates the following network traffic:\r\nIf it gets access to this file on any computer, it checks the existence of ie11.PNF to see whether it is already infected; otherwise it creates a new one on that computer and gives it the date and time extracted from User32.dll:\r\nIf it is able to create that file, it tries to copy itself, choosing one of the hardcoded names it has in its strings:\r\nwmiapsrvce.exe\r\nwmiapsvrce.exe\r\nwmiapsvre.exe\r\nwmiapvsre.exe\r\nwmiaprvse.exe\r\nwmiapsrve.exe\r\nwmiapsrvcx.exe\r\nAnd it generates a copy of itself with that name on the remote computer through SMB:\r\nEach time it is able to create both ie11.PNF and the Kwampirs executable, it calls a function, passing as parameter a number that depends on the SMB scanning routine used to reach that IP: if it reached the IP from the scanning logic of the system subnet, it passes a 0; if through the scanning routine of random private networks, it passes a 1; if it reached the address through the thread, it passes a 2.\r\nThis function generates a string like the following:\r\n“Lucas-PC\\Lucas\\192.168.19.2\\0\\Mon Dec 03 17:38:27 2018”\r\nThe string consists of the user and domain with which the other system has been infected, the IP address of the infected victim computer, the number received as parameter, which identifies the SMB scanning algorithm that detected the victim, and the date and time of infection. It encrypts this string with an XOR algorithm using a 203-byte hardcoded key and appends it to a temporary file called “Lb978YTy.tmp”.\r\nFinally, it creates a new copy of itself in System32 of the local computer and executes it, this time with 3 parameters: first the IP address of the computer it has just infected, and then two more parameters similar to those it received in its own execution.\r\nExecution with 3 parameters\r\nThis last execution branch of the Kwampirs dropper is in charge of establishing persistence on the remote computers infected by its replica executed with two parameters, and also of starting that persistence, which corresponds to the service called “WmiApSrvEx”.\r\nTo do this, it first extracts the last character of its second and third parameters and converts it from “char” to “int”. The second parameter can be a value between 0 and 3 (if it is anything else, its execution ends). This value corresponds to the remote directory that its two-parameter replica was able to access, thus giving the accessible remote path:\r\n0 = ADMIN$\r\n1 = C$\\WINDOWS\r\n2 = D$\\WINDOWS\r\n3 = E$\\WINDOWS\r\nThe third parameter can be a number between 0 and 6 and corresponds to the name given to the copy of itself on the remote computer, as follows:\r\n0 = wmiapsrvce.exe\r\n1 = wmiapsvrce.exe\r\n2 = wmiapsvre.exe\r\n3 = wmiapvsre.exe\r\n4 = wmiaprvse.exe\r\n5 = wmiapsrve.exe\r\n6 = wmiapsrvcx.exe\r\nWith this, and the address of the remote computer it has as first parameter, it tries to create and start the service “WmiApSrvEx” on the remote computer, generating traffic like the following:\r\nDepending on whether or not it is able to create and start the service, it calls the logging function for the “Lb978YTy.tmp” log of infected remote computers, but this time the parameter can be a 3 if everything went well, or a 4 if it has not been able to create or start the persistence. This leaves in the “.tmp” file a record of the computers to which it has had access (entries with 0, 1 or 2) and of whether or not it has been able to infect them (entries with 3 or 4).\r\nIf it is not able to infect the computer, it tries to delete the remote ie11.PNF file, so that it can try to infect that computer again in a future execution.\r\nTechnical analysis of Kwampirs RAT\r\nOrangeWorm has in its arsenal a RAT in DLL format (from now on Kwampirs) that is executed by the “Kwampirs Dropper”. This component has the following static characteristics:\r\nIn all the samples analyzed the ControlTrace() function is exported. This has not changed since the Symantec report. Kwampirs RAT behaves differently depending on the number of parameters. The possibilities implemented on this occasion are two: when three parameters and when four parameters are passed to the function.\r\nThe analysis will describe the behavior of Kwampirs RAT in each of the two existing execution branches:\r\nExecution with three parameters\r\nThe actions that Kwampirs RAT performs once it starts with three parameters are:\r\n1. The first thing it does is to decrypt the compromise indicators (IOCs from now on). Once decrypted, we will see them reflected in memory:\r\nIn the image above you can see the memory segment with all the URIs that the malware will try in order to communicate. To decrypt the IOCs, the malware uses the following logic:\r\n2. The next step is to obtain the MACTimes of user32.dll. This group modifies the timestamps of certain files it creates on disk, setting them to those of user32.dll, as already mentioned for “Kwampirs Dropper”. This is a measure to hinder subsequent forensic analysis. In the example below we can see, on the left, the file 3.tmp (random name), created by Kwampirs to store the identifiers of the handles of the Named Pipes it has created, and on the right the system’s user32.dll. If we look carefully, we see that the modification time matches exactly:\r\n3. In the mtmndkb32.PNF file, a value generated from the system date at the time of execution is saved. In each execution (of Kwampirs Dropper as well as Kwampirs RAT) it checks the exact date the file was created, and if not enough time has passed since then, it does not run again. This is already described by Symantec in its report, and the “current” samples have not changed this behavior.\r\n4. In the event that Kwampirs RAT has downloaded a module, it interacts with the mkdiawb3.PNF file before entering the network communication execution flow. This file stores MD5 hashes of the modules. An example of the file with the hash of the encrypted and unencrypted module can be seen below:\r\nThis group calculates the hash on the file (module) after encrypting it and encoding it in base64. If we hash the downloaded module we will see that it matches what is stored:\r\n5. Kwampirs RAT creates different files with extension “.TMP” in the user’s temporary directory and, if executed by a user with administrator privileges, renames them and places them in the directory C:\\windows\\inf with extension PNF (discussed previously). To copy them, it uses cmd.exe, as shown below in an execution:\r\n6. After moving the files, it launches a thread that contacts the command and control server (C2 from now on). This thread invokes the StartProcess() function. It receives modules from the C2 together with the hash of the signed module, and checks the hash before executing them. During this thread, a temporary file is generated where information about the computer is stored and later used in the requests. This file is called digirps.PNF. Once the digirps.PNF file is decrypted, you can see how it stores computer information such as the MAC address:\r\nAgain, to decrypt the file we use the same algorithm but with a different key, and the MAC of the computer where the sample was executed is indeed obtained. The analysis carried out has not shown that a first interaction with this file adds more useful information than the MAC address.\r\nAs already mentioned, network communications with the C2 are performed in this function. Until it receives a “good” response, Kwampirs RAT sends the following type of packets (in this case you can see how a C2 sends a successful response):\r\nWe see how the C2 has returned a code {XXX}: hash_md5_modulo. After receiving the module hash, the C2 sends it in the next GET:\r\nIn this case what it has returned is a module (also a DLL) that it injects into memory and launches as a new execution thread (these modules are not dumped to disk). In this case, the module allows commands to be executed in the operating system. In a first iteration the module executes commands to gather information:\r\nThe module that Kwampirs RAT has downloaded is mapped into memory as follows:\r\nAfter loading it, a thread starts by invoking a function named CF. For this sample it is necessary that all modules export the function CF() to start the logic. The name of the DLL once mapped is, on this occasion, cmdDLL.dll, which confirms that it is a module ready to execute commands.\r\nNext you can see the module’s loop that reads the .data section with the commands that will be launched with cmd.exe:\r\nAnd the following screenshot shows the part of the network code that sends the POST request of the module, whose network traffic capture was seen before:\r\n7. After exiting the thread, the Sleep() function is executed with a random time and it returns to point 5 to repeat the process.\r\nWhen the Kwampirs RAT is executed with three parameters, the API that makes the HTTP request sometimes returns error 12029 (it could not establish the HTTP connection). In this case Kwampirs RAT will try to start the malware with the CreateProcessAsUser() function as follows:\r\nIt looks like there are two instances of Kwampirs, one with the user SYSTEM and another with the user Lucas. This makes sense, since there are occasions where the SYSTEM user cannot get out through the organization’s proxy; with this technique it aims to take the user who may have configured the proxy and thus get out. The user instance tries again to launch the HTTP requests.\r\nExecution with four parameters\r\nWhen Kwampirs RAT is started with 4 parameters, it is used to communicate through Named Pipes with another instance of Kwampirs RAT.\r\nThe last parameter gives the name of the file that will store the handles of the named pipes created by that same instance. When started with this number of parameters, it calls the CreatePipe() function twice to create two Named Pipes. The pipe handles (in decimal) are stored in a file created in C:\\Windows\\Temp:\r\n232 = E8\r\n228 = E4\r\nThe handles of the process show that e8 and e4 are File handles:\r\nThis mode of operation, as seen during the analysis, is used to communicate the Kwampirs RAT process started as SYSTEM (started by the service) with the process started as the user who owns the current session of the machine.\r\nIn the previous screenshot you can see how the process rundll32.exe (started as SYSTEM; in this case it would be the master), which could not reach the internet, is about to write to a pipe to send the data to the process that was created with the CreateProcessAsUser() function. This data, as you can see in the image, is a numerical value and a URI. The image shows that the handle to which WriteFile() writes is 0x240 (seen at the top of the stack); if we open the handles of the master rundll32 process we see that it is a Named Pipe:\r\nIf the handles of the master rundll32 process are opened with a tool like ProcessHacker, it can be seen that it has an open handle on the rundll32 process created with the unprivileged user (from now on rundll32 slave):\r\nAnother situation similar to the previous one that occurs during execution is when the master rundll32.exe opens the explorer.exe process. This is done with the OpenProcess() API and then OpenProcessToken(), in order to obtain the token of the explorer.exe process (normally the owner of this process is the authenticated user, who is the one most likely to have the proxy configured):\r\nThe following is a description of the entire sequence of actions carried out for the master rundll32 process to send information to the rundll32 slave, after having seen some peculiarities previously. The following image shows the master process rundll32.exe, which has just opened the slave process with OpenProcess and will open a temporary file with wfopen:\r\nThe temporary file contains the identifiers of the handles created in the rundll32 SLAVE process:\r\nIn the memory of the master process we will find those handles in their hexadecimal value:\r\nOnce these handles are located, the master duplicates them in order to obtain, in its own process, access to handles corresponding to those of the slave process, so that the two can communicate with each other:\r\nIn this execution, the value of lpTargetHandle was 0x290, and it is linked (or duplicated) with one of the rundll32.exe slave handles that it just read from the temporary file.\r\nSumming up the operation: the master rundll32.exe opens the slave process. Then it reads the temporary file containing the handles (in decimal) of the pipes that the slave has created. The master duplicates the two pipe handles of the slave into its own process and thus passes all the information through these pipes. A situation where this logic is used is when the master process started by the service cannot browse the network. In this case, it creates the slave with the token of the user who owns explorer.exe, and the slave tries to browse with the URIs provided by the master through the created pipes.\r\nReferences\r\n[1] https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia\r\n[2] https://content.connect.symantec.com/sites/default/files/2018-04/Orangeworm%20IOCs.pdf\r\n[3] https://www.ccn-cert.cni.es/ca/seguretat-al-dia/noticies-d-actualitat/6156-orangeworm-apt-orientada-al-sector-medico.html\r\nCompromise indicators\r\nIOC | Type\r\nHashes analyzed\r\nSource: https://www.securityartwork.es/2019/03/13/orangeworm-group-kwampirs-analysis-update/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.securityartwork.es/2019/03/13/orangeworm-group-kwampirs-analysis-update/"
	],
	"report_names": [
		"orangeworm-group-kwampirs-analysis-update"
	],
	"threat_actors": [
		{
			"id": "c4acd072-595e-4d33-9ce9-bbf41010bb1a",
			"created_at": "2023-01-06T13:46:38.751893Z",
			"updated_at": "2026-04-10T02:00:03.088252Z",
			"deleted_at": null,
			"main_name": "Orangeworm",
			"aliases": [],
			"source_name": "MISPGALAXY:Orangeworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3e0bc1b7-0dd7-444a-964b-64dfb5145c8f",
			"created_at": "2022-10-25T15:50:23.413202Z",
			"updated_at": "2026-04-10T02:00:05.388465Z",
			"deleted_at": null,
			"main_name": "Orangeworm",
			"aliases": [
				"Orangeworm"
			],
			"source_name": "MITRE:Orangeworm",
			"tools": [
				"Kwampirs",
				"netstat",
				"ipconfig",
				"cmd",
				"Arp",
				"Systeminfo"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6a60b1ba-609f-4bed-b15b-3ffc050d2ac6",
			"created_at": "2022-10-25T16:07:24.033083Z",
			"updated_at": "2026-04-10T02:00:04.846068Z",
			"deleted_at": null,
			"main_name": "Orangeworm",
			"aliases": [
				"G0071"
			],
			"source_name": "ETDA:Orangeworm",
			"tools": [
				"Kwampirs",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434088,
	"ts_updated_at": 1775826724,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/14470e0b48bd93938da124484a61e7da6d2298a5.pdf",
		"text": "https://archive.orkl.eu/14470e0b48bd93938da124484a61e7da6d2298a5.txt",
		"img": "https://archive.orkl.eu/14470e0b48bd93938da124484a61e7da6d2298a5.jpg"
	}
}