{
	"id": "3aecafac-f982-4ff8-97d5-31ec97847570",
	"created_at": "2026-04-06T00:15:47.027729Z",
	"updated_at": "2026-04-10T03:37:08.88539Z",
	"deleted_at": null,
	"sha1_hash": "4c4ea650086c5cc430dcdd72ccea07c175b2f423",
	"title": "Deep Analysis Agent Tesla Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1021039,
	"plain_text": "Deep Analysis Agent Tesla Malware\r\nBy Gameel Ali\r\nPublished: 2022-01-21 · Archived: 2026-04-05 15:26:18 UTC\r\nAgent Tesla\r\nAgent Tesla is a keylogger and information stealer. Security researchers first saw it in late 2014; it has been sold in various forms on various marketplaces and is run through agentTesla.com. Its features include keylogging, clipboard logging, screen capture and extraction of passwords stored by many browsers; it supports every version of Windows and is written in .NET.\r\nInfection cycle\r\nAgent Tesla infects the victim's machine in stages. The most common initial vector is an email attachment: social engineering persuades the user to enable the macro embedded in the attachment, the macro contacts the C2 and downloads the .NET payload, and that payload is usually packed and obfuscated to evade anti-virus and other security products.\r\nFigure(1): How the Malware Infects the Machine.\r\nStage 1\r\nhttps://malgamy.github.io/malware-analysis/Deep-Analysis-Agent-Tesla/\r\nPage 1 of 20\n\nArtifacts\r\nNo. Description Info\r\n1 MD5 Hash af98b88c0b5dc353fbe536bd6fb8c4ec\r\n2 SHA1 Hash 91dcc7418323004579a58f6fa3ea4f969127cde6\r\n3 File Size 200 KB\r\n4 VirusTotal Detection 55/70\r\nIdentify packed\r\nBasic static analysis shows that the first stage is packed: the entropy reported by the Detect It Easy tool is shown in the next figure.\r\nFigure(2): Identify Packed Malware.\r\nUnpacking\r\nTo speed up unpacking I use the UNPACME service on the first stage. UNPACME only extracts the packed or encrypted Windows Portable Executable (PE) files embedded in the submission.\r\nStage 2\r\nArtifacts\r\nNo. Description Info\r\n1 MD5 Hash ee1aa7d0c4291a2bc16599b15d8664dc\r\n2 SHA1 Hash 5862a0b6f72530d3ece74e4252d10c95f51e1915\r\n3 File Size 216 KB\r\n4 VirusTotal Detection No Match\r\nThe malware hides its configuration: a single obfuscation function is called in many places in the code to conceal its strings.\r\nFigure(3): Obfuscation Function.\r\nA decryption function then decrypts the many strings the malware uses as its configuration, so nothing about the sample is visible until it runs.\r\nFigure(4): Encrypted Array With Decryption Algorithm.\r\nWe can extract the configuration with a Python script that reproduces the decryption of the large array (the byte array is truncated in the post; the script keeps the bytes that are shown):\nencrypted = b'\\x98\\x9b\\x99\\xd0\\xd7\\xd6\\xd5\\x80\\xef\\xee\\x8d\\xc5\\xc2\\x87\\xec\\xed\\x80\\xd6\\xd5\\x83\\xcd\\xcc\\xc5\\xc4'  # array truncated here in the original post\narray = bytearray(encrypted)\nbytearray1 = bytearray(len(array))  # output buffer, not declared in the original listing\nfor counter, i in enumerate(array):\n    # every byte is XORed with its own index and the constant 170 (0xAA)\n    bytearray1[counter] = (i ^ counter ^ 170) \u0026 0xff\nprint(bytearray1.decode('latin-1'))\nThe script prints the decrypted configuration strings (shown truncated in the post; the first entries are .NET date-format strings, followed by CNG (BCrypt) property names such as ChainingModeGCM and AuthTagLength):\n201yyyy-MM-dd HH:mm:ssyyyy_MM_dd_HH_mm_ss\n---\nObjectLengthChainingModeGCMAuthTagLengthChainingModeKeyDataBlo
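Added example, not code from Gameel Ali's post: the same XOR scheme packaged as reusable functions, with the one-byte constant recovered from a known plaintext fragment instead of being assumed to be 170. The crib is the .NET date-format string yyyy-MM-dd that the decrypted output above contains; the input is the first 24 bytes of the encrypted array as shown on the page (the full array is not reproduced there), and the crib choice is this editor's assumption.

```python
from typing import List

# Constructed input: the first 24 bytes of the encrypted array from the post,
# as hex. The rest of the array is not reproduced on the page.
SAMPLE_HEX = '989b99d0d7d6d580efee8dc5c287eced80d6d583cdccc5c4'


def xor_decrypt(data: bytes, key: int) -> bytes:
    # The scheme the post simulates: byte XOR its index XOR a one-byte constant.
    return bytes((b ^ i ^ key) & 0xff for i, b in enumerate(data))


def recover_keys(data: bytes, crib: bytes) -> List[int]:
    # Try every one-byte constant and keep those whose output contains the crib.
    # A .NET date-format string is a good crib because the configuration
    # carries timestamp format strings (two are visible in the output above).
    return [k for k in range(256) if crib in xor_decrypt(data, k)]


def decrypt_config(hex_blob: str, crib: bytes = b'yyyy-MM-dd') -> str:
    # Recover the constant from the crib, then decrypt the whole blob.
    data = bytes.fromhex(hex_blob)
    keys = recover_keys(data, crib)
    if len(keys) != 1:
        raise ValueError('expected exactly one candidate key, got %r' % keys)
    return xor_decrypt(data, keys[0]).decode('latin-1')


if __name__ == '__main__':
    print(recover_keys(bytes.fromhex(SAMPLE_HEX), b'yyyy-MM-dd'))
    print(decrypt_config(SAMPLE_HEX))
```

The second print is the decoded prefix 201yyyy-MM-dd HH:mm:ssyy. For a dump of the complete array the same call applies unchanged, and a crib that does not match, or a key that is not constant across the array, shows up as an empty or multi-element candidate list rather than as a silently wrong string.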
Deobfuscation\r\nI deobfuscate the sample with the de4dot tool so that it replaces the string-decryption calls with the plain strings. de4dot needs the metadata tokens of the decrypter methods, and those run from the token of the first decryption function to the token of the last one.\r\nFigure(5): First Token and Last Token.\r\nA short Python script prints one --strtok argument per token in that range, ready to paste into the de4dot command line:\r\ntokens = \"\"\r\nfor i in range(0x0600022E, 0x06000543 + 1):  # inclusive: 0x06000543 is the last decrypter\r\n    tokens += \" --strtok \" + hex(i)\r\ntokens2 = tokens.replace(\"0x\", \"\")  # de4dot takes bare hex tokens\r\nprint(tokens2)\r\nRunning de4dot with the generated arguments (the command continues with one --strtok per token) yields the final stage:\r\nde4dot.exe last_payload --strtype delegate --strtok 600022e --strtok 600022f --strtok 6000230 --strtok 6000231 ...\r\nFinal Stage\r\nArtifacts\r\nNo. Description Info\r\n1 MD5 Hash fbc921fbb1639073c30bbb19e68248fc\r\n2 SHA1 Hash 56e6b58a1d42459be3d0f46fe932c1ca12564d21\r\n3 File Size 183 KB\r\n4 VirusTotal Detection No Match\r\nDetermine the functionality of malware\r\nAgent Tesla reads a set of global variables to decide which features are enabled; their values come from the decrypted configuration, as the next figure shows.\r\nFigure(6): Set Global Variables.\r\nPersistence\r\nAgent Tesla achieves persistence by registering itself under the Software\\Microsoft\\Windows\\CurrentVersion\\Run key and the matching SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run key (both are listed again in the Summary); the next figure shows the result.\r\nFigure(7): Persistence.
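An added triage check (this editor's example code, not from the post) for the two keys the post names: the Run value itself and the StartupApproved\\Run value that Explorer consults to decide whether a Run entry is still enabled, which is why a stealer writes both. The sample registry contents below are constructed, including the WinUpdate entry name; the 12-byte StartupApproved layout (4-byte state, 2 = enabled and 3 = disabled, then a FILETIME) is the informally documented Explorer format and is treated here as an assumption rather than something the post states.

```python
import struct
from typing import Dict, List, Tuple

RUN_KEY = 'Software\\Microsoft\\Windows\\CurrentVersion\\Run'
APPROVED_KEY = 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run'

# Lower-case substrings that place an autorun image in a user-writable
# location. The list is this example's heuristic, not something the post states.
USER_WRITABLE_MARKERS = ('appdata', 'temp', 'users\\public', 'programdata')

# Constructed sample of HKCU Run values: value name -> command line.
SAMPLE_RUN_VALUES = {
    'OneDrive': '%LOCALAPPDATA%\\Microsoft\\OneDrive\\OneDrive.exe /background',
    'SecurityHealth': '%windir%\\system32\\SecurityHealthSystray.exe',
    'WinUpdate': '%APPDATA%\\WinUpdate\\WinUpdate.exe',
}

# Constructed sample of the matching StartupApproved\Run binary values.
SAMPLE_APPROVED = {
    'OneDrive': bytes.fromhex('03000000' + '80d09c2d3c1cd801'),   # disabled by the user
    'WinUpdate': bytes.fromhex('02000000' + '0000000000000000'),  # enabled
}


def is_user_writable(command: str) -> bool:
    lowered = command.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def startup_approved_enabled(blob: bytes) -> bool:
    # Assumed layout: 4-byte state (2 = enabled, 3 = disabled) followed by an
    # 8-byte FILETIME of the last change. No value at all means Explorer never
    # disabled the entry, so it runs.
    if len(blob) < 4:
        return True
    state = struct.unpack('<I', blob[:4])[0]
    return state != 3


def flagged_autoruns(run_values: Dict[str, str], approved: Dict[str, bytes]) -> List[str]:
    # Run entries that point into a user-writable path and are still enabled,
    # i.e. the ones that will actually execute at the next logon.
    return sorted(name for name, cmd in run_values.items()
                  if is_user_writable(cmd) and startup_approved_enabled(approved.get(name, b'')))


def read_live_hkcu() -> Tuple[Dict[str, str], Dict[str, bytes]]:
    # Windows only: pull both keys from HKCU so the same triage runs on a live host.
    import winreg

    def dump(path: str) -> Dict:
        out = {}
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break
                out[name] = data
                index += 1
        return out

    return dump(RUN_KEY), dump(APPROVED_KEY)


if __name__ == '__main__':
    print(flagged_autoruns(SAMPLE_RUN_VALUES, SAMPLE_APPROVED))
```

On the constructed data only WinUpdate is reported: OneDrive also lives under AppData but the user has disabled it in Task Manager, so its StartupApproved state is 3, and SecurityHealth runs from system32. The heuristic is deliberately coarse; it exists to rank entries for a human, not to replace a hash or signature check.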
Browser Stealing Activities\r\nThe malware walks a long list of web browsers and checks whether each one is installed on the victim's machine; for every browser it locates it steals the stored credentials and sends them to the attacker, as the next figure shows.\r\nFigure(8): Search For Web Browsers.\r\nList Of Browsers\r\nBrowsers\r\nCocCoc\r\nPale Moon\r\nFirefox\r\nWeb-browser\r\nFlock\r\nLieabao\r\nIridium\r\nChromePlus\r\nChromium\r\nOrbitum\r\nCoowon\r\n360Chrome\r\nSputnik\r\nAmigo\r\nOpera\r\n7Star\r\nTorch\r\nYandex\r\nSleipnir5\r\nVivaldi\r\nUran\r\nCentbrowser\r\nChedot\r\nBrave-browser\r\nElements\r\nWeb browser\r\nBlackHawk\r\nSeaMonkey\r\nCyberFox\r\nQQBrowser\r\nIceCat\r\nWaterfox\r\nWeb-bowser\r\nK-Meleon\r\nChrome\r\nIceDragon\r\nFalkon\r\nUCBrowser\r\nEdge\r\nCitrio\r\nEpic privacy browser\r\nKometa\r\nSafari\r\nQIP Surf\r\nEmail Stealing Activities\r\nThe malware searches the victim's machine for a number of email clients; for each one it finds it steals the stored credentials and sends them to the attacker, as the next figure shows.\r\nFigure(9): Search For Emails.\r\nFTP Utility Stealing Activities\r\nThe malware searches for FTP utilities; when it finds one it collects the saved login credentials and any further information specific to that application, as the figure shows.\r\nFigure(10): Search For FTP Utilities.\r\nVPN Stealing Activities\r\nThe malware searches for VPN clients on the victim's machine and steals their credentials; with them the attacker can reach the victim's remote servers and bring in further tools, as the next figure shows.\r\nFigure(11): Search For VPN Activities.\r\n
Windows credentials\r\nThe malware searches the victim's machine for stored Windows credentials and sends any it finds to the attacker, as the next figure shows.\r\nFigure(12): Search For Windows Credentials Activities.\r\nVNC programs credentials\r\nThe malware searches for VNC programs on the victim's machine and steals their credentials, as the next figure shows.\r\nFigure(13): Search For VNC Activities.\r\nExfiltration\r\nEverything collected above is packaged and sent to the attacker over one of the channels described in the next section; the figure shows the exfiltration routine.\r\nFigure(14): Exfiltration.\r\nCommunications\r\nThe malware can communicate with the attacker over HTTP, FTP or SMTP and can also use Telegram; which channel is used depends on the configuration, and the following subsections show each one.\r\nHTTP\r\nStolen data is sent to the C2 over HTTP, as the next figure shows.\r\nFigure(15): HTTP Communication.\r\nFTP\r\nThe malware can upload the stolen data to an FTP server controlled by the attacker, as the next figure shows.\r\nFigure(16): FTP Communication.\r\nSMTP\r\nThe malware uses a compromised email account to send the stolen data to a mail server managed by the attacker, as the next figure shows.\r\nFigure(17): SMTP Communication.\r\nTelegram\r\nThe exfiltrated data is posted to a private Telegram chat.\r\n
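An added detection example (this editor's code, not the post's) that ties the channels above to the external-IP lookup described under Fingerprinting further down: Agent Tesla asks api.ipify.org for the public IP and then delivers its data over SMTP, FTP or Telegram, so the same host doing both within a few minutes is worth an alert. The log format, hosts, addresses, the corporate relay allowlist and the Telegram Bot API path check (/bot followed by the token) are all constructed assumptions of this example.

```python
from datetime import datetime
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# External-IP service the post documents (Figure 20) and the Telegram Bot API
# host. The corporate relay allowlist is an assumption of this example.
FINGERPRINT_HOSTS = {'api.ipify.org'}
TELEGRAM_BOT_API = 'api.telegram.org'
CORP_RELAYS = {'mail.corp.example'}

# Constructed log lines: '<utc time> <src> <proto> <dst[:port]> [<method> <url>]'
SAMPLE_LOG = [
    '2022-01-21T10:00:01Z 10.0.0.5 http 104.16.0.1:443 GET https://api.ipify.org/',
    '2022-01-21T10:00:04Z 10.0.0.5 smtp 203.0.113.10:587',
    '2022-01-21T10:00:09Z 10.0.0.7 http 104.16.0.1:443 GET https://api.ipify.org/',
    '2022-01-21T10:00:20Z 10.0.0.7 smtp mail.corp.example:25',
    '2022-01-21T10:30:00Z 10.0.0.7 ftp 198.51.100.20:21',
    '2022-01-21T10:02:00Z 10.0.0.9 http 149.154.0.1:443 POST https://api.telegram.org/bot123456:AAEXAMPLE/sendDocument',
]


def parse_line(line: str) -> Tuple[datetime, str, str, str, str, str]:
    parts = line.split()
    ts = datetime.strptime(parts[0], '%Y-%m-%dT%H:%M:%SZ')
    method = parts[4] if len(parts) > 4 else ''
    url = parts[5] if len(parts) > 5 else ''
    return ts, parts[1], parts[2], parts[3], method, url


def classify(proto: str, dst: str, method: str, url: str) -> str:
    # 'fingerprint' for the ipify lookup, the channel name for an exfil
    # candidate, '' for everything else.
    if proto == 'http':
        parsed = urlparse(url)
        host = parsed.hostname or ''
        if host in FINGERPRINT_HOSTS:
            return 'fingerprint'
        if host == TELEGRAM_BOT_API and method == 'POST' and parsed.path.startswith('/bot'):
            return 'telegram'
        return ''
    if proto in ('smtp', 'ftp') and dst.rsplit(':', 1)[0] not in CORP_RELAYS:
        return proto
    return ''


def detect_exfil(lines: List[str], window_seconds: int = 300) -> List[Tuple[str, str]]:
    # Per source host, remember the last ipify lookup; an exfil channel used
    # within the window afterwards is reported. A Telegram Bot API upload is
    # reported on its own because a workstation has no business doing it.
    events = sorted(parse_line(line) for line in lines)
    last_lookup: Dict[str, datetime] = {}
    findings: List[Tuple[str, str]] = []
    for ts, src, proto, dst, method, url in events:
        kind = classify(proto, dst, method, url)
        if kind == 'fingerprint':
            last_lookup[src] = ts
        elif kind == 'telegram':
            findings.append((src, 'telegram bot upload'))
        elif kind:
            seen = last_lookup.get(src)
            if seen is not None and (ts - seen).total_seconds() <= window_seconds:
                gap = int((ts - seen).total_seconds())
                findings.append((src, 'ipify lookup then %s after %ds' % (kind, gap)))
    return findings


if __name__ == '__main__':
    for src, reason in detect_exfil(SAMPLE_LOG):
        print(src, reason)
```

With the default five-minute window the sample yields two findings: 10.0.0.5 mails out three seconds after its ipify lookup, and 10.0.0.9 posts a document to a Telegram bot. 10.0.0.7 is not reported because its SMTP goes to the corporate relay and its FTP session comes half an hour after the lookup; widening the window to an hour surfaces that FTP session too, which is the trade-off the window parameter exists to tune.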
Downloading and running files\r\nThe malware can download and run files from [hxxp://CsQCyR.com], as the next figure shows.\r\nFigure(18): Downloading and running files.\r\nFingerprinting\r\nThe malware gathers the following information about the infected machine.\r\nComputer Name, User Name\r\nThe malware collects the ComputerName and UserName, as the next figure shows.\r\nFigure(19): Get ComputerName And UserName.\r\nExternal IPs\r\nThe malware makes an HTTP request to hxxps://api.ipify.org to learn the machine's external IP, as the next figure shows.\r\nFigure(20): Get External IPs.\r\nMemory\r\nThe malware collects information about the installed memory, as the next figure shows.\r\nFigure(21): Collect Information For Memory.\r\nProcessor\r\nThe malware collects information about the processor, as the next figure shows.\r\nFigure(22): Collect Information For Processor.\r\nUninstall\r\nThe malware can uninstall itself, as the next figure shows.\r\nFigure(23): Malware Able to Uninstall itself.\r\nCookies For Browsers\r\nThe malware collects cookies from the browsers listed above and sends them to the C2, as the next figure shows.\r\nFigure(24): cookies For Browsers.\r\nCookies For SQLite\r\nCookies that browsers keep in SQLite databases are read and sent to the attacker over the C2 channel, as the next figure shows.\r\nFigure(25): Cookies For SQLite.\r\n
Cookies For FTP Application\r\nThe malware collects the user names and passwords saved by any FTP application it finds, as the next figure shows.\r\nFigure(26): Cookies For FTP Application.\r\nSearch UserName, Password for Browser\r\nThe malware collects the user names and passwords the browsers have saved, as the next figure shows.\r\nFigure(27): Collect UserNames, Passwords For Browsers.\r\nScreenshots\r\nThe malware captures screenshots of the infected machine and sends them to the C2.\r\nFigure(28): Malware Takes Screenshots.\r\nKeystrokes\r\nKeystrokes are recorded and sent to the C2 server, as the next figure shows.\r\nFigure(29): Keystrokes.\r\nClipboard\r\nThe malware adds its own window to the chain of clipboard viewers (the Win32 SetClipboardViewer call), so it is notified of every clipboard change and harvests the clipboard contents, as the next figure shows.\r\nFigure(30): clipboard.\r\n
TOR\r\nThe malware can route its communication through the Tor client; Tor is free, open-source software that anonymises traffic by passing it through a volunteer overlay network of relays.\r\nFigure(31): TOR.\r\nDeleting ADS (Zone identifier)\r\nThe malware can delete the Zone.Identifier alternate data stream, the mark-of-the-web that Windows attaches to downloaded files, so the dropped file no longer carries the download warning, as the next figure shows.\r\nFigure(32): Deleting ADS (Zone identifier).\r\nSummary\r\nStealing\r\nFTP services credentials\r\nMore than 40 web browsers (see the list above: logins/passwords, cookies)\r\nWindows credentials\r\nMail clients credentials\r\nVPN clients credentials\r\nChat clients credentials\r\nVNC programs credentials\r\nCapabilities\r\nPersistence: \"Software\\Microsoft\\Windows\\CurrentVersion\\Run\"\r\n\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\"\r\nUsing \"hxxps://api.ipify.org\" to get the external IP\r\nDownloading and running files from hxxp://CsQCyR.com\r\nPC name, processor, RAM, others…\r\nUninstalling itself\r\nDeleting ADS (Zone identifier)\r\nTaking screenshots\r\nKeylogging\r\nSocket communication\r\nWeb communication\r\nClipboard data\r\nTor browser client\r\nReferences\r\nhttps://www.youtube.com/watch?v=BM38OshcozE\u0026t=2177s\r\nhttps://blogs.blackberry.com/en/2021/06/threat-thursday-agent-tesla-infostealer-malware\r\nSource: https://malgamy.github.io/malware-analysis/Deep-Analysis-Agent-Tesla/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://malgamy.github.io/malware-analysis/Deep-Analysis-Agent-Tesla/"
	],
	"report_names": [
		"Deep-Analysis-Agent-Tesla"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434547,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4c4ea650086c5cc430dcdd72ccea07c175b2f423.pdf",
		"text": "https://archive.orkl.eu/4c4ea650086c5cc430dcdd72ccea07c175b2f423.txt",
		"img": "https://archive.orkl.eu/4c4ea650086c5cc430dcdd72ccea07c175b2f423.jpg"
	}
}