{
	"id": "85ed5859-5a98-4beb-9c28-32cdb6910ae7",
	"created_at": "2026-04-06T00:07:30.052452Z",
	"updated_at": "2026-04-10T03:21:58.179473Z",
	"deleted_at": null,
	"sha1_hash": "5e80db3ce19a360622fd2ac87f1e8a72e29dc47a",
	"title": "LOLSnif Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2839238,
	"plain_text": "LOLSnif Malware\r\nBy Vishal Thakur\r\nPublished: 2021-07-13 · Archived: 2026-04-05 23:10:52 UTC\r\nJul 28, 2020\r\nA boringly deep analysis of a very complex VBS malware dropper\r\nIf you want to support me, follow me on Patreon: https://www.patreon.com/malienist\r\n[Image: a code snippet of the script]\r\nLOLSnif is a new(ish) variant of the common trojan Ursnif.\r\nHere, we take a look at the very complex and heavily encoded/obfuscated script that drops the malicious DLL on the victim machine.\r\nApologies if it gets a bit boring, I’ve crammed in too much stuff here. Feel free to skip sections that are of\r\nIt all starts the usual way: a phishing email brings in a link that serves the initial script. The script itself carries the malware, which is dropped on the victim machine on successful execution.\r\nThis script has a lot of anti-analysis and anti-sandbox features that are clever and heavily encoded, which makes them well hidden.\r\nLet’s take a step-by-step look at this malware.\r\nThere are more than 500 lines of code in the script and most of those lines have thousands of characters in them. This is a very long script, based on those numbers alone.\r\nhttps://medium.com/@vishal_thakur/lolsnif-malware-e6cb2e731e63\r\nPage 1 of 9\r\nA lot of that is garbage, as is common with scripting malware. What makes this one more complex than your average malware is the lengths the author(s) have gone to in order to hide the code and make it hard to analyse.\r\nFor the purpose of this analysis (as with most of my work), we will analyse it dynamically and we’ll be clever in our approach. We will disable the anti-analysis features one by one and then make the malware execute the way we want. 
We will then record all the relevant actions and examine the results to form a complete analysis for incident response.\r\nAnti-Sandbox features\r\nThis malware has a few tricks that allow it to determine if it’s being executed in a sandbox. These are highly effective tricks and I can confirm that it evades analysis by major sandboxing solutions available in the market.\r\nCores\r\n[Image: the cores check function]\r\nLet’s take a look at the function above.\r\nThe malware connects to WMI on the local machine through the cimv2 namespace. WMI is structured in classes, and this connection is used to run queries against them.\r\nNext, it uses a select statement to retrieve every instance of the Win32_Processor class (think of it as a table) and then reads the ‘NumberOfCores’ property of each one (luck is the loop variable that walks those instances; the Next below closes that loop).\r\nThe malware is trying to query the number of cores on the victim machine. Once it has that number, it runs it against an If statement:\r\nIf luck.NumberOfCores \u003c (95 + (-((10 + 138.0) - (81 + (-25.0))))) Then\r\nonomatopoeia = True\r\nEnd If\r\nNext\r\nIf onomatopoeia Then\r\nDCZwCUL\r\nEnd If\r\nIn the code snippet above, (95 + (-((10 + 138.0) - (81 + (-25.0))))) evaluates to 3: 10 + 138 = 148, 81 - 25 = 56, 148 - 56 = 92 and 95 - 92 = 3. Every threshold in the script is hidden behind arithmetic like this, so the number you are looking for never appears as a literal.\r\nSo if the number of cores is less than 3, the condition is True. If true, the program runs the function ‘DCZwCUL’, which (we’ll see later) exits the program. It gives you a fake message about a missing ‘MSVCR102.dll’, which in reality doesn’t exist (try googling it).\r\nTip: Increase the number of cores of your VM to 4 or more and you'll bypass this feature.\r\nMemory\r\n[Image: the memory check function]\r\nIn this function, the malware tries to query the physical memory of the victim machine. 
It again uses WMI for this purpose.\r\nThis time it queries the ‘Win32_ComputerSystem’ class, whose TotalPhysicalMemory property reports the installed RAM in bytes.\r\nIf the physical memory is less than 1030 MB, it terminates execution.\r\nTip: increase the memory of your VM to more than 1030 MB and you'll successfully bypass this feature.\r\nCommon Analysis Tools\r\nPersonally, I like this list of common tools these malware authors use for anti-analysis techniques. I get to see a few new ones every now and then and I add them to my arsenal :)\r\n[Image: the array of analysis tool names checked by the script]\r\nAs you can see, the list above is quite comprehensive. Basically, the malware checks if you’ve got any of these tools running on your analysis machine and, if it finds any of the ones listed in the function’s array, it terminates execution.\r\nThis function works flawlessly. I tested it by running a couple of these tools on the machine (procmon, procexp) and it identified those and terminated the program.\r\nTip: You can have these tools on your analysis machine, just make sure they are not running at the time of analysis.\r\nLogical Volume Size\r\n[Image: the logical volume size check]\r\nAnother trick the malware uses is the size of the logical volumes on your analysis machine. In the above code snippet, you can see that the malware terminates execution if the size is less than 60 GB. Most VMs are smaller than that (especially in commercial cloud-based sandboxes).\r\nTip: If you can have a VM with a logical volume size of more than 60 GB, you'll be able to bypass this feature.\r\nNumber of files in certain folders\r\n[Image: the file count check]\r\nThis is another neat trick by the authors. 
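Every threshold in these checks is spelled out as arithmetic, and the expressions quoted in the Cores section above and in the folder-count section that follows are the ones to decode. The Python below is an added example, not code from this post or from the dropper: it resolves those expressions with a parser that accepts only numeric literals, parentheses, unary minus and the four basic operators (so nothing from the script is ever executed, and the em dash that the rendered post substitutes for a minus is mapped back first), then reports which of the dropper's gates a given machine would trip. The two tool names and the substring match on process names are assumptions, since the post only shows procmon and procexp from the array; the two machine profiles at the bottom are constructed; local_profile() measures what the standard library can see on the machine it runs on and takes RAM and the process list as arguments.

```python
import ast
import operator
import os
import shutil
import tempfile

# Thresholds exactly as the dropper spells them, copied from the article.
# The second one keeps the em dash that Medium substituted for a minus,
# which is what you get when pasting from the rendered post.
OBFUSCATED = {
    'min_cores': '(95 + (-((10 + 138.0) - (81 + (-25.0)))))',
    'min_temp_files': '(622 — ((10 + (39 + 2901.0)) — 2331.0))',
    'min_download_files': '(397 - ((88 + (-25.0)) + (81 + 250.0)))',
    'special_folder': '(((16 + (-11.0)) + (-((81 + (-49.0)) + (-29.0)))))',
}
SPECIAL_FOLDERS = {0: 'WindowsFolder', 1: 'SystemFolder', 2: 'TemporaryFolder'}
MIN_RAM_MB = 1030      # given in plain numbers by the article
MIN_VOLUME_GB = 60
# Only two names of the tool array are visible in the post; assumption:
# the script matches them as substrings of running process names.
ANALYSIS_TOOLS = ('procmon', 'procexp')

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}


def normalise_expr(text):
    '''Map the em dash and en dash that rendering introduces back to minus.'''
    return text.replace(chr(0x2014), '-').replace(chr(0x2013), '-').strip()


def vbs_const(text):
    '''Evaluate an arithmetic-only VBScript expression without running it.
    Names, calls, attributes or any operator outside + - * / raise
    ValueError, so a hostile expression cannot smuggle code through here.'''
    tree = ast.parse(normalise_expr(text), mode='eval')

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if (isinstance(node, ast.Constant) and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return node.value
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError('unsupported syntax: ' + type(node).__name__)

    return walk(tree)


def decode_thresholds():
    '''Resolve every obfuscated constant to its numeric value.'''
    return {name: vbs_const(expr) for name, expr in OBFUSCATED.items()}


def gates_tripped(profile, thresholds):
    '''Names of the dropper checks that would abort execution on a machine
    described by profile, in the order the article presents them.'''
    tripped = []
    if profile['cores'] < thresholds['min_cores']:
        tripped.append('cores')
    if profile['ram_mb'] < MIN_RAM_MB:
        tripped.append('memory')
    names = [p.lower() for p in profile['processes']]
    if any(tool in name for name in names for tool in ANALYSIS_TOOLS):
        tripped.append('analysis_tools')
    if profile['volume_gb'] < MIN_VOLUME_GB:
        tripped.append('volume')
    if profile['temp_files'] < thresholds['min_temp_files']:
        tripped.append('temp_files')
    if profile['download_files'] < thresholds['min_download_files']:
        tripped.append('download_files')
    return tripped


def count_files(folder):
    '''Files only, like FileSystemObject .Files.Count (subfolders ignored).'''
    if not os.path.isdir(folder):
        return 0
    return sum(1 for entry in os.scandir(folder) if entry.is_file())


def local_profile(ram_mb, processes):
    '''Profile of the machine this runs on. RAM and the process list are
    passed in: the standard library has no portable way to read them, and
    on Windows both come from WMI, which is what the dropper itself queries.'''
    downloads = os.path.join(os.path.expanduser('~'), 'Downloads')
    return {'cores': os.cpu_count() or 1,
            'ram_mb': ram_mb,
            'volume_gb': shutil.disk_usage(os.path.abspath(os.sep)).total // (1024 ** 3),
            'temp_files': count_files(tempfile.gettempdir()),
            'download_files': count_files(downloads),
            'processes': processes}


# Constructed profiles: a default cloud sandbox and a VM tuned per the tips.
SANDBOX_PROFILE = {'cores': 2, 'ram_mb': 1024, 'volume_gb': 40, 'temp_files': 0,
                   'download_files': 0, 'processes': ['explorer.exe', 'Procmon.exe']}
ANALYSIS_VM_PROFILE = {'cores': 4, 'ram_mb': 4096, 'volume_gb': 80, 'temp_files': 12,
                       'download_files': 5, 'processes': ['explorer.exe']}
```

Feed local_profile() with the RAM figure and a process listing from the candidate VM into gates_tripped(); every name it returns maps onto one of the tips in this post (cores, memory, analysis_tools, volume, temp_files, download_files), and the decoded special_folder value of 2 is TemporaryFolder, which is why the first folder check lands in the user's temp directory.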
The malware checks a couple of directories to see how many files are in them, to make sure it’s not running on an analysis machine.\r\nThe two directories it checks are:\r\n\\temp\\\r\n\\Downloads\\\r\nHere’s how it works:\r\nThe function declares two variables, to be used for comparison purposes later in the function.\r\nPsRTozXY = (622 - ((10 + (39 + 2901.0)) - 2331.0))\r\n(622 - ((10 + (39 + 2901.0)) - 2331.0)) = 3\r\nPsRTozXY = 3\r\nPsRTozXY_download = (397 - ((88 + (-25.0)) + (81 + 250.0)))\r\n(397 - ((88 + (-25.0)) + (81 + 250.0))) = 3\r\nPsRTozXY_download = 3\r\nIf CreateObject(\"Scripting.FileSystemObject\").GetFolder(ibrdYdE).Files.Count \u003c PsRTozXY Then\r\nDCZwCUL\r\nEnd If\r\nibrdYdE refers to another function in the program:\r\nFunction ibrdYdE()\r\nibrdYdE = CStr(WScript.CreateObject(\"Scripting.FileSystemObject\").GetSpecialFolder(((16 + (-11.0)) + (-((81 + (-49.0)) + (-29.0))))) + \"\\\")\r\nEnd Function\r\nThe argument to GetSpecialFolder, (((16 + (-11.0)) + (-((81 + (-49.0)) + (-29.0))))), evaluates to 2, which is the TemporaryFolder constant, so ibrdYdE returns the path of the user’s temp folder with a trailing backslash.\r\nSo, if there are fewer than 3 files in the temp folder, terminate execution.\r\nThe second folder is the \\Downloads\\ folder, which is easier to see in the code itself:\r\nsallow = fkvQdFqe.ExpandEnvironmentStrings(\"%USERPROFILE%\") + \"\\Downloads\\\"\r\nAgain, if there are fewer than 3 files in the Downloads folder, terminate execution.\r\nTip: Just put some random files in the Downloads folder, the malware just checks the number of files not the t\r\nSo, as you can see, there are quite a few anti-analysis and anti-sandbox features in this malware, and all well written.\r\nTerminate Function\r\nNow that we’ve had a look at all the anti-analysis functions in the malware, let’s quickly take a look at the 
function that is used to terminate execution of the malware.\r\n[Image: the terminate function]\r\nFrom the code above, you can see that once the function is called, it calls three other functions and then terminates the program using ‘WScript.Quit’.\r\nThe first function it calls is Crete():\r\nThis function doesn’t lead to anything; no requests are made.\r\nThe second function is kZDlOhis():\r\n[Image: the kZDlOhis function]\r\nThis function deletes the malware from the temp folder.\r\nThe last function is frank():\r\nThis function displays a misleading message about a missing DLL that doesn’t actually exist; it’s a made-up file.\r\n[Image: the fake missing DLL message]\r\nAfter this, the program terminates.\r\nExecution after bypassing the anti-analysis checks\r\nNow that we know how to bypass the anti-analysis checks, let’s take a look at how the malware actually executes.\r\nThis function does most of the work for the malware:\r\n[Image: the function that writes the payload to disk]\r\nWhat’s happening in this function is this:\r\n1. Create the object ‘ADODB.Stream’, which in this case is used to write the binary data (the actual malware DLL) to the disk.\r\n2. Define the Charset of the data to be written.\r\n3. Read through all the arrays supplied in the script with the binary data.\r\n4. Write all that data to the file “planetariam.zip” using the ‘SaveToFile’ method.\r\n5. Position is set to ‘0’, which rewinds the stream to its start before it is saved. (Whether an existing file is overwritten is decided by the SaveToFile options, adSaveCreateOverWrite, not by Position.)\r\n6. Close the stream.\r\n[Image: the dropped archive on disk]\r\nThe archived files dropped on the disk as ‘planetarium.zip’\r\nAs you can see, all the values in Array are the arrays in the script, with the data to be written. 
Here’s an example:\r\n[Image: one of the data arrays]\r\nThis is the function that loads the DLL and executes it:\r\n[Image: the function that launches rundll32]\r\nAs you can see, it uses rundll32 to load the malicious DLL. The malicious DLL is ‘do343.scss’. Note the extension: rundll32 loads whatever path it is given, so a .scss file is a perfectly good DLL to it, and a rundll32 launch with a non-.dll module out of the temp folder is a good hunting query.\r\nThe malware also creates a URL file in the temp folder, which can be used as an IOC. It is linked to adobe.com.\r\n[Image: the dropped URL file]\r\nMalware DLL\r\nNow that we know how to bypass all the anti-analysis techniques this malware uses and how to execute the malware on our analysis machine, let’s get to the final DLL that is the malware LOLSnif.\r\nAmong other commonly seen malware functions, this malware also reaches out to the C2 and tries to post the victim machine information.\r\n[Image: system info being sent to the C2]\r\nThe DLL in this case works with DGA-style generation, as we can see with all these requests that are being made (they are listed in the appendix; note that the host stays cdn.arsis.at and it is the request path that is generated each time):\r\n[Image: C2 connections]\r\nConclusion\r\nThe dropper for this malware is very complex. The authors have gone to great lengths to make it as hard as possible to analyse the code. There are layers and layers of encoding and obfuscation. 
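Two of the observables this post produces are worth turning into detection logic: the rundll32 launch of a module that is not a .dll (do343.scss) out of the temp folder, from the execution section above, and the *.at/api1/* URL substring the appendix recommends blocking, together with the _2B and _2F tokens visible in every listed C2 path (2B and 2F are the hex codes of + and /, the two characters a base64 string needs escaped before it can sit in a URL path). The Python below is an added example, not from the post: it runs both checks over constructed events. The event format, PIDs, user name and the EntryPoint export in the command line are made up, as is the benign shop.example.at URL, which is there to show that the bare substring rule also catches ordinary Austrian sites with an /api1/ path and why the extra token check is worth keeping alongside it.

```python
import re
from urllib.parse import urlsplit

BACKSLASH = chr(92)  # Windows separator, built with chr() to keep the listing escape-free


def winpath(*parts):
    return BACKSLASH.join(parts)


# Constructed process-creation events (made-up PIDs, user and export name).
PROCESS_EVENTS = [
    {'pid': 4120,
     'image': winpath('C:', 'Windows', 'System32', 'rundll32.exe'),
     'cmdline': 'rundll32.exe ' + winpath('C:', 'Users', 'bob', 'AppData', 'Local', 'Temp', 'do343.scss') + ',EntryPoint'},
    {'pid': 4188,
     'image': winpath('C:', 'Windows', 'System32', 'rundll32.exe'),
     'cmdline': 'rundll32.exe ' + winpath('C:', 'Windows', 'System32', 'shell32.dll') + ',Control_RunDLL'},
    {'pid': 1324,
     'image': winpath('C:', 'Windows', 'explorer.exe'),
     'cmdline': 'explorer.exe'},
]

# Constructed proxy log lines; the first URL is one of those in the appendix.
PROXY_LINES = [
    '2020-07-28T10:00:01Z 10.0.0.5 GET http://cdn.arsis.at/api1/H_2Bh9rCYsD3etaukrm2/RByHpyc3FDpPSGayeJ8/drp8H1EloE0ocNfSkTyxXI/VvIT3FdJg_2Fw/DFjkaBgo/GEyHIuh_2FFnjWD 200',
    '2020-07-28T10:00:02Z 10.0.0.5 GET https://www.adobe.com/ 200',
    '2020-07-28T10:00:03Z 10.0.0.7 GET http://shop.example.at/api1/items?id=3 200',
]

# First token after rundll32 is the module; quoted paths with spaces are not handled.
MODULE_RE = re.compile('rundll32(?:[.]exe)?[ ]+(?P<module>[^ ,]+)', re.IGNORECASE)
LEGIT_EXTENSIONS = ('dll',)  # extend if your estate legitimately loads others
USER_WRITABLE = ('/appdata/local/temp/', '/downloads/')


def suspicious_rundll32(event):
    '''Reason string when rundll32 loads a module with an odd extension or
    from a user-writable folder, otherwise None.'''
    if not event['image'].lower().endswith('rundll32.exe'):
        return None
    m = MODULE_RE.search(event['cmdline'])
    if m is None:
        return None
    module = m.group('module').replace(BACKSLASH, '/').lower()
    name = module.rsplit('/', 1)[-1]
    ext = name.rsplit('.', 1)[-1] if '.' in name else ''
    reasons = []
    if ext not in LEGIT_EXTENSIONS:
        reasons.append('non-dll extension .' + ext)
    if any(folder in module for folder in USER_WRITABLE):
        reasons.append('user-writable path')
    return '; '.join(reasons) if reasons else None


def scan_process_events(events):
    '''(pid, reason) for every event the rundll32 rule flags.'''
    hits = []
    for event in events:
        reason = suspicious_rundll32(event)
        if reason:
            hits.append((event['pid'], reason))
    return hits


def classify_url(url):
    '''Indicators a URL matches: the post's *.at/api1/* block rule and the
    _2B/_2F escaped-base64 tokens present in every listed C2 path.'''
    parts = urlsplit(url)
    indicators = []
    if (parts.hostname or '').endswith('.at') and parts.path.startswith('/api1/'):
        indicators.append('at-api1')
    if '_2B' in parts.path or '_2F' in parts.path:
        indicators.append('escaped-base64')
    return indicators


def scan_proxy_log(lines):
    '''(url, indicators) for every log line whose URL matches something.'''
    hits = []
    for line in lines:
        url = next((tok for tok in line.split() if tok.startswith('http')), None)
        if url is None:
            continue
        indicators = classify_url(url)
        if indicators:
            hits.append((url, indicators))
    return hits
```

Against the constructed input, scan_process_events() flags only the do343.scss launch, and scan_proxy_log() returns the real C2 URL with both indicators and the benign shop URL with just the substring match; the single-indicator hits are the ones to review rather than block outright.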
To analyse the dropper, you need to peel back each layer one by one, right to the end, where it reveals the final payload, the malicious DLL.\r\nAppendix\r\nIOC:\r\nAt the time of this publishing, these are some of the MD5 hashes for the LOLSnif DLLs:\r\n9d55833324c088cf385ce6ae914ef21a\r\ne65c0ac2d6964f5866eb9eddf8654f3f\r\n654121216d3c75c83ef202785d5cc0ef\r\n894877146bb0b8ea8adf0ee26e52c1d7\r\n4549708f2a9c381890a5558b2036bc49\r\ndcf79f6af5b4b2b9d46b8a4e0b09b7bd\r\nfaa84b171f792d7154d9e38e94199100\r\n948e548aed01218c784b767b91504d18\r\n048b1b3e0781ab1a2f93b0e27644fde0\r\n28b17df90fb856d7e4540ac799094675\r\n057065c30188f1c4c7974946acade6da\r\n52b26eff6f2d5e2763fad705c4204016\r\n059514bbe7fcbe147cdd0ece92172f66\r\ne6be61c83d5d47576963a26f2301c08a\r\n0078f7e4b72461c7e16179c619c15ad8\r\n3f1c0646141e053865a4214108c74068\r\n3b98f77f08f7849e84634b36b77b27b9\r\n44de95961cc70cf2109b01951478e3f2\r\n8930e46553122ff4f3527ec437c8c4c5\r\nbf4af57d8668f8a7f64538b3b5b69e28\r\ned196535f294b9b7e36ebeb64cf06a68\r\n7dd011fc8fb66696593c532866ff5289\r\n710b94a1accbb727e6fa96f75bde769c\r\nf2468454850c605558c6e959e07483b8\r\ncbf550e52f40c94d791aa44ab40d2e14\r\n30f6d63ae1414f03d8cc48c0b8586515\r\n4e4574bf57096ce027bc92366d0abb10\r\n69c72e594f33f7d5ea82cdccc0222f26\r\nde25f443cc3bd5ccf14d1b514e909bb3\r\n0eee43e53dc9aa16e74f65ad09c5e82b\r\nd9efe81f4a58efa16158a73b1449b803\r\n9661df852aeeff9650fe8ac1a7412c39\r\n5c7bfc85f733cec1370ac6ebbded4762\r\nf7aeb4e1e0576d5a3d60db750282cbb5\r\n1f542cf3e1a239f001bc0c421550ca6a\r\ne35ac0d74c0c1e03b91a4c3083c767f1\r\n02818a3bf4231a7a0a9ce6704a0d9ed0\r\n6abe5757ed3098a45370453280b2864d\r\n6eabc4a1ca7f4e62476a7a52c8be0421\r\n8bbeae7c6067e2da6f5cdc232e271f8a\r\nf41c55c4588a9c37a1ac0eac366ac289\r\nb3af7dd2a66725fb34993083b1c8d005\r\nd6c361f547a7c56c40791098cec92186\r\n79c0cd43ee3fef2daf8c997ddb435a3f\r\n867e462ffcbe4510e03db3b93d846765\r\n4ce855d6e159db31376fd22b264018c8\r\n51303064fdcc6f69898e9f20ed0dde74\r\nb123fb543768cf6946b2be1e0af001ec\r\n784a48688f137a570aad2f5e396f1787\r\nef75f86a924894fec1dac693d329a7ab\r\n3881063f31833e97c6d3537c098b16a9\r\n30dd0f30a35abf1e135932948d05251d\r\n7fdacd5458f03ea0d20283c5d92a3c4d\r\n1e81d417b57e45a9fc64ddbc64f0d319\r\n420accd30315d90055d902b8e5bef7ad\r\n90ff9d6855c24dacd066d5dce7542d20\r\n70ba2bfeb8b9464bc04b1a27b4b9fd60\r\n0e833ac74e16bb544f5bfbd7832a47f0\r\n50f6f5e7eed54c3d981f33fce45bcfe5\r\n7b97b9083c3a00bdd5f091909b760879\r\nRegistry:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\\iexplore\\Count\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\\iexplore\\NavTimeArray\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\\iexplore\\LoadTimeArray\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\\iexplore\\Time\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\\iexplore\\Count\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\\iexplore\\Blocked\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\\iexplore\\Time\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\SavedLegacySettings\r\nNote that the Ext\\Stats keys are Internet Explorer’s own add-on load-time statistics, which IE writes whenever an add-on loads, so treat them as corroborating evidence next to the hashes and URLs rather than as a standalone indicator.\r\nURL Substring:\r\nThe best IOC to block if possible is this URL sub-string, it should cover the bulk of the campaign:\r\n*.at/api1/*\r\nURLs:\r\nThese are DGA generated so I’m putting these in here only for context.\r\nhttp://cdn.arsis.at/api1/wHyH_2FnTTF7N_/2FhXZmgpmphwk5O9OziQw/zEb_2B5DYgJbfBIm/FmRcBJ5rwr4t_2B/HXDzf2JBmaOIc2ppRr/qOk29WI0\r\nhttp://cdn.arsis.at/api1/Hmhc6xXo1ix/WZdv5_2FEhtQSj/8PneT9VWhkzZjfIVZm5eM/mVQ0wWySUq_2Bp2R/2EWTvs5RtU9bxlk/g0_2Fhxeii97r2IMw\r\nhttp://cdn.arsis.at/api1/bKijOolxcMo7NabTdIGI/4rnFi4WcpLgfUVCRHHL/DS1ei6d_2BqMqo3PW0RzIg/IfKJ_2FZcTlLE/ZdhKt7_2/B4QTgYOJWt3ga\r\nhttp://cdn.arsis.at/api1\r\nhttp://cdn.arsis.at/api1/g3cND3rYwENplG_2/FeEyhEJ2FAwkN5K/GPZSnLOBECVSYcCWuF/LzVChCMTh/H26ASmZUHOLPoY8ynrbQ/FRNrYU8iw\r\nhttp://cdn.arsis.at/api1/7quspzaiotqt/kyl_2bz4b1j/rfygo2qzb_2bam/kdsiikjgxwrydnaudlqlz/kw6ajofjr1u4rccg/qzqkubzbmq0gvwx\r\nhttp://cdn.arsis.at/api1/KptPXBVePWIw4eofz9MO1/K7ZRymXNuXRiFAEN/Kl_2FZTj9JanBu_/2FZjFImrYcR5hM_2BS/1H_2BgfMe/0BHr6BORQnpE\r\nhttp://cdn.arsis.at/api1/l2lqGv4pzkol3DfkaaG5r/fCBE8ZFyEf_2Br5X/YOPMxsMWm0eEWgL/wXM82u9kDgWKY9KFFb/OCGZZQlP1/p7EfQi_2B1Fu\r\nhttp://cdn.arsis.at/api1/EuwHWjjfklD4HW3/QOQQuWhTLTmMqf0I1t/gDDgSFwLa/DgWGeAQJTQZhYOVSzAae/bR69K8k0iA2TW4XXHD_/2By3S\r\nhttp://cdn.arsis.at/api1/xAoTEveG1GOmkrm/nYSMTm5K_2B3ivk_2B/aW44uzDni/rGzenJoOsx1ylMpGj8Fy/Ho823Z4Bu0n7YRE2QWU/z0Us1M_2FI\r\nhttp://cdn.arsis.at/api1/H_2Bh9rCYsD3etaukrm2/RByHpyc3FDpPSGayeJ8/drp8H1EloE0ocNfSkTyxXI/VvIT3FdJg_2Fw/DFjkaBgo/GEyHIuh_2FFnjWD\r\nhttp://cdn.arsis.at/api1/gUTsb0hTss1/Co2YYIgdYOteWU/qElHYaEtD_2FWkg0zjGQ2/azHRBwmvRKDPyCrj/D1fNAUBn8aAII_2/B17rzY3VvonNe62I\r\nhttp://cdn.arsis.at/api1/cVkjL_2FgOj/Axtod6Fmq1M7uV/HP0LZhtAOgdOD8Hyaxj3J/X5taQx9wI_2BCzAV/pc2nDrG3bK0BhUY/84vnlg8tiB4aJeaiaU/k\r\nhttp://cdn.arsis.at/api1/IBMv6_2BCok_2BLpBpO_/2B9v3Qm4_2FX45_2FeO/BcwXXX8AVKX_2FSJ_2F3B_/2F90ZMHaYC8V0/gMtHQcL8/8xhQYB\r\nhttp://cdn.arsis.at/api1/fgQ1NTCojxJDwC14E5DnwCl/KavCi1acDy/e13B21vM6MhLM4AIK/3f3Mi2QxzHgc/P0XZCdOs1js/5fN1p_2FTDkgeU/AqUsp\r\nhttp://cdn.arsis.at/api1/D2rtQw08vKM582WflpW/p2FmjhrjHMJenlrVhtAhxQ/hFGnSj1viaIep/SIxkDt2S/sSxf_2Fb_2FBwzYcEusQ7V_/2BmZ06zkmD/c\r\nhttp://cdn.arsis.at/api1/vmiHof0LS1v/Ku1jN794t4oF3a/njj1yuBR0Dt8TVoLZTTUp/bVL1a8e_2B2qVXAd/rTfw5jO6iECEV7V/YpYOTs77fnQLs8UGk5\r\nhttp://cdn.arsis.at/api1/WAGKecAj9Dbjs/7eV6fbXP/fzQ59RCdM17G9RqU7jWJvWm/sRRz9tvx61/C10gkyTA9lbvZjzdG/mGXGz8LelSla/KXZARkBTY\r\nhttp://cdn.arsis.at/api1/7quspzaiotqt\r\nhttp://cdn.arsis.at/api1/yPY5GzJMXeLsnFQcULKL/M2xm0HOTahh6MI7zqaV/pU6AnHx2sZyMM_2BlFIOsd/aNXpV8Gm2fSNI/bdrfXDQ3/siBoMPGb\r\nhttp://cdn.arsis.at/api1/NlCQFOIF5RKo0fNM/wdxpwV2dHN3JvIt/ZE8M7iIF0R3GfMTcil/7HuauJIOy/oC8M61BnykzaA8dCVpBg/9fIti04JA1wUU6Eh\r\nhttp://cdn.arsis.at/api1/e7lXH69k5zpthIR1/f9kqN5i9Ck5iuSz/_2ByNUtaD1rDn6HMsv/bIFXaYH_2/Fu84pXWv5CavXOTyFNSk/1kUVRtSRjPURsuAnX\r\nhttp://cdn.arsis.at/api1/CvinmSSvODDZkdi/WXI0RTIaUCxAhJjBMP/IIPB_2Blp/txN_2BNWI_2FIqSsPuK5/eOrsWlwg61vbrpeZwoF/aWZ6q8jNAU3H\r\nhttp://cdn.arsis.at/api1/0QKQhv1lfODyyt_2BrVQ/bob1P6_2BI0ExeXGd58/VR_2BKrJYiSBk7c8rwACur/gl9xIc2_2FdsG/_2BUzWzx/_2BdWdnQ5HqO\r\nhttp://cdn.arsis.at/api1/j6mW9lD1FVMRxXSjvK0f3/djuTybikjF9pGuGs/xW5bTMUWxMhQ0op/OC8i6YfxaJy76FywQK/XO02QoLgr/_2BEMLgDyfBN\r\nhttp://cdn.arsis.at/\r\nhttp://cdn.arsis.at/api1/5zN8rGv01dngHxTUFmR/2JFBCSlIZXxJJrgccwAuWY/5UqzTIh0fjIyB/sUMkLbE4/perxsUm8IpJ1X5elG7FsWyi/bEAn52E2U2/\r\nhttp://cdn.arsis.at/api1/aEv1VWdHo/5XsTxwxgNxjOzoqYpJ8g/fLYR67E_2B38uvZEYnm/JtKkT5VISubU7di8NfdtCb/C3_2FsmGqQNkX/x2fNfAmU/u\r\nhttp://cdn.arsis.at/api1/Jc9GRErJhjX/sp0eY_2Fz9sMoq/INfGiH2aoUpN2utlWNAlT/uUP3Nsq5QSBTWnSo/hgkBlJHjuQhVUOO/JKQzOrlt3mUOBxQh\r\nhttp://cdn.arsis.at/api1/LdoC8y0TLbGdp5uNO/okN1YRVKJ_2F/3tqgLpdrfys/K7SOMU7v0ROu1p/eWodB6Xn7vym8WAlxfwH2/UOcQ5zwOuDKtb_2F\r\nhttp://cdn.arsis.at/api1/7quspzaiotqt/kyl_2bz4b1j/rfygo2qzb_2bam\r\nhttp://cdn.arsis.at/api1/g3cnd3rywenplg_2/feeyhej2fawkn5k/gpzsnlobecvsyccwuf/lzvchcmth/h26asmzuholpoy8ynrbq/frnryu8iwt3yk0cl9br/lgafu_2f5h0r_\r\nhttp://cdn.arsis.at/api1/SAAcuzOpfbMUoAhiH/m_2BrMu0SH96/skxXB3ysNuv/HBD0yGYmVf5D4l/jTt3m_2B7J75EKo8QDZh8/utk5MDA_2BNEhYQ\r\nhttp://cdn.arsis.at/api1/wX7K74Uxk/SNf1bOzWWC_2FrfBvEV8/t3Umjz6iuBtRPfEDzJM/pto5_2BHY19v0WRY89k2Ue/Lt1U7vOY37AP0/GBJC3_2B\r\nhttp://cdn.arsis.at/api1/\r\nhttp://cdn.arsis.at/api1/2XdbqrGFM0J/zprSG103I4Jpnq/QodM_2Fb_2FAMY7mtlRUh/ZSlkOCmTPtrqFAO8/E6oZhqiq_2FRVyn/VoEfaka0YEykKS2CjJ\r\nhttp://cdn.arsis.at/api1/CGmNKJF1rvFYA9SPcsH6O/pJLsQY3Yzmsa6JsT/nE4s9mzNA76yQSR/OIxmBhVsIReEYPZQuH/jNm_2BJ8a/LRAN5qXNUV\r\nhttp://cdn.arsis.at/api1/oF6pYWXWnp3s7q/qSSOLKYW_2FfFVcmfQXrS/81vidnxgw1SLkB1O/hNTt3eBVPieCJ0L/IaZMzPDIYnA1B_2BHJ/5lMuNx_\r\nhttp://cdn.arsis.at/api1/HC4EMEGb/ma9_2FcQMbbE1MEUzuPhlc3/HuxtC0ELL8/gBggc7AQN095TJAZc/yJbBXh822ZwJ/4D3wa4fw1VR/6dHNEU1A\r\nhttp://cdn.arsis.at/api1/zjc0OHx1dxbO_2BC/Z0W6WHf02Tgr8CF/P6U6VnRuAjgYgS7YLl/FKWxx80Ml/m_2F3_2FbtlG7X5iGOos/BGqdSnbysJt8Nure\r\nhttp://cdn.arsis.at/api1/Qi6rv8BTou3kF/p8AxlriL/Ya3MJ5FwEFHIHKYUX2HQ3Kn/PiXWBJwwZm/ZQDDwA7DtG1pu3AnV/LoYihqMZCfjG/tccd9zjT\r\nhttp://cdn.arsis.at/api1/tiZ1bgzLeqSPe_/2BbV_2FyzjxDJmEF4N28s/qmyqmpJjFx9rJgpg/VQkGYSc95fwf8cB/7G4SBIlQL3eMR8gt5C/5JyKg9wk4/I_2F\r\nhttp://cdn.arsis.at/api1/x3xoabxfe/m36ha01qzso_2bjhudn9/jmn_2fxzecqgwytustu/5qxbtdfibvfa3ipd71sin2/oamfzefsrxyb2/7f_2btbg/f_2bc52n9v4gquoyxq\r\nhttp://cdn.arsis.at/api1/zb8NtR0AhxP3f6S9VBW/RWPIgzxOtEj4nbciJA1qrq/NBo_2FvVgRVRO/y_2BC136/WXmjrLxAWby648dJ0tmlI4i/1kW0E6M8u\r\nhttp://cdn.arsis.at/api1/mbMl8_2BI8RGm_2BaK7yDye/1m1qN1n6yB/WDap0lzqbLndOuzgA/eMgDM_2FSRfU/7Nvkmt1i7Ov/XvudlCwAWAjW6m/Dz\r\nhttp://cdn.arsis.at/api1/fbhiiqtva3mmvkocd0y/ygykeoaudbvbiquy1hukqk/qjmuqtkaiicfi/vanyrf6s/6ydfg7utns_2b6gi0lbsdxm/dfaz00gbo4/y_2bbxbajmmnm\r\nhttp://cdn.arsis.at/api1/7quspzaiotqt/kyl_2bz4b1j\r\nhttp://cdn.arsis.at/api1/AEApm14UVcYD3SWDG/favicon.ico\r\nhttp://cdn.arsis.at/api1/An0vCmUtPCRvXWxDp_/2BCA2e_2B/udkfSPeU879CSlL_2BbK/30ffSOza391MvNrTxzI/FQPIyJWbmEl8dJFwvATf6P/_2FZfS\r\nhttp://cdn.arsis.at/api1/7quspzaiotqt/kyl_2bz4b1j/rfygo2qzb_2bam/kdsiikjgxwrydnaudlqlz/kw6ajofjr1u4rccg\r\nSource: https://medium.com/@vishal_thakur/lolsnif-malware-e6cb2e731e63",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@vishal_thakur/lolsnif-malware-e6cb2e731e63"
	],
	"report_names": [
		"lolsnif-malware-e6cb2e731e63"
	],
	"threat_actors": [],
	"ts_created_at": 1775434050,
	"ts_updated_at": 1775791318,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5e80db3ce19a360622fd2ac87f1e8a72e29dc47a.pdf",
		"text": "https://archive.orkl.eu/5e80db3ce19a360622fd2ac87f1e8a72e29dc47a.txt",
		"img": "https://archive.orkl.eu/5e80db3ce19a360622fd2ac87f1e8a72e29dc47a.jpg"
	}
}