{
	"id": "42248bd0-06dd-4d2d-9e95-b56adb5e0e34",
	"created_at": "2026-04-06T00:11:57.880115Z",
	"updated_at": "2026-04-10T03:34:57.133201Z",
	"deleted_at": null,
	"sha1_hash": "610a7c5ce4ebd62b5097f680d66a87d57ee2cc07",
	"title": "Cmstar Downloader: Lurid and Enfal's New Cousin",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 242684,
	"plain_text": "Cmstar Downloader: Lurid and Enfal's New Cousin\r\nBy Robert Falcone\r\nPublished: 2015-05-18 · Archived: 2026-04-05 21:52:47 UTC\r\nIn recent weeks, Unit 42 has been analyzing delivery documents used in spear-phishing attacks that drop a custom\r\ndownloader used in cyber espionage attacks. This specific downloader, Cmstar, is associated with the Lurid\r\ndownloader also known as ‘Enfal’. Cmstar was named for the log message ‘CM**’ used by the downloader.\r\nUnit 42 is aware of threat actors using two toolkits - MNKit and the Tran Duy Linh toolkit - to produce malicious\r\ndocuments that exploit CVE-2012-0158 in order to implant Cmstar. The Cmstar downloader itself has several\r\nunique and interesting features, as well as substantial infrastructure overlap with other tools worth discussing.\r\nManual Building of Import Address Table\r\nThe Cmstar downloader starts by manually building its import address table (IAT), much like shellcode would;\r\nhowever, it uses a rather unique technique. Instead of finding API function names based on their hashed values,\r\nthis malware enumerates libraries' export address table (EAT) and searches for the name of the API function the\r\npayload needs to load by using a character to offset array. The payload pairs several comma-separated lists of\r\ncharacters with comma-separated lists of numbers. Each list of characters consists of the set found within the API\r\nfunction name the payload seeks to add to its IAT, while the corresponding list of numbers specifies the offset in\r\nthe function name where those characters should be placed. 
For example, if the payload has \"D,e,A\" paired with\r\n\"0,5,19\", this results in the following mapping:\r\n\"D\" at offset 0 in API function name\r\n\"e\" at offset 5 in API function name\r\n\"A\" at offset 19 in API function name\r\nThe payload loads a specific Windows library's EAT by calling the ImageDirectoryEntryToData API function\r\nusing the IMAGE_DIRECTORY_ENTRY_EXPORT flag. It then enumerates the library's EAT to find exported\r\nfunction names by checking each function name for the character and the specific offset. Once found, the payload\r\nadds the address for the specific API function to its IAT. For instance, the payload checks the EAT of \"wininet.dll\"\r\nusing the comparisons mentioned above to find the address to the \"DeleteUrlCacheEntryA\" API function. One\r\nspecific Cmstar payload that we analyzed used the character/offsets seen in Figure 1 to locate the API functions\r\nwithin three different Windows libraries to build its IAT.\r\nLibrary Characters Offsets Function Name\r\nwininet.dll D,e,A 0,5,19 DeleteUrlCacheEntryA\r\ne,O,A 3,8,12 InternetOpenA\r\ne,C,A 3,8,15 InternetConnectA\r\nhttps://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/\r\nPage 1 of 14\n\np,O,A 3,4,15 HttpOpenRequestA\r\np,S,A 3,4,15 HttpSendRequestA\r\np,E,A 3,4,14 HttpEndRequestA\r\np,Q,A 3,4,13 HttpQueryInfoA\r\ne,R,e 3,8,15 InternetReadFile\r\ne,C,e 3,8,18 InternetCloseHandle\r\nadvapi32.dll\r\nS,V,A 3,6,13 RegSetValueExA\r\nC,s,y 3,6,10 RegCloseKey\r\nO,K,A 3,7,12 RegOpenKeyExA\r\nD,K,A 3,9,12 RegDeleteKeyA\r\nD,V,A 3,9,14 RegDeleteValueA\r\nU,r,A 3,6,11 GetUserNameA\r\nv,t,S 3,6,12 ConvertSidToStringSidA\r\nk,A,A 3,6,17 LookupAccountNameA\r\nkernel32.dll\r\nW,E,c 0,3,6 WinExec\r\nC,M,A 0,10,17 CreateFileMappingA\r\nU,V,e 0,5,14 UnmapViewOfFile\r\nM,O,e 0,7,12 MapViewOfFile\r\nFigure 1. 
Character and Offset Pairs Found in Cmstar Payload and the Resulting API Function Names\r\nCmstar Behavior\r\nAfter manually creating the IAT, Cmstar decrypts its configuration, several encrypted strings, and a piece of\r\nshellcode. The embedded configuration contains nothing more than a URL that Cmstar uses as its command and\r\ncontrol (C2) location. The encrypted strings within the Trojan include fields used within the HTTP requests that\r\nCmstar will create to communicate with its C2 server, as well as additional strings used to interact with the\r\nregistry. The Cmstar sample associated with the MNKit delivery document creates the following registry key to\r\nautomatically execute at system startup:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\xpsfiltsvcs: \"rundll32.exe C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\xpsfiltsvcs.dll,XpsRegisterServer\"\r\nUnit 42 found an additional encrypted registry key that would allow Cmstar to automatically start up after reboots.\r\nHowever, the code does not decrypt, reference, or use the following registry key in any way, which suggests that\r\nthe malware author left this artifact in the code after swapping to the run key listed above:\r\nHKCU\\Software\\Microsoft\\CTF\\LangBarAddIn\r\nCmstar also decrypts a 752-byte piece of shellcode that carries out communications with the C2 server,\r\nspecifically by sending HTTP POST requests to the following URL:\r\nhttp://happy.launchtrue[.]com:8080/cgl-bin/update.cgi\r\nIt should be noted that the C2 URL contains the string ‘cgl-bin’, which visually resembles the common cgi-bin\r\nfolder used by many webservers to run server-side scripts. 
Unit 42 used the Palo Alto Networks AutoFocus threat\r\nintelligence service to locate additional samples using the ‘cgl-bin’ string within URLs of HTTP requests and\r\nfound several samples of the Cmwhite tool associated with the Lurid/Enfal downloader [1], as seen in Figure 2.\r\nFigure 2. Cmwhite Tools Using \"cgl-bin\" within HTTP Requests\r\nCmstar’s HTTP POST requests sent to ‘happy.launchtrue[.]com’ contain data that the Trojan gathers from the\r\ninfected machine, with the following structure:\r\n\u003cWindows Version number\u003e@@\u003cCPU Architecture (2 for x64, 1 for x86)\u003e??\u003cboolean for elevated\r\nprivileges\u003e]]**\u003cboolean if antivirus processes are found\u003e!!\u003cstatic version string\u003e==\r\nIn one example, Unit 42 observed the following data within an analysis environment, which was then encrypted\r\nusing a single-byte XOR algorithm and a key of 0x45 before being sent to the C2 server:\r\n510@@1??1]]**0!!150316o==\r\nHelpfully, the malware author writes log messages to the ‘DF64159.TMP’ file, used for debugging purposes\r\nthroughout the execution of the Cmstar downloader. The log messages are abbreviated strings that describe\r\nspecific activities during the execution of the code. For instance, the downloader uses CreateMutex to create a\r\nmutex named ‘{53A4988C-F91F-4054-9076-220AC5EC03F3}’ to determine if another instance of the code is\r\nrunning. If the downloader determines another instance of itself is running, the code writes the string ‘CM**’ -\r\nwhich happens to be the basis for the name of the Trojan - to the log file. 
Unit 42 created a Yara signature to detect\r\nCmstar samples based on these debugging strings, which is available in the appendix.\r\nHashing Process Names\r\nAs mentioned in the behavioral analysis section, the Cmstar downloader gathers system-specific information to\r\nsend to the C2 server. One such piece of information is the existence of specific running processes. Many malware\r\nfamilies and tools check for the existence of antivirus, but the Cmstar tool does so in a clever way. Rather than\r\nincluding a list of strings of associated processes, Cmstar enumerates the running processes and subjects these\r\nprocess names to a hashing algorithm. The results of this algorithm are then compared against three static values:\r\n0x1E00AFA, 0xBEE091E8 and 0xD46FCDFA. Unit 42 reverse engineered the algorithm and created the function\r\nseen below to generate hashes in order to determine the processes Cmstar is trying to find:\r\ndef hashStr(st):\r\n    # Reverse-engineered Cmstar process-name hash: each step rotates the\r\n    # 32-bit state left by 19 bits, then adds the next character XORed with 0x4a.\r\n    h = 0\r\n    for ch in st:\r\n        h1 = (h \u003c\u003c 0x13) \u0026 0xFFFFFFFF\r\n        h2 = (h \u003e\u003e 0x0d) \u0026 0xFFFFFFFF\r\n        h3 = (h1 | h2) \u0026 0xFFFFFFFF\r\n        h = (h3 + (ord(ch) ^ 0x4a)) \u0026 0xFFFFFFFF\r\n    return h\r\nUnit 42 found that the string ‘avp’ subjected to the algorithm above results in the value 0x1E00AFA, which\r\nsuggests the Cmstar sample specifically looks for Kaspersky's antivirus product (avp.exe) running on the\r\ncompromised system. If the Trojan finds a process whose hash matches one of the three values mentioned earlier, it sets\r\na boolean value (the character ‘1’) within the data sent to the C2 server and continues carrying out its\r\nfunctionality. 
Rather than altering its activities, Cmstar only notifies the C2 server if a system is running one of\r\nthese processes, suggesting that the threat actors might employ this technique as a filtering mechanism to ignore\r\nanalysis systems and researchers.\r\nThreat Infrastructure\r\nIn order to determine the intrusion set involved with Cmstar, Unit 42 enumerated the infrastructure used by the\r\ndownloader for its C2 servers. The related infrastructure chart in Figure 3 shows a rather large cluster of related\r\nentities, plus one small set of entities that shares no related entities with the larger cluster.\r\nFigure 3. Infrastructure and Entities Related to Cmstar\r\nAs seen in the chart above, the C2 domain ‘happy.launchtrue[.]com’ was originally registered using the email\r\naddress ‘WANGMINGHUA6@GMAIL[.]COM’. When Unit 42 used the Palo Alto Networks AutoFocus threat\r\nintelligence service to locate additional Cmstar samples, we found several with C2 domains that also had the same\r\noriginal registrant:\r\nlinks.dogsforhelp[.]com\r\nthree.earewq[.]com\r\nquestion.eboregi[.]com\r\nhere.pechooin[.]com\r\nsarey.phdreport[.]com\r\nbakler.featurvoice[.]com\r\nThe only known Cmstar C2 domain not initially registered by the email address was help.ubxpi0s[.]com. 
Further\r\nanalysis revealed that additional domains related to Cmstar C2 domains were also originally registered using the\r\nemail address ‘WANGMINGHUA6@GMAIL[.]COM’ and updated to the current information within a few days.\r\nIn addition, this was the original registrant for the C2 domain used in our Google Code blog [2], indicating this\r\nregistrant email is likely a reseller, and/or someone who initially sets up infrastructure for particular APT threat\r\nactors.\r\nforever.cowforhelp[.]com\r\nquestion.shiesiido[.]com\r\nendline.biortherm[.]com\r\nright.marubir[.]com\r\nbaby.brabbq[.]com\r\nlind.kruptcy[.]com\r\nThe rest of the domains related to the Cmstar infrastructure did not use the original registrant noted above, but\r\ninstead kept the same information initially used to register them. The difference in domain registration patterns\r\ncould indicate threat actor preference, or could indicate there are at least two groups using this malware whose\r\ninfrastructure at times overlaps.\r\nunder.suttgte[.]com\r\nhelp.ubxpi0s[.]com\r\nfinally.basiccompare[.]com\r\ncrystal.diskfunc[.]com\r\nqueenfansclub[.]com\r\nnovnitie[.]com\r\nflash-vip[.]com\r\nreplyfunt[.]com\r\nnatcongress[.]com\r\nkeep.regebky[.]com\r\nlove.regebky[.]com\r\nInterestingly, the updated registrant information (or original, in the cases where it wasn’t changed) for all of the\r\nC2 domains in this blog has also been used to register scam sites, most purporting to sell knock-off designer\r\nproducts like shoes, software, or cell phones. The contact emails and contact names can vary, but the registrant address is\r\nre-used. 
Blue Coat noted this pattern as well in a blog published late last year, which also noted the\r\n‘WANGMINGHUA6@GMAIL[.]COM’ registrant email [3]. It is not known whether the threat actors conducting\r\nthe malicious activity are also behind the scam sites.\r\nConclusion\r\nThe Cmstar tool has several interesting features, including a previously unseen method of manually creating its\r\nimport address table using an API function name character-to-offset mapping technique, and a hashing algorithm\r\nused to find antivirus processes on an infected system. Both of these features are noteworthy and may provide the\r\nability to correlate future tools to the same group and/or malware authors.\r\nThe URL used by Cmstar to communicate with its C2 server, as well as significant infrastructure overlap, show a\r\ndirect relationship between the Cmstar downloader and the Lurid/Enfal and Cmwhite tools. In a majority of the cases,\r\nthreat actors using the Cmstar downloader initially register the C2 domains using the email address\r\n‘WANGMINGHUA6@GMAIL[.]COM’ and later change the registration information to include a different email\r\naddress. Unit 42 cannot positively confirm that the threat actors control the\r\n‘WANGMINGHUA6@GMAIL[.]COM’ email address, or whether the email address belongs to a reseller that the threat\r\nactors buy domains from to create their infrastructure; however, we do believe this is an interesting TTP worth\r\ntracking in future infrastructure enumeration.\r\n1. The “Lurid” Downloader - Nart Villeneuve and David Sancho - http://la.trendmicro.com/media/misc/lurid-downloader-enfal-report-en.pdf\r\n2. Attacks on East Asia using Google Code for Command and Control - Jen Miller-Osborn and Rob Downs - http://blog.paloaltonetworks.com/2014/08/attacks-east-asia-using-google-code-command-control/\r\n3. 
Linking APTs from 2011 and 2014 to an Active Scam Network - Kiel Wadner - https://www.bluecoat.com/security-blog/2014-10-08/linking-apts-2011-and-2014-active-scam-network\r\nAppendix\r\nKnown Cmstar Downloaders\r\nDelivery Documents Installing Cmstar\r\nRelated Cmwhite Tools\r\nCmstar Yara Rule\r\nrule ce_enfal_cmstar_debug_msg\r\n{\r\n    meta:\r\n        author = \"rfalcone\"\r\n        description = \"Detects the static debug strings within CMSTAR\"\r\n        reference = \"9b9cc7e2a2481b0472721e6b87f1eba4faf2d419d1e2c115a91ab7e7e6fc7f7c\"\r\n        date = \"5/10/2015\"\r\n    strings:\r\n        $d1 = \"EEE\\x0d\\x0a\" fullword\r\n        $d2 = \"TKE\\x0d\\x0a\" fullword\r\n        $d3 = \"VPE\\x0d\\x0a\" fullword\r\n        $d4 = \"VPS\\x0d\\x0a\" fullword\r\n        $d5 = \"WFSE\\x0d\\x0a\" fullword\r\n        $d6 = \"WFSS\\x0d\\x0a\" fullword\r\n        $d7 = \"CM**\\x0d\\x0a\" fullword\r\n    condition:\r\n        uint16(0) == 0x5a4d and all of ($d*)\r\n}\r\nSource: https://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/"
	],
	"report_names": [
		"cmstar-downloader-lurid-and-enfals-new-cousin"
	],
	"threat_actors": [
		{
			"id": "7c8cf02c-623a-4793-918b-f908675a1aef",
			"created_at": "2023-01-06T13:46:38.309165Z",
			"updated_at": "2026-04-10T02:00:02.921721Z",
			"deleted_at": null,
			"main_name": "APT15",
			"aliases": [
				"Metushy",
				"Lurid",
				"Social Network Team",
				"Royal APT",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"VIXEN PANDA",
				"Ke3Chang",
				"Playful Dragon",
				"BRONZE PALACE",
				"G0004",
				"Red Vulture",
				"Nylon Typhoon"
			],
			"source_name": "MISPGALAXY:APT15",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434317,
	"ts_updated_at": 1775792097,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/610a7c5ce4ebd62b5097f680d66a87d57ee2cc07.pdf",
		"text": "https://archive.orkl.eu/610a7c5ce4ebd62b5097f680d66a87d57ee2cc07.txt",
		"img": "https://archive.orkl.eu/610a7c5ce4ebd62b5097f680d66a87d57ee2cc07.jpg"
	}
}