{ "id": "fbe0552b-fe34-46d5-8bd7-181333d4ee2a", "created_at": "2026-04-06T00:09:18.006456Z", "updated_at": "2026-04-10T03:37:17.336249Z", "deleted_at": null, "sha1_hash": "288da05e84bd9da96ab02b3b2a221842e9fb54e2", "title": "MAR-10296782-3.v1 – WELLMAIL | CISA", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 83245, "plain_text": "MAR-10296782-3.v1 – WELLMAIL | CISA\r\nPublished: 2020-07-16 · Archived: 2026-04-05 13:54:09 UTC\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial\r\nproduct or service referenced in this bulletin or otherwise.\r\nThis document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries\r\nminimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to\r\nstandard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the\r\nTraffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.\r\nSummary\r\nDescription\r\nThe Malware Analysis Report (MAR) is the result of analytic efforts by the Cybersecurity and Infrastructure Security\r\nAgency (CISA). This malware has been identified as WELLMAIL. Advanced persistent threat (APT) groups have been\r\nidentified using this malware. For more information regarding this malware, please visit:\r\nhttps://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development\r\nThis report analyzes two unique files. The files are a variant of the WellMail implant. The malware provides remote operator\r\nencrypted C2 sessions and the ability to dynamically run executable scripts on infected systems.\r\nFor a downloadable copy of IOCs, see MAR-10296782-3.v1.stix.\r\nSubmitted Files (2)\r\n0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494 (0c5ad1e8fe43583e279201cdb1046a...)\r\n83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18 (83014ab5b3f63b0253cdab6d715f59...)\r\nIPs (1)\r\n119.81.184.11\r\nFindings\r\n0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494\r\nTags\r\ntrojan\r\nDetails\r\nName 0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494\r\nSize 6366794 bytes\r\nType ELF 64-bit LSB executable, x86-64, version 1 (SYSV)\r\nMD5 01d322dcac438d2bb6bce2bae8d613cb\r\nSHA1 8830e9d90c508adf9053e9803c64375bc9b5161a\r\nSHA256 0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494\r\nSHA512 3705b5ceb4ea06370da2a0d73b60e776c9528545704442d0872b75d8593966905eb2ad6a4edddec42bed2115bcd22a37154079c73c26d0a9\r\nssdeep 49152:RXKUBXE/J9KhwyXGHjKRwpEcWDm4grE/jwgQbl+8cUiFNj8hqTQqc5Y4lZT3iDS7:ZK34fLjLU0xQq2YRQD\r\nEntropy 6.084206\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c\r\nPage 1 of 10\n\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nrule CISA_10296782_01 : trojan WELLMESS\r\n{\r\nmeta:\r\n    Author = \"CISA Code \u0026 Media Analysis\"\r\n    Date= \"2020-07-06\"\r\n    Last_Modified=\"20200706_1017\"\r\n    Actor=\"n/a\"\r\n    Category=\"Trojan\"\r\n    Family=\"WellMess\"\r\n    Description = \"Detects WellMess implant and SangFor Exploit\"\r\n    MD5_1 = \"4d38ac3319b167f6c8acb16b70297111\"\r\n    SHA256_1 = \"7c39841ba409bce4c2c35437ecf043f22910984325c70b9530edf15d826147ee\"\r\n    MD5_2 = \"a32e1202257a2945bf0f878c58490af8\"\r\n    SHA256_2 = \"a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064\"\r\n    MD5_3 = \"861879f402fe3080ab058c0c88536be4\"\r\n    SHA256_3 = \"14e9b5e214572cb13ff87727d680633f5ee238259043357c94302654c546cad2\"\r\n    MD5_4 = \"2f9f4f2a9d438cdc944f79bdf44a18f8\"\r\n    SHA256_4 = \"e329607379a01483fc914a47c0062d5a3a8d8d65f777fbad2c5a841a90a0af09\"\r\n    MD5_5 = \"ae7a46529a0f74fb83beeb1ab2c68c5c\"\r\n    SHA256_5 = \"fd3969d32398bbe3709e9da5f8326935dde664bbc36753bd41a0b111712c0950\"\r\n    MD5_6 = \"f18ced8772e9d1a640b8b4a731dfb6e0\"\r\n    SHA256_6 = \"953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a\"\r\n    MD5_7 = \"3a9cdd8a5cbc3ab10ad64c4bb641b41f\"\r\n    SHA256_7 = \"5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb\"\r\n    MD5_8 = \"967fcf185634def5177f74b0f703bdc0\"\r\n    SHA256_8 = \"58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2\"\r\n    MD5_9 = \"c5d5cb99291fa4b2a68b5ea3ff9d9f9a\"\r\n    SHA256_9 = \"65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75\"\r\n    MD5_10 = \"01d322dcac438d2bb6bce2bae8d613cb\"\r\n    SHA256_10 = \"0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494\"\r\n    MD5_11 = \"8777a9796565effa01b03cf1cea9d24d\"\r\n    SHA256_11 = \"83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18\"\r\n    MD5_12 = \"507bb551bd7073f846760d8b357b7aa9\"\r\n    SHA256_12 = \"47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854\"\r\nstrings:\r\n    $0 = \"/home/ubuntu/GoProject/src/bot/botlib/chat.go\"\r\n    $1 = \"/home/ubuntu/GoProject/src/bot/botlib.Post\"\r\n    $2 = \"GoProject/src/bot/botlib.deleteFile\"\r\n    $3 = \"ubuntu/GoProject/src/bot/botlib.generateRandomString\"\r\n    $4 = \"GoProject/src/bot/botlib.AES_Decrypt\"\r\n    $5 = { 53 00 63 00 72 00 69 00 70 00 74 00 00 0F 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 00 07 2F 00 63 }\r\n    $6 = { 3C 00 6E 00 77 00 3E 00 2E 00 2A 00 29 00 00 0B 24 00 7B 00 66 00 6E 00 7D }\r\n    $7 = { 7B 00 61 00 72 00 67 00 7D 00 00 0B 24 00 7B 00 6E 00 77 00 7D }\r\n    $8 = { 52 61 6E 64 6F 6D 53 74 72 69 6E 67 00 44 65 6C 65 74 65 46 69 6C 65 }\r\n    $9 = \"get_keyRC6\"\r\n    $10 = { 7D A3 26 77 1D 63 3D 5A 32 B4 6F 1F 55 49 44 25 }\r\n    $11 = { 47 C2 2F 35 93 41 2F 55 73 0B C2 60 AB E1 2B 42 }\r\n    $12 = { 53 58 9B 17 1F 45 BD 72 EC 01 30 6C 4F CA 93 1D }\r\n    $13 = { 48 81 21 81 5F 53 3A 64 E0 ED FF 21 23 E5 00 12 }\r\n    $14 = \"GoProject/src/bot/botlib.wellMess\"\r\n    $15 = { 62 6F 74 6C 69 62 2E 4A 6F 69 6E 44 6E 73 43 68 75 6E 6B 73 }\r\n    $16 = { 62 6F 74 6C 69 62 2E 45 78 65 63 }\r\n    $17 = { 62 6F 74 6C 69 62 2E 47 65 74 52 61 6E 64 6F 6D 42 79 74 65 73 }\r\n    $18 = { 62 6F 74 6C 69 62 2E 4B 65 79 }\r\n    $19 = { 7F 16 21 9D 7B 03 CB D9 17 3B 9F 27 B3 DC 88 0F }\r\n    $20 = { D9 BD 0A 0E 90 10 B1 39 D0 C8 56 58 69 74 15 8B }\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c\r\nPage 2 of 10\n\n$21 = { 44 00 59 00 4A 00 20 00 36 00 47 00 73 00 62 00 59 00 31 00 2E }\r\n    $22 = { 6E 00 20 00 46 00 75 00 7A 00 2C 00 4B 00 5A 00 20 00 33 00 31 00 69 00 6A 00 75 }\r\n    $23 = { 43 00 31 00 69 00 76 00 66 00 39 00 32 00 20 00 56 00 37 00 6C 00 4F 00 48 }\r\n    $24 = { 66 69 6C 65 4E 61 6D 65 3A 28 3F 50 3C 66 6E 3E 2E 2A 3F 29 5C 73 61 72 67 73 3A 28 3F 50 3C 61\r\n72 67 3E 2E 2A 3F }\r\n    $25 = { 5C 00 2E 00 53 00 61 00 6E 00 67 00 66 00 6F 00 72 00 55 00 44 00 2E 00 73 00 75 00 6D }\r\n    $26 = { 66 6F 72 6D 2D 64 61 74 61 3B 20 6E 61 6D 65 3D 22 5F 67 61 22 3B 20 66 69 6C 65 6E 61 6D 65 3D }\r\n    $27 = { 40 5B 5E 5C 73 5D 2B 3F 5C 73 28 3F 50 3C 74 61 72 3E 2E 2A 3F 29 5C 73 27 }\r\ncondition:\r\n   ($0 and $1 and $2 and $3 and $4) or ($5 and $6 and $7 and $8 and $9) or ($10 and $11) or ($12 and $13) or ($14)\r\nor ($15 and $16 and $17 and $18) or ($19 and $20) or ($21 and $22 and $23) or ($24) or ($25 and $26) or ($27)\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n0c5ad1e8fe... Connected_To 119.81.184.11\r\nDescription\r\nThis artifact is an ELF 64-bit file written in Go. This file has been identified as a variant of the malware family known as\r\nWellMail.\r\nWhen executed, it attempts to collect the following data from the victim's system:\r\n—Begin Data Collected —\r\nIP address of the victim system\r\nCurrent username\r\n—End Data Collected—\r\nThe data is stored in the following format:\r\n—Begin format—\r\n\"200.200.200.150|root|50d3a7116bf847c869f71ecc08eb124a\"\r\n—End format—\r\nIt will attempt to send the above data to its C2 server at the IP address, 119.81.184.11:25 over TCP port 25 with the User-Agent string \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0\r\nSafari/537.36\".\r\nThe following key and certificates are used to create the secure connection:\r\n—Begin Key and Certificates—\r\n—Begin Certificate—\r\nMIIDHzCCAgegAwIBAgICBnowDQYJKoZIhvcNAQELBQAwNzELMAkGA1UEBhMCVVMx\r\nHDAaBgNVBAoTE0dNTyBHbG9iYWxTaWduLCBJbmMxCjAIBgNVBAMTASowHhcNMTgw\r\nNTExMjE1OTEzWhcNMjgxMjExMjI1OTEzWjArMQswCQYDVQQGEwJVUzEcMBoGA1UE\r\nChMTR01PIEdsb2JhbFNpZ24sIEluYzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC\r\nAQoCggEBANf06onDYhHc7h5msEdruHffSx78EyNhAR08MrF8Zvlyq6BtsRfxscJ6\r\ndcYxV18o5Nd5SXEu80wAz0+GBk+jN90mCz/54MtSMii4CnbCCxFd2Rs7ibMsnd/w\r\nOiZRyiWTpAQ0dc+Kp2YIT0icEIJQ5bXauqRPHKyYfcJcJNSPxkMswnfaYYOIyGqJ\r\nxGmBepBOyl8AVP7EizeaAL+4WoejHAW37hSeTJmmwpqojGeGEgTl5IU/QUNlTnDE\r\na8VlnJ6H3fCU6irCRp5RZeE87fHt10rOiIlqMg8DDz8RHytLGlaO3SCXXzoJvzD8\r\nzaHaD3nWnFkeKhYxg0LJUYM9rl7LkNkCAwEAAaNBMD8wDgYDVR0PAQH/BAQDAgeA\r\nMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAOBgNVHQ4EBwQFAQIDBAYw\r\nDQYJKoZIhvcNAQELBQADggEBANTxGwoIup6pfoABqlS8VOSz8qPDSAaTMZSawmyc\r\nf5MgN9IdI+9vtl391qSxPYE21fRM0qAW620YVIM1Io42fEx+Ncou+35T/dAmbcUG\r\nwmT2b5ipg079lBwR2MeV+2DgS/Es7ICfKyXN5Y3aRfZo3gN/MGJ+1HIjvLK9b7dl\r\nJ0HLvcViFuCHlikw+woGl9WZIAzu2Za6P87tf9kSlBhfpOGvHG5p/lnw+rRRvsoW\r\nN8HqZsAELwK9YqKohHoQ4K8VpoocmtnOpJ4bXIGwd0trM0ha6zKgcUWiHFOPTgdB\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c\r\nPage 3 of 10\n\n9gheCTIR7uhsXkw/gsG/Qn4FO/bY13ptI/0lQe3FZEVivTU=\r\n—End Certificate—\r\n—Begin Certificate—\r\nMIIDLDCCAhSgAwIBAgICBnUwDQYJKoZIhvcNAQELBQAwNzELMAkGA1UEBhMCVVMx\r\nHDAaBgNVBAoTE0dNTyBHbG9iYWxTaWduLCBJbmMxCjAIBgNVBAMTASowHhcNMTgx\r\nMjAxMjI1ODAyWhcNMjgxMjExMjI1ODAyWjA3MQswCQYDVQQGEwJVUzEcMBoGA1UE\r\nChMTR01PIEdsb2JhbFNpZ24sIEluYzEKMAgGA1UEAxMBKjCCASIwDQYJKoZIhvcN\r\nAQEBBQADggEPADCCAQoCggEBAPEgxGDxc/86bPDopIUb79TW6IJct4xJ9oK+ebSV\r\nkEa2E0dIqg/nw3i+zbU0cQW+MMTVrSD9K9h6lkqhuXtXTyev+ewVNFJHTBpPY2rp\r\nzDE/oYwqp1zuFxjL5yvCJIMKrvBwvZkpzO4jxGGm4XllRMugzPGJ48HBDYkNJvyF\r\nmkABtgAfR+FF8ecQx5Hy250ELgHnvBL9YwD7sd+5/gSCgWMfTju1TazC1qS6xoFO\r\nXb9Dgp9ax8+UFVsL2lQkkt0O2GQ1rYvanc4ccsJmd4H0VtOm5C6VBQP8o1MVkOKA\r\nv4dop+Tu694Wbv6M55VrgAtz/XPjTvzrCewl0QLIwHmevm8CAwEAAaNCMEAwDgYD\r\nVR0PAQH/BAQDAgKEMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAPBgNV\r\nHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBLrN+wxjxk4YsqPQ7YUSWd\r\nVpSQHp2WN6m6R4hfsjPoGSy5U36xygHq7fVkqh+nrOQfGjTps/7rFRLGAIoSjTWH\r\nLisO1rEhpIduahWOdT4NxgeWBKUGCzwX2f7DcJ08uJwupGpzqxZh73LD+ox+6suL\r\nYZP5g00kM0yPfTcDSKLkdFcPCRGCxtCBB9oW+dSzDEaVCSY5RjEHsbRLn4GRYv+V\r\n96H9rbFHb80wofJvUYAdrFl6dRNty1QgCp1s9rZEFxdIzTQsuaVsi2zN/xARPP30\r\nS+I+9FfdRr0zJdks7eEXQNKBijzRQPVahfBwUEkjbapUOAQIX3xR2a50d88BZybm\r\n—End Certificate—\r\n—Begin RSA Private Key—\r\nMIIEowIBAAKCAQEA1/TqicNiEdzuHmawR2u4d99LHvwTI2EBHTwysXxm+XKroG2x\r\nF/Gxwnp1xjFXXyjk13lJcS7zTADPT4YGT6M33SYLP/ngy1IyKLgKdsILEV3ZGzuJ\r\nsyyd3/A6JlHKJZOkBDR1z4qnZghPSJwQglDltdq6pE8crJh9wlwk1I/GQyzCd9ph\r\ng4jIaonEaYF6kE7KXwBU/sSLN5oAv7hah6McBbfuFJ5MmabCmqiMZ4YSBOXkhT9B\r\nQ2VOcMRrxWWcnofd8JTqKsJGnlFl4Tzt8e3XSs6IiWoyDwMPPxEfK0saVo7dIJdf\r\nOgm/MPzNodoPedacWR4qFjGDQslRgz2uXsuQ2QIDAQABAoIBAGwOSCyWbsOxYBQm\r\nHZ4e8DZKrDPcvVa+eug97r+QF5ZJIkcrm6j3bpJ44+U/WxBqTdbjATR44ZPt880+\r\nqnm+mX02Q/rG9QvHHQHy1ImHnjIaWz+dEtFsSbJ7aR0zX4pdzXutJCWsowYSslkK\r\nfdg20jmkMC92xko2IvbVVDhnmDSTjYJv3t8ErUgQqGTWnIluIsVJtUfdtZE62Wqj\r\nETW7N09mgFZ6DkAWwi6GqM6R0h5assf9an+IRjdEvh0yAdgdeeGYugyxg4QsQaBP\r\nz/8Nc+0MsljNOJ3l9mGvv5Le9lrkdQo4/LEinuq5EQCasDnhUAEa3ure8+iNwv7C\r\nBjGQqYECgYEA78II0db0DrMjKK+lqvTRaWgjlGMUyc93datTipiCR2LCulipv2OE\r\nQ7D9thg2dBvY+87mSoFFgJyhGl1nEtj23IsnJSfg8wrrOPGbHGROa3Hh7Yr/S1vk\r\ncodyakjfQ2+ShiiqEZHNfxyxV26A0dLFcKxI8e8HBI1oadJo5teh1MUCgYEA5pYc\r\nvvXv4Aa72tMJFF6Dd2vN3kL6aIrrMCp3tLKjUhYz+H0bjHH9QVqj+O5cihxppQ2o\r\nMuzyOuCbEDBYusgh4j0gHEetTOlGh0WO1H9XM25/ULFaNv3TckBI0neiyiWq9lyu\r\nW6Fe6XnYdFBca2VaaixHkqq2FvnQu6AN4urZVQUCgYEAhuX7pGV3SFYOcDPz2K6K\r\nrO4FJtZgufPbWP+er5qDorq0qbh9Ocw6fQO2nKAe81E/0t5kwILfoi9+jaED/5zH\r\nuOsqiUNY1CbOlmmKRn1Bij63SbotTi9T6ATBoX+C7yR1orp6hgwtPVndhj4MiQI4\r\nSN8G4+kDX9JYb0IN9+RXj6kCgYByhVlviiwBoraH/soCoNJAbH1JhxBg/aXDPURI\r\nrXQp37ceEdytyytR2xeXGaNCQMxDWl4QNNg1X7oDt09KLP2PJHafNQYgLbeGlYhT\r\nh48ijx2SURMSPsxWcRD53ssuBLk9NFiwT5wY7xgO5J6SBDt8gdNmR3y6OoZtuRdM\r\nfQFFlQKBgCQ6qBuKHdNdriG1t7yo6kXBTGvNxhpq+MczIcHIr1g6u9SC2nrrEE+n\r\nLF9EaHQT98PKqsO/8AFUkpwPpTftg6v4E2fKtU3WAvTOz3rydWvc00qSfTeBRQ2/\r\nypF1hXBXYRIil4qsX1xQRw2k+K+Mw+/I5CErVVNQ9aAvxNLwEKc7\r\n—End RSA Private Key—\r\n—End Key and Certificates—\r\nScreenshots\r\nFigure 1 - This WellMail implant contains a structure similar to the Work function contained within the WellMess implant\r\n(47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854), detailed within MAR-10296782.r2.v1.WHITE. This structure parses out executable scripts from data provided via a remote operator. In this case,\r\nthe REGEX value indicates this implant will receive scripts compressed (tar files). The malware will then decompress them\r\nbefore executing the embedded script. Analysis indicates the WellMail implant is similar in design and structure to the\r\nWellMess implant -- and both accept and execute shell scripts from a remote operator.\r\n119.81.184.11\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c\r\nPage 4 of 10\n\nTags\r\ncommand-and-control\r\nPorts\r\n25 TCP\r\nWhois\r\nQueried whois.apnic.net with \"119.81.184.11\"...\r\n% Information related to '119.81.184.0 - 119.81.184.31'\r\n% Abuse contact for '119.81.184.0 - 119.81.184.31' is 'abuse@softlayer.com'\r\ninetnum:        119.81.184.0 - 119.81.184.31\r\nnetname:        NETBLK-SOFTLAYER-APNIC-CUST-AW717-AP\r\ndescr:         Sharenet Limited\r\ncountry:        NZ\r\nadmin-c:        AW717-AP\r\ntech-c:         AW717-AP\r\nstatus:         ASSIGNED NON-PORTABLE\r\nmnt-by:         MAINT-SOFTLAYER-AP\r\nmnt-irt:        IRT-SOFTLAYER-AP\r\nlast-modified: 2015-01-12T14:07:06Z\r\nsource:         APNIC\r\nirt:            IRT-SOFTLAYER-AP\r\naddress:        Keplerstaat 34, 1171CD Badhoevedorp\r\ne-mail:         abuse@softlayer.com\r\nabuse-mailbox: abuse@softlayer.com\r\nadmin-c:        SDHB1-AP\r\ntech-c:         SDHB1-AP\r\nauth:         # Filtered\r\nremarks:        abuse@softlayer.com was validated on 2020-01-29\r\nmnt-by:         MAINT-SOFTLAYER-AP\r\nlast-modified: 2020-01-29T23:08:58Z\r\nsource:         APNIC\r\nperson:         Anthony Walker\r\naddress:        Unit 1246,\r\n               24B Moorefield Rd Wellington 6037 NZ\r\ncountry:        NZ\r\nphone:         +1.866.398.7638\r\ne-mail:         anthony@sharenet.co.nz\r\nmnt-by:         MAINT-SOFTLAYER-AP\r\nnic-hdl:        AW717-AP\r\nabuse-mailbox: anthony@sharenet.co.nz\r\nlast-modified: 2015-01-12T14:06:59Z\r\nsource:         APNIC\r\n% This query was served by the APNIC Whois Service version 1.88.15-SNAPSHOT (WHOIS-US3)\r\nRelationships\r\n119.81.184.11 Connected_From 83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18\r\n119.81.184.11 Connected_From 0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494\r\nDescription\r\n83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18 and\r\n0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494 attempt to connect to the IP address.\r\n83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c\r\nPage 5 of 10\n\nTags\r\ntrojan\r\nDetails\r\nName 83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18\r\nSize 2214184 bytes\r\nType ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux)\r\nMD5 8777a9796565effa01b03cf1cea9d24d\r\nSHA1 53098b025a3f469ebc3e522f7b0999011cafb943\r\nSHA256 83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18\r\nSHA512 e9c2bdcd2b298456726f0fc15ecf3cbfd667a7f0196bd42ecde1058dbfe33aeccb1626a462797cdaf1f32e2515ce08f0fa2d46e34833e0ac0980\r\nssdeep 49152:xtt6IZ6yPcb6MSsGN4aftKLK8Fa0Bpmy8TxQbjtHpbJ4E:xttn7Pc/Sjb5GpmyWxQVJbJ4E\r\nEntropy 7.892960\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nrule CISA_10296782_01 : trojan WELLMESS\r\n{\r\nmeta:\r\n    Author = \"CISA Code \u0026 Media Analysis\"\r\n    Date= \"2020-07-06\"\r\n    Last_Modified=\"20200706_1017\"\r\n    Actor=\"n/a\"\r\n    Category=\"Trojan\"\r\n    Family=\"WellMess\"\r\n    Description = \"Detects WellMess implant and SangFor Exploit\"\r\n    MD5_1 = \"4d38ac3319b167f6c8acb16b70297111\"\r\n    SHA256_1 = \"7c39841ba409bce4c2c35437ecf043f22910984325c70b9530edf15d826147ee\"\r\n    MD5_2 = \"a32e1202257a2945bf0f878c58490af8\"\r\n    SHA256_2 = \"a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064\"\r\n    MD5_3 = \"861879f402fe3080ab058c0c88536be4\"\r\n    SHA256_3 = \"14e9b5e214572cb13ff87727d680633f5ee238259043357c94302654c546cad2\"\r\n    MD5_4 = \"2f9f4f2a9d438cdc944f79bdf44a18f8\"\r\n    SHA256_4 = \"e329607379a01483fc914a47c0062d5a3a8d8d65f777fbad2c5a841a90a0af09\"\r\n    MD5_5 = \"ae7a46529a0f74fb83beeb1ab2c68c5c\"\r\n    SHA256_5 = \"fd3969d32398bbe3709e9da5f8326935dde664bbc36753bd41a0b111712c0950\"\r\n    MD5_6 = \"f18ced8772e9d1a640b8b4a731dfb6e0\"\r\n    SHA256_6 = \"953b5fc9977e2d50f3f72c6ce85e89428937117830c0ed67d468e2d93aa7ec9a\"\r\n    MD5_7 = \"3a9cdd8a5cbc3ab10ad64c4bb641b41f\"\r\n    SHA256_7 = \"5ca4a9f6553fea64ad2c724bf71d0fac2b372f9e7ce2200814c98aac647172fb\"\r\n    MD5_8 = \"967fcf185634def5177f74b0f703bdc0\"\r\n    SHA256_8 = \"58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2\"\r\n    MD5_9 = \"c5d5cb99291fa4b2a68b5ea3ff9d9f9a\"\r\n    SHA256_9 = \"65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75\"\r\n    MD5_10 = \"01d322dcac438d2bb6bce2bae8d613cb\"\r\n    SHA256_10 = \"0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494\"\r\n    MD5_11 = \"8777a9796565effa01b03cf1cea9d24d\"\r\n    SHA256_11 = \"83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18\"\r\n    MD5_12 = \"507bb551bd7073f846760d8b357b7aa9\"\r\n    SHA256_12 = \"47cdb87c27c4e30ea3e2de620bed380d5aed591bc50c49b55fd43e106f294854\"\r\nstrings:\r\n    $0 = \"/home/ubuntu/GoProject/src/bot/botlib/chat.go\"\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c\r\nPage 6 of 10\n\n$1 = \"/home/ubuntu/GoProject/src/bot/botlib.Post\"\r\n    $2 = \"GoProject/src/bot/botlib.deleteFile\"\r\n    $3 = \"ubuntu/GoProject/src/bot/botlib.generateRandomString\"\r\n    $4 = \"GoProject/src/bot/botlib.AES_Decrypt\"\r\n    $5 = { 53 00 63 00 72 00 69 00 70 00 74 00 00 0F 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 00 07 2F 00 63 }\r\n    $6 = { 3C 00 6E 00 77 00 3E 00 2E 00 2A 00 29 00 00 0B 24 00 7B 00 66 00 6E 00 7D }\r\n    $7 = { 7B 00 61 00 72 00 67 00 7D 00 00 0B 24 00 7B 00 6E 00 77 00 7D }\r\n    $8 = { 52 61 6E 64 6F 6D 53 74 72 69 6E 67 00 44 65 6C 65 74 65 46 69 6C 65 }\r\n    $9 = \"get_keyRC6\"\r\n    $10 = { 7D A3 26 77 1D 63 3D 5A 32 B4 6F 1F 55 49 44 25 }\r\n    $11 = { 47 C2 2F 35 93 41 2F 55 73 0B C2 60 AB E1 2B 42 }\r\n    $12 = { 53 58 9B 17 1F 45 BD 72 EC 01 30 6C 4F CA 93 1D }\r\n    $13 = { 48 81 21 81 5F 53 3A 64 E0 ED FF 21 23 E5 00 12 }\r\n    $14 = \"GoProject/src/bot/botlib.wellMess\"\r\n    $15 = { 62 6F 74 6C 69 62 2E 4A 6F 69 6E 44 6E 73 43 68 75 6E 6B 73 }\r\n    $16 = { 62 6F 74 6C 69 62 2E 45 78 65 63 }\r\n    $17 = { 62 6F 74 6C 69 62 2E 47 65 74 52 61 6E 64 6F 6D 42 79 74 65 73 }\r\n    $18 = { 62 6F 74 6C 69 62 2E 4B 65 79 }\r\n    $19 = { 7F 16 21 9D 7B 03 CB D9 17 3B 9F 27 B3 DC 88 0F }\r\n    $20 = { D9 BD 0A 0E 90 10 B1 39 D0 C8 56 58 69 74 15 8B }\r\n    $21 = { 44 00 59 00 4A 00 20 00 36 00 47 00 73 00 62 00 59 00 31 00 2E }\r\n    $22 = { 6E 00 20 00 46 00 75 00 7A 00 2C 00 4B 00 5A 00 20 00 33 00 31 00 69 00 6A 00 75 }\r\n    $23 = { 43 00 31 00 69 00 76 00 66 00 39 00 32 00 20 00 56 00 37 00 6C 00 4F 00 48 }\r\n    $24 = { 66 69 6C 65 4E 61 6D 65 3A 28 3F 50 3C 66 6E 3E 2E 2A 3F 29 5C 73 61 72 67 73 3A 28 3F 50 3C 61\r\n72 67 3E 2E 2A 3F }\r\n    $25 = { 5C 00 2E 00 53 00 61 00 6E 00 67 00 66 00 6F 00 72 00 55 00 44 00 2E 00 73 00 75 00 6D }\r\n    $26 = { 66 6F 72 6D 2D 64 61 74 61 3B 20 6E 61 6D 65 3D 22 5F 67 61 22 3B 20 66 69 6C 65 6E 61 6D 65 3D }\r\n    $27 = { 40 5B 5E 5C 73 5D 2B 3F 5C 73 28 3F 50 3C 74 61 72 3E 2E 2A 3F 29 5C 73 27 }\r\ncondition:\r\n   ($0 and $1 and $2 and $3 and $4) or ($5 and $6 and $7 and $8 and $9) or ($10 and $11) or ($12 and $13) or ($14)\r\nor ($15 and $16 and $17 and $18) or ($19 and $20) or ($21 and $22 and $23) or ($24) or ($25 and $26) or ($27)\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n83014ab5b3... Connected_To 119.81.184.11\r\nDescription\r\nThis artifact is an ELF 64-bit file written in GO language. This file has been identified as a variant of the WellMail malware\r\nfamily. The program is capable of archiving files and sending and receiving files and messages. It is also capable of\r\nreceiving and executing shell scripts on target systems. The following is a list of the malware’s capabilities:\r\n—Begin Malware Capabilities—\r\nmain.zipit\r\nmain.buildFileName\r\nmain.getIP\r\nmain.setParameters\r\nmain.GetRandomBytes\r\nmain.transport\r\nmain.send\r\nmain.receieve\r\nmain.hello\r\nmain.scheduler\r\nmain.runscript\r\nmain.main\r\nmain.zipit.func1\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c\r\nPage 7 of 10\n\nmain.init\r\n—End Malware Capabilities—\r\nWhen the program is executed, it will attempt to contact its C2 at the IP address, 119.81.184.11 over TCP port 25.\r\nNote: TCP port 25 is commonly used for email (SMTP), however, the malware is only using the port for secure\r\ncommunications, because of the likelihood that the port will be open on the router.\r\nWhen the C2 is first contacted, the program collects the IP address of the victim machine and the current user and appends\r\nthis data with a unique 128-bit hash. The following is an example of the string format:\r\n—Begin String Format—\r\n200.200.200.251|user|ec30305f04f4552c452c3596c88a8f2f\r\n—End String Format—\r\nCommunication session are initiated with a hello packet with a payload formatted in the following manner:\r\n—Begin Hello Packet—\r\ncookie first = HgQdbx4qRNv/7c6750dc5f21bb24f2c5d1d734fc2eca\r\n—End Hello Packet—\r\nThe following key and certificates are used for secure communications with the C2:\r\n—Begin Key and Certificates—\r\n—Begin Certificate—\r\nMIIDHzCCAgegAwIBAgICBnowDQYJKoZIhvcNAQELBQAwNzELMAkGA1UEBhMCVVMx\r\nHDAaBgNVBAoTE0dNTyBHbG9iYWxTaWduLCBJbmMxCjAIBgNVBAMTASowHhcNMTgw\r\nNTExMjE1OTEzWhcNMjgxMjExMjI1OTEzWjArMQswCQYDVQQGEwJVUzEcMBoGA1UE\r\nChMTR01PIEdsb2JhbFNpZ24sIEluYzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC\r\nAQoCggEBANf06onDYhHc7h5msEdruHffSx78EyNhAR08MrF8Zvlyq6BtsRfxscJ6\r\ndcYxV18o5Nd5SXEu80wAz0+GBk+jN90mCz/54MtSMii4CnbCCxFd2Rs7ibMsnd/w\r\nOiZRyiWTpAQ0dc+Kp2YIT0icEIJQ5bXauqRPHKyYfcJcJNSPxkMswnfaYYOIyGqJ\r\nxGmBepBOyl8AVP7EizeaAL+4WoejHAW37hSeTJmmwpqojGeGEgTl5IU/QUNlTnDE\r\na8VlnJ6H3fCU6irCRp5RZeE87fHt10rOiIlqMg8DDz8RHytLGlaO3SCXXzoJvzD8\r\nzaHaD3nWnFkeKhYxg0LJUYM9rl7LkNkCAwEAAaNBMD8wDgYDVR0PAQH/BAQDAgeA\r\nMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAOBgNVHQ4EBwQFAQIDBAYw\r\nDQYJKoZIhvcNAQELBQADggEBANTxGwoIup6pfoABqlS8VOSz8qPDSAaTMZSawmyc\r\nf5MgN9IdI+9vtl391qSxPYE21fRM0qAW620YVIM1Io42fEx+Ncou+35T/dAmbcUG\r\nwmT2b5ipg079lBwR2MeV+2DgS/Es7ICfKyXN5Y3aRfZo3gN/MGJ+1HIjvLK9b7dl\r\nJ0HLvcViFuCHlikw+woGl9WZIAzu2Za6P87tf9kSlBhfpOGvHG5p/lnw+rRRvsoW\r\nN8HqZsAELwK9YqKohHoQ4K8VpoocmtnOpJ4bXIGwd0trM0ha6zKgcUWiHFOPTgdB\r\n9gheCTIR7uhsXkw/gsG/Qn4FO/bY13ptI/0lQe3FZEVivTU=\r\n—End Certificate—\r\n—Begin Certificate—\r\nMIIDLDCCAhSgAwIBAgICBnUwDQYJKoZIhvcNAQELBQAwNzELMAkGA1UEBhMCVVMx\r\nHDAaBgNVBAoTE0dNTyBHbG9iYWxTaWduLCBJbmMxCjAIBgNVBAMTASowHhcNMTgx\r\nMjAxMjI1ODAyWhcNMjgxMjExMjI1ODAyWjA3MQswCQYDVQQGEwJVUzEcMBoGA1UE\r\nChMTR01PIEdsb2JhbFNpZ24sIEluYzEKMAgGA1UEAxMBKjCCASIwDQYJKoZIhvcN\r\nAQEBBQADggEPADCCAQoCggEBAPEgxGDxc/86bPDopIUb79TW6IJct4xJ9oK+ebSV\r\nkEa2E0dIqg/nw3i+zbU0cQW+MMTVrSD9K9h6lkqhuXtXTyev+ewVNFJHTBpPY2rp\r\nzDE/oYwqp1zuFxjL5yvCJIMKrvBwvZkpzO4jxGGm4XllRMugzPGJ48HBDYkNJvyF\r\nmkABtgAfR+FF8ecQx5Hy250ELgHnvBL9YwD7sd+5/gSCgWMfTju1TazC1qS6xoFO\r\nXb9Dgp9ax8+UFVsL2lQkkt0O2GQ1rYvanc4ccsJmd4H0VtOm5C6VBQP8o1MVkOKA\r\nv4dop+Tu694Wbv6M55VrgAtz/XPjTvzrCewl0QLIwHmevm8CAwEAAaNCMEAwDgYD\r\nVR0PAQH/BAQDAgKEMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAPBgNV\r\nHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBLrN+wxjxk4YsqPQ7YUSWd\r\nVpSQHp2WN6m6R4hfsjPoGSy5U36xygHq7fVkqh+nrOQfGjTps/7rFRLGAIoSjTWH\r\nLisO1rEhpIduahWOdT4NxgeWBKUGCzwX2f7DcJ08uJwupGpzqxZh73LD+ox+6suL\r\nYZP5g00kM0yPfTcDSKLkdFcPCRGCxtCBB9oW+dSzDEaVCSY5RjEHsbRLn4GRYv+V\r\n96H9rbFHb80wofJvUYAdrFl6dRNty1QgCp1s9rZEFxdIzTQsuaVsi2zN/xARPP30\r\nS+I+9FfdRr0zJdks7eEXQNKBijzRQPVahfBwUEkjbapUOAQIX3xR2a50d88BZybm\r\n—End Certificate—\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c\r\nPage 8 of 10\n\n—Begin RSA Private Key—\r\nMIIEowIBAAKCAQEA1/TqicNiEdzuHmawR2u4d99LHvwTI2EBHTwysXxm+XKroG2x\r\nF/Gxwnp1xjFXXyjk13lJcS7zTADPT4YGT6M33SYLP/ngy1IyKLgKdsILEV3ZGzuJ\r\nsyyd3/A6JlHKJZOkBDR1z4qnZghPSJwQglDltdq6pE8crJh9wlwk1I/GQyzCd9ph\r\ng4jIaonEaYF6kE7KXwBU/sSLN5oAv7hah6McBbfuFJ5MmabCmqiMZ4YSBOXkhT9B\r\nQ2VOcMRrxWWcnofd8JTqKsJGnlFl4Tzt8e3XSs6IiWoyDwMPPxEfK0saVo7dIJdf\r\nOgm/MPzNodoPedacWR4qFjGDQslRgz2uXsuQ2QIDAQABAoIBAGwOSCyWbsOxYBQm\r\nHZ4e8DZKrDPcvVa+eug97r+QF5ZJIkcrm6j3bpJ44+U/WxBqTdbjATR44ZPt880+\r\nqnm+mX02Q/rG9QvHHQHy1ImHnjIaWz+dEtFsSbJ7aR0zX4pdzXutJCWsowYSslkK\r\nfdg20jmkMC92xko2IvbVVDhnmDSTjYJv3t8ErUgQqGTWnIluIsVJtUfdtZE62Wqj\r\nETW7N09mgFZ6DkAWwi6GqM6R0h5assf9an+IRjdEvh0yAdgdeeGYugyxg4QsQaBP\r\nz/8Nc+0MsljNOJ3l9mGvv5Le9lrkdQo4/LEinuq5EQCasDnhUAEa3ure8+iNwv7C\r\nBjGQqYECgYEA78II0db0DrMjKK+lqvTRaWgjlGMUyc93datTipiCR2LCulipv2OE\r\nQ7D9thg2dBvY+87mSoFFgJyhGl1nEtj23IsnJSfg8wrrOPGbHGROa3Hh7Yr/S1vk\r\ncodyakjfQ2+ShiiqEZHNfxyxV26A0dLFcKxI8e8HBI1oadJo5teh1MUCgYEA5pYc\r\nvvXv4Aa72tMJFF6Dd2vN3kL6aIrrMCp3tLKjUhYz+H0bjHH9QVqj+O5cihxppQ2o\r\nMuzyOuCbEDBYusgh4j0gHEetTOlGh0WO1H9XM25/ULFaNv3TckBI0neiyiWq9lyu\r\nW6Fe6XnYdFBca2VaaixHkqq2FvnQu6AN4urZVQUCgYEAhuX7pGV3SFYOcDPz2K6K\r\nrO4FJtZgufPbWP+er5qDorq0qbh9Ocw6fQO2nKAe81E/0t5kwILfoi9+jaED/5zH\r\nuOsqiUNY1CbOlmmKRn1Bij63SbotTi9T6ATBoX+C7yR1orp6hgwtPVndhj4MiQI4\r\nSN8G4+kDX9JYb0IN9+RXj6kCgYByhVlviiwBoraH/soCoNJAbH1JhxBg/aXDPURI\r\nrXQp37ceEdytyytR2xeXGaNCQMxDWl4QNNg1X7oDt09KLP2PJHafNQYgLbeGlYhT\r\nh48ijx2SURMSPsxWcRD53ssuBLk9NFiwT5wY7xgO5J6SBDt8gdNmR3y6OoZtuRdM\r\nfQFFlQKBgCQ6qBuKHdNdriG1t7yo6kXBTGvNxhpq+MczIcHIr1g6u9SC2nrrEE+n\r\nLF9EaHQT98PKqsO/8AFUkpwPpTftg6v4E2fKtU3WAvTOz3rydWvc00qSfTeBRQ2/\r\nypF1hXBXYRIil4qsX1xQRw2k+K+Mw+/I5CErVVNQ9aAvxNLwEKc7\r\n—End RSA Private Key—\r\n—End Key and Certificates—\r\nRelationship Summary\r\n0c5ad1e8fe... Connected_To 119.81.184.11\r\n119.81.184.11 Connected_From 83014ab5b3f63b0253cdab6d715f5988ac9014570fa4ab2b267c7cf9ba237d18\r\n119.81.184.11 Connected_From 0c5ad1e8fe43583e279201cdb1046aea742bae59685e6da24e963a41df987494\r\n83014ab5b3... Connected_To 119.81.184.11\r\nRecommendations\r\nCISA recommends that users and administrators consider using the following best practices to strengthen the security\r\nposture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators\r\nprior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c\r\nPage 9 of 10\n\nAdditional information on malware incident prevention and handling can be found in National Institute of Standards and\r\nTechnology (NIST) Special Publication 800-83, \"Guide to Malware Incident Prevention \u0026 Handling for Desktops and\r\nLaptops\".\r\nContact Information\r\nDocument FAQ\r\nWhat is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in\r\na timely manner. In most instances this report will provide initial indicators for computer and network defense. To request\r\nadditional analysis, please contact CISA and provide information regarding the level of desired analysis.\r\nWhat is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide\r\ninformation regarding the level of desired analysis.\r\nCan I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to\r\nthis document should be directed to the CISA at 1-844-Say-CISA or SayCISA@cisa.dhs.gov .\r\nCan I submit malware to CISA? Malware samples can be submitted via three methods:\r\nWeb: https://malware.us-cert.gov\r\nE-Mail: submit@malware.us-cert.gov\r\nFTP: ftp.malware.us-cert.gov (anonymous)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.\r\nRevisions\r\nJuly 16, 2020: Initial Version\r\nSource: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c\r\nPage 10 of 10", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA", "MITRE", "Malpedia" ], "references": [ "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c" ], "report_names": [ "ar20-198c" ], "threat_actors": [ { "id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e", "created_at": "2024-06-04T02:03:07.956135Z", "updated_at": "2026-04-10T02:00:03.689959Z", "deleted_at": null, "main_name": "IRON HEMLOCK", "aliases": [ "APT29 ", "ATK7 ", "Blue Kitsune ", "Cozy Bear ", "The Dukes", "UNC2452 ", "YTTRIUM " ], "source_name": "Secureworks:IRON HEMLOCK", "tools": [ "CosmicDuke", "CozyCar", "CozyDuke", "DiefenDuke", "FatDuke", "HAMMERTOSS", "LiteDuke", "MiniDuke", "OnionDuke", "PolyglotDuke", "RegDuke", "RegDuke Loader", "SeaDuke", "Sliver" ], "source_id": "Secureworks", "reports": null }, { "id": "a241a1ca-2bc9-450b-a07b-aae747ee2710", "created_at": "2024-06-19T02:03:08.150052Z", "updated_at": "2026-04-10T02:00:03.737173Z", "deleted_at": null, "main_name": "IRON RITUAL", "aliases": [ "APT29", "Blue Dev 5 ", "BlueBravo ", "Cloaked Ursa ", "CozyLarch ", "Dark Halo ", "Midnight Blizzard ", "NOBELIUM ", "StellarParticle ", "UNC2452 " ], "source_name": "Secureworks:IRON RITUAL", "tools": [ "Brute Ratel C4", "Cobalt Strike", "EnvyScout", "GoldFinder", "GoldMax", "NativeZone", "RAINDROP", "SUNBURST", "Sibot", "TEARDROP", "VaporRage" ], "source_id": "Secureworks", "reports": null }, { "id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb", "created_at": "2023-01-06T13:46:38.393409Z", "updated_at": "2026-04-10T02:00:02.955738Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "Cloaked Ursa", "TA421", "Blue Kitsune", "BlueBravo", "IRON HEMLOCK", "G0016", "Nobelium", "Group 100", "YTTRIUM", "Grizzly Steppe", "ATK7", "ITG11", "COZY BEAR", "The Dukes", "Minidionis", "UAC-0029", "SeaDuke" ], "source_name": "MISPGALAXY:APT29", "tools": [ "SNOWYAMBER", "HALFRIG", "QUARTERRIG" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a", "created_at": "2022-10-25T15:50:23.548494Z", "updated_at": "2026-04-10T02:00:05.292748Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "APT29", "IRON RITUAL", "IRON HEMLOCK", "NobleBaron", "Dark Halo", "NOBELIUM", "UNC2452", "YTTRIUM", "The Dukes", "Cozy Bear", "CozyDuke", "SolarStorm", "Blue Kitsune", "UNC3524", "Midnight Blizzard" ], "source_name": "MITRE:APT29", "tools": [ "PinchDuke", "ROADTools", "WellMail", "CozyCar", "Mimikatz", "Tasklist", "OnionDuke", "FatDuke", "POSHSPY", "EnvyScout", "SoreFang", "GeminiDuke", "reGeorg", "GoldMax", "FoggyWeb", "SDelete", "PolyglotDuke", "AADInternals", "MiniDuke", "SeaDuke", "Sibot", "RegDuke", "CloudDuke", "GoldFinder", "AdFind", "PsExec", "NativeZone", "Systeminfo", "ipconfig", "Impacket", "Cobalt Strike", "PowerDuke", "QUIETEXIT", "HAMMERTOSS", "BoomBox", "CosmicDuke", "WellMess", "VaporRage", "LiteDuke" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434158, "ts_updated_at": 1775792237, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/288da05e84bd9da96ab02b3b2a221842e9fb54e2.pdf", "text": "https://archive.orkl.eu/288da05e84bd9da96ab02b3b2a221842e9fb54e2.txt", "img": "https://archive.orkl.eu/288da05e84bd9da96ab02b3b2a221842e9fb54e2.jpg" } }