{
	"id": "1e8a84c6-9da9-4930-8824-b2211ca4fb84",
	"created_at": "2026-04-06T00:20:51.623269Z",
	"updated_at": "2026-04-10T03:32:50.101436Z",
	"deleted_at": null,
	"sha1_hash": "694c995bd92d815da556578c273f4e4d542dac7e",
	"title": "API Hashing Tool, Imagine That",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 405999,
	"plain_text": "API Hashing Tool, Imagine That\r\nBy Kyle O'Meara\r\nPublished: 2019-03-25 · Archived: 2026-04-05 22:26:25 UTC\r\nIn the fall of 2018, the CERT Coordination Center (CERT/CC) Reverse Engineering (RE) Team received a tip\r\nfrom a trusted source about a YARA rule that triggered an alert in VirusTotal. This YARA rule was found in the\r\nDepartment of Homeland Security (DHS) Alert TA17-293A, which describes nation-state threat activity attributed to\r\nRussia. I believed this information warranted further analysis.\r\nThe YARA rule, shown in Figure 1, is allegedly associated with the Energetic Bear group. The Energetic Bear\r\ngroup, named by security firm CrowdStrike, conducts global intelligence operations, primarily against the energy\r\nsector. It has been in operation since 2012. (For more information, see CrowdStrike Global Threat Report: 2013\r\nYear in Review.) This group has also been referred to as Dragonfly (Symantec), Crouching Yeti (Kaspersky),\r\nGroup 24 (Cisco), and Iron Liberty (SecureWorks), among others. 
(For more information, see APT Groups and\r\nOperations.)\r\nrule APT_malware_2\r\n{\r\nmeta:\r\n description = \"rule detects malware\"\r\n author = \"other\"\r\nstrings:\r\n $api_hash = { 8A 08 84 C9 74 0D 80 C9 60 01 CB C1 E3 01 03 45 10 EB ED }\r\n $http_push = \"X-mode: push\" nocase\r\n $http_pop = \"X-mode: pop\" nocase\r\ncondition:\r\n any of them\r\n}\r\nFigure 1: YARA Rule for DHS Alert TA17-293A\r\nUnfortunately, upon reviewing numerous public threat reports from the above vendors, I could not find further\r\ninformation tying this YARA rule or associated exemplars to the Energetic Bear group, but I still believed that the\r\nactivity warranted further investigation and analysis.\r\nMethodology\r\nI used the following methodology for this analysis:\r\nanalyzed the YARA rule and initial exemplar\r\nanalyzed exemplar with IDA\r\nresearched and applied API hashing module routine findings to exemplar\r\nhttps://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html\r\nPage 1 of 13\n\nmapped research findings and analysis to exemplar with IDA\r\ncreated a tightly scoped YARA rule to discover new exemplars\r\ncreated API hash YARA rules to discover more exemplars\r\nanalyzed new exemplars with refined YARA rule\r\ncreated a tightly scoped YARA rule\r\ndiscovered API hashes found in new exemplars\r\nquestioned attribution\r\nidentified future work\r\nreported results\r\nAnalyzed the YARA Rule and Initial Exemplar\r\nI was interested in understanding the string variables found in the YARA rule shown in Figure 1. Specifically, it\r\nwas not immediately clear what the $api_hash variable represented, whereas the variables $http_push and\r\n$http_pop appeared to be associated with Hypertext Transfer Protocol (HTTP) header fields. 
I focused my\r\nanalysis on the $api_hash variable.\r\nAnalyzed Exemplar with IDA\r\nAfter cursory analysis of the initial exemplar (SHA256:\r\n1b17ce735512f3104557afe3becacd05ac802b2af79dab5bb1a7ac8d10dccffd), I determined that the $api_hash\r\nvariable was alerting on the routine (highlighted in green in Figure 2).\r\nFigure 2: $api_hash Variable Found in Initial Exemplar\r\nResearched and Applied API Hashing Module Routine Findings to Exemplar\r\nThe key points to highlight in Figure 2 are a loop that reads one byte of a name at a time until it reaches the\r\nterminating null, ors each byte with 0x60, adds it to a running value in a register, shifts that register logically left\r\n(shl) by 1, and jumps back to the top of the loop. Based on this information coupled with the variable name $api_hash,\r\nI was able to determine that this was a Windows application programming interface (API) hashing routine.\r\nI wanted to find further information on any API hashing techniques. Through open source intelligence (OSINT)\r\ngathering, I discovered the FireEye Flare IDA Pro utilities Github page that mentioned a plug-in called Shellcode\r\nHashes and an associated blog post from 2012 titled \"Using Precalculated String Hashes when Reverse\r\nEngineering Shellcode,\" which further discussed API hashing. (For more information, see FireEye Flare IDA Pro\r\nutilities Github and Using Precalculated String Hashes when Reverse Engineering Shellcode.) After I examined\r\nthe FireEye Flare IDA plug-in script further, I found it contained 23 API hashing modules. 
I identified an API\r\nhashing module, shown in Figure 3, that was very similar to the routine found in the exemplar shown in Figure 2.\r\nThis API hashing module is a function that contains a for loop, which contains an or of 0x60 followed by an add and\r\na shift left by 1.\r\ndef sll1AddHash32(inString, fName):\r\n    # fName is part of the plug-in's common module signature; this hash does not use it\r\n    if inString is None:\r\n        return 0\r\n    val = 0\r\n    for i in inString:\r\n        b = ord(i)\r\n        b = 0xff \u0026 (b | 0x60)   # or 0x60 folds ASCII upper case to lower case\r\n        val = val + b\r\n        val = val \u003c\u003c 1\r\n        val = 0xffffffff \u0026 val  # truncate to 32 bits\r\n    return val\r\nFigure 3: sll1AddHash32 Function from FireEye Flare IDA Plug-In\r\nThe CERT/CC has an API hashing tool that creates a set of YARA signatures of API hashes for a given set of\r\ndynamic link library (DLL) files. This API hashing tool contained 22 API hashing modules. One of these modules\r\nmatched the routine from the exemplar shown in Figure 2 and the FireEye API hashing module shown in Figure 3.\r\nI called this API hashing module sll1Add. I used the CERT/CC API hashing tool and a clean set of DLL files (see\r\nTable 1) to create a set of YARA rules for the sll1Add routine. After running the entire set of YARA rules against\r\nthe exemplar, I received an alert for the kernel32.dll API hashes shown in Figure 4. The byte values in these tables\r\nare listed in the order in which they are stored in the binary, that is, little endian: 86 57 0D 00 is the 32-bit value\r\n0x000D5786.\r\nFunction        Bytes (little endian, as stored)\r\nLoadLibraryA    86 57 0D 00\r\nVirtualAlloc    42 31 0E 00\r\nVirtualProtect  3C D1 38 00\r\nFigure 4: API Hashes from kernel32.dll for sll1Add Routine\r\nMapped Research Findings and Analysis to Exemplar with IDA\r\nI used another CERT/CC tool called UberFLIRT. UberFLIRT calculates and stores position independent code\r\n(PIC) hashes of arbitrary functions, easily shares information via a central database, and allows for fewer false\r\npositives than IDA's Fast Library Identification and Recognition Technology (FLIRT). 
I labeled the function\r\nshown in Figure 2 in IDA as api_hash_func_slladd1 and saved it to the UberFLIRT database to facilitate future\r\nanalysis of similar exemplars.\r\nExamining the entry point of the exemplar, I found two values that are pushed onto the stack and passed as\r\nparameters to a function. These two values are 0x0038D13C and 0x000D4E88. The value 0x0038D13C is the\r\nhash of VirtualProtect shown in Figure 4. The other value, 0x000D4E88, is discussed below.\r\nExamining this function, where the API hashes were passed as parameters, I determined that this exemplar uses\r\nmanual symbol loading techniques, very similar to those of shellcode, to interact with the system through\r\nAPIs.\r\nThis process reads the Thread Environment Block (TEB) to find the pointer to the Process Environment Block (PEB)\r\nstructure. The loader module list in the PEB is then walked to find the DllBase of kernel32.dll. The exemplar also\r\nchecks that it has the correct module: the base name of the module found through the PEB is run through the same\r\nhash routine and compared with 0x000D4E88, the sll1Add hash of the kernel32.dll base name. The function then parses\r\nthe portable executable (PE) export data of that module, hashing each exported function name and comparing the\r\nresult with the VirtualProtect hash (0x0038D13C); a match yields the function's address without LoadLibrary,\r\nGetProcAddress, or an import table entry ever naming it. The same is done for the remaining hashes. This process is\r\nshown in Figure 5 with my added comments. 
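The following Python is an added example, not code from the article or from the CERT/CC or FireEye tools it mentions. It reimplements the sll1Add hash from Figure 3 and does the two things the analysis above relies on: it turns a list of export names into the little-endian byte strings that become YARA hex strings (Figure 4 and Figure 6), and it resolves constants lifted from a sample, such as the two values pushed at the entry point, back to the names they were computed from. The export lists are a hand-picked subset embedded inline for the example rather than exports enumerated from clean DLLs, and the names sll1_add_hash32, le_bytes, hash_table, resolve, push_pattern and yara_rule are this example's own.

```python
# Added example (not from the article or the CERT/CC / FireEye tools): the
# sll1Add export-name hash, used to build hash tables and YARA strings from
# known export names and to resolve constants found in a sample back to names.

# Constructed input: a hand-picked subset of kernel32.dll and ws2_32.dll
# exports. A real run would enumerate the exports of clean DLLs instead.
KERNEL32 = ['CreateThread', 'ExitProcess', 'GetSystemDirectoryA', 'LoadLibraryA',
            'VirtualAlloc', 'VirtualFree', 'VirtualProtect']
WS2_32 = ['WSAGetLastError', 'WSAStartup', 'connect', 'recv', 'send', 'socket']


def sll1_add_hash32(name):
    # Per byte: OR with 0x60, add to the accumulator, shift left by one, keep
    # 32 bits. OR 0x60 folds ASCII upper case to lower case, so letters are
    # case-insensitive, but it also maps the digits 0..9 onto p..y, so for
    # example 'ws2_32' and 'wsr_sr' produce the same hash.
    val = 0
    for ch in name:
        b = (ord(ch) | 0x60) & 0xFF
        val = ((val + b) << 1) & 0xFFFFFFFF
    return val


def le_bytes(h):
    # The hash as it sits in the binary: a 32-bit little-endian immediate,
    # e.g. 0x000D5786 becomes '86 57 0D 00'.
    return ' '.join('%02X' % ((h >> (8 * i)) & 0xFF) for i in range(4))


def hash_table(names):
    # name -> hash for a set of exports (one DLL at a time in practice).
    return {n: sll1_add_hash32(n) for n in names}


def resolve(h, names):
    # Reverse lookup for a constant lifted from a sample (a push imm32, a
    # compare operand). Returns None when no known export hashes to it.
    for n in names:
        if sll1_add_hash32(n) == h:
            return n
    return None


def push_pattern(names):
    # 0x68 is push imm32 on x86. Chaining the pushes in source order gives
    # the kind of hex string used to find the call site that resolves them.
    return ' '.join('68 ' + le_bytes(sll1_add_hash32(n)) for n in names)


def yara_rule(rule_name, dll, names):
    # One hex string per export. 'any of them' on 4-byte values will also
    # match unrelated files; tighten the condition before deploying.
    lines = ['rule %s' % rule_name, '{', '    strings:']
    for n in names:
        lines.append('        $%s_%s = { %s }' % (dll, n, le_bytes(sll1_add_hash32(n))))
    lines += ['    condition:', '        uint16(0) == 0x5a4d and any of them', '}']
    return chr(10).join(lines)


if __name__ == '__main__':
    known = KERNEL32 + WS2_32 + ['kernel32.dll', 'ws2_32.dll']
    # The two constants pushed at the entry point of the initial exemplar.
    for h in (0x0038D13C, 0x000D4E88):
        print('0x%08X -> %s' % (h, resolve(h, known)))
    print(push_pattern(['VirtualProtect', 'kernel32.dll']))
    print(yara_rule('sll1add_kernel32', 'kernel32', KERNEL32))
```

Run as written, it resolves 0x0038D13C to VirtualProtect and 0x000D4E88 to kernel32.dll, and push_pattern for those two names reproduces the 68 3C D1 38 00 68 88 4E 0D 00 prefix of the Figure 6 string. Because OR 0x60 maps digits onto letters and the result is only 32 bits, collisions are easy to come by; use generated hash strings to triage and then confirm with the routine signature itself.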
I labeled\r\nthe function from Figure 5 manual_symbol_resolution and saved it to the UberFLIRT database to aid in future\r\nanalysis of similar exemplars.\r\nFigure 5: Manual Symbol Loading with Comments of Exemplar\r\nNow that I understood the initial exemplar, I proceeded to find similar exemplars.\r\nCreated a Tightly Scoped YARA Rule to Discover New Exemplars\r\nI used the following process to find additional exemplars:\r\ncreated API hash YARA rule to discover more exemplars\r\nanalyzed new exemplars with refined YARA rule\r\ncreated a tightly scoped YARA rule\r\nCreated API Hash YARA Rule to Discover More Exemplars\r\nThe YARA rule, shown in Figure 6, represents the push of the API hash value (0x0038D13C), the push of the DLL\r\nbase name hash value (0x000D4E88), and the call to manual_symbol_resolution.\r\nI used the YARA rule, shown in Figure 6, to discover an additional 36 potential exemplars. To discover these files,\r\nI used the CERT/CC's large archive of potentially malicious software artifacts called the Massive Analysis and\r\nStorage System (MASS). The MASS is a distributed system designed to download, process, analyze, and index\r\nterabytes of potentially malicious files on a daily basis.\r\nrule api_hashes_2_call\r\n{\r\n    // (2019-02-22)\r\n    strings:\r\n        // push 0x0038D13C ; push 0x000D4E88 ; call manual_symbol_resolution\r\n        $api_hashes_2_call = { 68 3C D1 38 00 68 88 4E 0D 00 E8 ?? ?? ?? ?? }\r\n    condition:\r\n        uint16(0) == 0x5a4d and $api_hashes_2_call\r\n}\r\nFigure 6: YARA Rule for the Two API Hash Pushes and the Call\r\nNote that the rule requires the MZ header (uint16(0) == 0x5a4d), so it will not match the same sequence in raw\r\nshellcode or a memory dump without a PE header.\r\nAnalyzed New Exemplars with Refined YARA Rule\r\nI refined the YARA rule from Figure 1, as shown in Figure 7, to further examine the 36 potential exemplars for the\r\nexistence of the API hashing routine. 
I assumed that if additional exemplars contained the string variable from the\r\nYARA rule shown in Figure 6, then these exemplars should have the API hashing routine from the YARA rule\r\nshown in Figure 7.\r\nrule energetic_bear_api_hashing_tool {\r\nmeta:\r\n    description = \"Energetic Bear - API Hashing\"\r\n    assoc_report = \"DHS Report TA17-293A\"\r\n    author = \"CERT RE Team\"\r\n    version = \"1\"\r\nstrings:\r\n    $api_hash_func = { 8A 08 84 C9 74 0D 80 C9 60 01 CB C1 E3 01 03 45 10 EB ED }\r\n    $http_push = \"X-mode: push\" nocase\r\n    $http_pop = \"X-mode: pop\" nocase\r\ncondition:\r\n    $api_hash_func and (uint16(0) == 0x5a4d or $http_push or $http_pop)\r\n}\r\nFigure 7: Refined YARA Rule\r\nUpon further analysis, I realized that some of the new exemplars did not alert with the YARA rule shown in Figure\r\n7. I analyzed this subset of exemplars and discovered two slight variations in the API hashing routine. The first\r\nwas an addition of one extra byte (the string pointer is advanced from a stack slot addressed through esp rather than\r\nebp, which takes an extra SIB byte and moves the backward jump by one), while the second dealt with 64-bit files (the\r\nsame loop with REX.W prefixes). In all three forms the jz displacement is wildcarded.\r\nCreated a Tightly Scoped YARA Rule\r\nI refined the YARA rule further to incorporate these two additional variations shown in Figure 8.\r\nrule energetic_bear_api_hashing_tool {\r\nmeta:\r\n    description = \"Energetic Bear API Hashing Tool\"\r\n    assoc_report = \"DHS Report TA17-293A\"\r\n    author = \"CERT RE Team\"\r\n    version = \"2\"\r\nstrings:\r\n    // mov cl,[eax] ; test cl,cl ; jz ; or cl,0x60 ; add ebx,ecx ; shl ebx,1 ; add eax,[ebp+0x10] ; jmp\r\n    $api_hash_func_v1 = { 8A 08 84 C9 74 ?? 80 C9 60 01 CB C1 E3 01 03 45 10 EB ED }\r\n    // same loop, pointer advanced from [esp+0x14]\r\n    $api_hash_func_v2 = { 8A 08 84 C9 74 ?? 80 C9 60 01 CB C1 E3 01 03 44 24 14 EB EC }\r\n    // 64-bit: add rbx,rcx ; shl rbx,1 ; add rax,[rbp+0x20]\r\n    $api_hash_func_x64 = { 8A 08 84 C9 74 ?? 80 C9 60 48 01 CB 48 C1 E3 01 48 03 45 20 EB EA }\r\n    $http_push = \"X-mode: push\" nocase\r\n    $http_pop = \"X-mode: pop\" nocase\r\ncondition:\r\n    ($api_hash_func_v1 or $api_hash_func_v2 or $api_hash_func_x64) and (uint16(0) == 0x5a4d or $http_push or $http_pop)\r\n}\r\nFigure 8: Tightly Scoped YARA Rule with All Variations\r\nYARA gives and higher precedence than or, so the three routine strings are grouped in parentheses; without them the\r\nheader check would apply only to the 64-bit string and the two 32-bit strings would fire on their own.\r\nThis YARA rule, shown in Figure 8, could be refined further by combining the API hash routines into one string\r\nvariable. However, when identifying new exemplars, I wanted to know which API hashing function was found in\r\nthe exemplar.\r\nDiscovered API Hashes Found in New Exemplars\r\nI turned my attention to identifying the sll1Add routine API hash values found in all of the 37 exemplars.\r\nAll exemplars had the sll1Add routine API hash values for functions from kernel32.dll. These are shown in Figure\r\n9.\r\nFunction             Bytes (little endian, as stored)\r\nCreateThread         14 F3 0C 00\r\nExitProcess          6A BC 06 00\r\nGetSystemDirectoryA  E6 B2 9B 06\r\nLoadLibraryA         86 57 0D 00\r\nVirtualAlloc         42 31 0E 00\r\nVirtualFree          8E 18 07 00\r\nVirtualProtect       3C D1 38 00\r\nFigure 9: sll1Add Module API Hash Values from kernel32.dll\r\nMost of the exemplars had the sll1Add routine API hash values for functions from ws2_32.dll, as shown in Figure\r\n10.\r\nFunction         Bytes (little endian, as stored)\r\nWSAGetLastError  70 71 71 00\r\nWSAStartup       14 93 03 00\r\nconnect          7C 67 00 00\r\nrecv             C0 0C 00 00\r\nsend             D8 0C 00 00\r\nsocket           A4 36 00 00\r\nFigure 10: sll1Add Module API Hash Values from ws2_32.dll\r\nThere were a few outliers that had the sll1Add routine API hash values for functions from wininet.dll. 
These are\r\nshown in Figure 11.\r\nFunction                Bytes (little endian, as stored)\r\nHttpAddRequestHeadersA  AE 57 5E 36\r\nHttpEndRequestA         DA 03 6D 00\r\nHttpOpenRequestA        DA BB DA 00\r\nHttpQueryInfoA          EE C3 36 00\r\nHttpSendRequestA        DA B3 DA 00\r\nInternetCloseHandle     1A DE BB 06\r\nInternetConnectA        BA 7B D7 00\r\nInternetOpenA           02 F0 1A 00\r\nInternetOpenUrlA        52 87 D7 00\r\nInternetReadFile        62 81 D7 00\r\nInternetSetOptionA      82 28 5E 03\r\nFigure 11: sll1Add Module API Hash Values from wininet.dll\r\nThe API hashes shown in Figures 10 and 11 indicate that these exemplars have potential network communications.\r\nI analyzed these exemplars to identify the network-based indicators of compromise (IOC). The use of two\r\ndifferent DLLs for network communications points to the existence of at least two different versions of the API\r\nhashing tool.\r\nI identified 29 unique IP address and port pairings, including private IP space, shown in Table 3, from 33 of 37\r\nexemplars. Several of those pairings are loopback, private (RFC 1918), or public resolver addresses (127.0.0.1,\r\n192.168.x.x, 8.8.8.8), which are not actionable as network indicators on their own.\r\nThe other 4 of 37 exemplars had a structured outbound POST request. For 2 of these 4, I captured the requests in a\r\npacket capture (pcap) using FakeNet. I had to infer the outbound POST request structure from strings for the\r\nremaining 2 exemplars. These POST requests are shown in Figures 12 and 13. 
The strings of the POST request are\r\nshown in Figures 14 and 15.\r\nPOST / HTTP/1.1\r\nX-mode: pop\r\nX-id: 0x00000000,0x5547a48a\r\nUser-Agent: Mozilla\r\nHost: 187.234.55.76:8080\r\nContent-Length: 0\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nFigure 12: Captured Network Communication from Exemplar (SHA256:\r\n2595c306f266d45d2ed7658d3aba9855f2b08682b771ca4dc0e4a47cb9015b64)\r\nPOST / HTTP/1.1\r\nX-mode: pop\r\nX-id: 0x00000000,0x5bc509c7\r\nUser-Agent: Mozilla\r\nHost: 4.34.48.68:18443\r\nContent-Length: 0\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nFigure 13: Captured Network Communication from Exemplar (SHA256:\r\n1b17ce735512f3104557afe3becacd05ac802b2af79dab5bb1a7ac8d10dccffd)\r\nX-mode: push\\r\\nX-type: more\\r\\nX-id: 0x00000000,0x523fe61c\\r\\n\r\nX-mode: push\\r\\nX-type: last\\r\\nX-id: 0x00000000,0x523fe61c\\r\\n\r\nX-mode: pop\\r\\n\\r\\nX-id: 0x00000000,0x523fe61c\\r\\n\r\nMozilla\r\nPOST\r\nFigure 14: Network Communication Strings from Exemplar (SHA256:\r\n34f567b1661dacacbba0a7b8c9077c50554adb72185c945656accb9c4460119a)\r\nX-mode: push\\r\\nX-type: more\\r\\nX-id: 0x00000000,0x5bc509c7\\r\\n\r\nPOST\r\nMozilla\r\nX-mode: pop\\r\\n\\r\\nX-id: 0x00000000,0x5bc509c7\\r\\n\r\nX-mode: push\\r\\nX-type: last\\r\\nX-id: 0x00000000,0x5bc509c7\\r\\n\r\nFigure 15: Network Communication Strings from Exemplar (SHA256:\r\n9676bacb77e91d972c31b758f597f7a5e111c7a674bbf14c59ae06dd721d529d)\r\nThis information can be turned into signatures for network intrusion detection systems, such as Snort or Suricata;\r\nthe non-standard X-mode, X-type, and X-id request headers, the bare User-Agent of Mozilla, and a POST with\r\nContent-Length: 0 are the distinctive features to key on rather than the destination addresses.\r\nQuestioned Attribution\r\nI attempted to identify other public reporting or research related to this Energetic Bear group API hashing tool. 
I\r\ndid not identify any public reporting or research.\r\nBecause of the link to the Energetic Bear group, I thought the exemplars could be a remote access Trojan (RAT),\r\nsuch as Havex, which is also attributed to this particular group. I discovered research by Veronica Valeros on A\r\nStudy of RATs: Third Timeline Iteration. I contacted her directly and asked if she recalled any of the RATs she\r\nresearched using an API hashing technique. She could not recall, but mentioned that it could have been missed\r\nbecause she was not explicitly looking for this technique. I used her research to attempt to identify RATs that use\r\nthis API hashing technique. I was unable to identify any publicly reported RAT using this technique.\r\nIdentified Future Work\r\nThis brings me to a couple of outstanding questions:\r\nWhy is this API hashing tool linked to the Energetic Bear group?\r\nWho actually wrote the YARA rule from Figure 1 found in DHS Alert TA17-293A?\r\nCan the author of the YARA rule provide more insight into this problem?\r\nI hope by publicly discussing this analysis that I can encourage information sharing and allow us, as a community,\r\nto engage in more detailed threat reporting.\r\nLastly, I have reached out to the MITRE ATT\u0026CK™ team to ask for an additional technique, API hashing, to be\r\nadded to its framework. During my analysis, I could not find this explicit technique listed in the framework.\r\nReported Results\r\nI expanded the corpus of information from the aforementioned trusted partner regarding DHS Alert TA17-293A. 
This\r\ninformation includes\r\na more concise YARA rule, shown in Figure 8\r\nadditional exemplars, shown in Table 2\r\nnetwork IOCs, shown in Table 3 (the two different network DLLs indicate at least 2 different versions of the tool)\r\nIf the attribution and my research are correct, this may be the first publicly documented report of an API hashing\r\ntechnique being used by a nation state actor.\r\nUpdates\r\n(May 3, 2019)\r\nI've worked with the MITRE Malware Attribute Enumeration and Characterization (MAEC™) team to have API\r\nHashing added to the Malware Behavior Catalog Matrix. You can find API Hashing listed as a Method under\r\nAnti-Static Analysis--Executable Code Obfuscation.\r\n(March 27, 2019)\r\nThe power of open source sharing has been positive. It was brought to my attention (thanks to Matt Brooks from\r\nCitizen Lab) that this API hashing tool is related to Trojan.Heriplor from Symantec's Dragonfly: Western energy\r\nsector targeted by sophisticated attack group report. The hash in Symantec's report is, in fact, one of the exemplars\r\nlisted in Table 2 of the appendix. Symantec provided this hash in the form of a picture, and I must have fat-fingered\r\nthe hash when transcribing it. However, this specific API hashing technique isn't mentioned in their report.\r\nThis corroboration does help to answer my own question from the Identified Future Work section. Symantec's\r\nTrojan.Heriplor analysis ties the tool I analyzed to Energetic Bear. 
More importantly, this\r\nlinkage also shows that this tool is still actively used.\r\nAppendix\r\nList of Clean DLL Files Used to Identify API Hashes\r\nTable 1: List of DLL Files\r\nadvapi32.dll\r\nadvpack.dll\r\navicap32.dll\r\ncomctl32.dll\r\ncomdlg32.dll\r\ngdi32.dll\r\nimagehlp.dll\r\niertutil.dll\r\nIPHLPAPI.DLL\r\nkernel32.dll\r\nmpr.dll\r\nmsvcrt.dll\r\nnetapi32.dll\r\nntdll.dll\r\nntoskrnl.exe\r\nole32.dll\r\npsapi.dll\r\noleaut32.dll\r\nsecur32.dll\r\nshell32.dll\r\nshlwapi.dll\r\nsrvsvc.dll\r\nurlmon.dll\r\nuser32.dll\r\nwin32k.sys\r\nwinhttp.dll\r\nwininet.dll\r\nwinmm.dll\r\nwship6.dll\r\nws2_32.dll\r\nHashes of Exemplars\r\nTable 2: List of Exemplars SHA256 Hash Values\r\n2595c306f266d45d2ed7658d3aba9855f2b08682b771ca4dc0e4a47cb9015b64\r\n9676bacb77e91d972c31b758f597f7a5e111c7a674bbf14c59ae06dd721d529d\r\n1b17ce735512f3104557afe3becacd05ac802b2af79dab5bb1a7ac8d10dccffd\r\nb1ef39b2d0e26a23f59554ba4aecca8f266d6a69de1225d6b5c46828e06e9903\r\n759445c7f68b55e90f23111c0e85d0da5456f2437e2360f4e808638d4c9020f7\r\n8893b621b0bbbe8d29bd2cee70b5318b81deaadb42dda3c1a1a970fe0b54e781\r\n1169853e30afd4fd2fbf34ef2c3028da6a81e9b6e1bd3bde077f13ad41e210de\r\n5a9b65f9ed0758d11f74af9195fa3263a93bd1127e389c9ad920d585aee603ce\r\n16e0188364ffcf738130436d08083306a52fe16bc45c2fbb3069d30a0de4995c\r\n8c5bbff5875079cc553a296eae0f8b516eb03410c5a51fa9ffb0b98d13e3e489\r\naeece7de386715cd187c23d8e6aef165c107183ca15ebec797c9c2c7f9b2782d\r\n0851abdd2b96779a43bd6144b3de4a7274f70c4e72ed96c113237ddcc669d3d0\r\n34f567b1661dacacbba0a7b8c9077c50554adb72185c945656accb9c4460119a\r\n16a3ad20b7c702808d29afacd1bcac626963d7d7b21ba7d0ea4d85403331dab0\r\nb051a5997267a5d7fa8316005124f3506574807ab2b25b037086e2e971564291\r\n12cc855139caed5256901d773c72a618e1cce730f7a47af91aa32541077b96a9\r\n834e4560cec6deae11c378c47b4be806d4048868ee5315ba080fe11650a7c74d\r\n58903fd6f2ecf56d0f90295d32c1ae29fe5250d3cf643ba2982257860b3f01a8\r\na9982010eeff3d2dd90757f10298fb511aeb538def94236d73b45ae92b416a50\r\naddf1024d36d73bb22d2cfc8db78f118883de9e26092dde3f56605cf2436ef12\r\n41395f0e1efc967fbd3ef2559f6307dd4dc331b1dd39ff9b0e239aeb83906555\r\n689e8995e41a6484b1ff47edf0c0d2e9b660f1965d83836eb94610c6c4110066\r\n064b5ff7890808b9c5ccdc2968fb7401c807a5a53132e6b1359ac46b2bec3c85\r\nc5d75c25ac791ccac327f5f68340a8cfd7f5640dd2614aef7c50af4f6f330d02\r\nc329462d39cdf794af1e4b5f2137a9141d9035932a4d64a99e3ce576219f337b\r\n5d1c2e1be2360d9d58f87bc8131cbb1079813f08f93e7b5d627dd53758372e0d\r\nc51f70707baa65cb88a97f0ffb5a3664d9c62a37e61909bd7710ecd6a2de59e7\r\n1fde10b6ddf54b8740394ead7005126825e1c79617ed771f9f6d20b4aa56782f\r\nc3a5251642fbfcf5a1dc6c91b32e4f37dde5b9bbf50ba3242e780a21c5af3989\r\n600637f424dbcfab99e0aec4397930df9f21f4eff880de8410e68098323d29fd\r\na9507f96c8730e7dc9b504087c89dece5042e01d931a6f9e0ca72fcdd7d8e57f\r\n16ee4abb23abf28cdce01413fd9bf01ff5e674d8bc97ddf09114b183ac14d2ac\r\nce8e9241ede7f74ce6c4f21acd5617a96e15be0cae0d543934ab297bfe1f7666\r\neb16465b4f8f876aa85001a6333f1175c2a20a1642d49f3179b451d26ae7d541\r\n6ca195ee197105a20daf7179d72624a55aff9b4efeff7a1dfc207d8da6135de9\r\n1246d8e86ffd2235bbd9cc9d8c32c3fbd19ede23d8f9f2ad8e58c19ef971c0d2\r\nc3449091b487f77cac165db9c69fbb430bf61b1787846f351cc15b46df83ee69\r\nIdentified Network Communications (Deduplicated)\r\nTable 3: List of Identified Network Communications\r\nIP Address Port\r\n187.234.55.76 8080\r\n4.34.48.68 18443\r\n78.38.244.10 25\r\n160.211.55.3 5555\r\n160.0.70.36 5555\r\n87.98.212.8 80\r\n143.248.95.119 55555\r\n69.196.157.195 80\r\n8.8.8.8 443\r\n143.248.222.15 55555\r\n121.200.62.194 8443\r\n80.255.10.235 80\r\n78.47.114.3 443\r\n192.9.226.2 5555\r\n172.22.2.16 50001\r\n127.0.0.1 5555\r\n192.168.1.49 25\r\n192.168.50.8 5555\r\n192.168.56.1 5555\r\n192.168.100.153 2222\r\n192.168.100.20 9999\r\n10.201.56.136 25\r\n192.168.1.49 25\r\n192.168.231.1 5555\r\nNo IP Address 5555\r\n192.168.19.134 1337\r\n172.16.214.1 5555\r\n172.24.8.41 25\r\n192.168.100.45 No port\r\nSource: https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html"
	],
	"report_names": [
		"api-hashing-tool-imagine-that.html"
	],
	"threat_actors": [
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "90307967-d5eb-4b7b-b8de-6fa2089a176e",
			"created_at": "2022-10-25T15:50:23.501119Z",
			"updated_at": "2026-04-10T02:00:05.347826Z",
			"deleted_at": null,
			"main_name": "Dragonfly 2.0",
			"aliases": [
				"Dragonfly 2.0",
				"IRON LIBERTY",
				"DYMALLOY",
				"Berserk Bear"
			],
			"source_name": "MITRE:Dragonfly 2.0",
			"tools": [
				"netsh",
				"Impacket",
				"MCMD",
				"CrackMapExec",
				"Trojan.Karagany",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE",
				"ATK6",
				"BROMINE",
				"CASTLE",
				"Crouching Yeti",
				"DYMALLOY",
				"Dragonfly",
				"Energetic Bear / Berserk Bear",
				"Ghost Blizzard",
				"TEMP.Isotope",
				"TG-4192"
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434851,
	"ts_updated_at": 1775791970,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/694c995bd92d815da556578c273f4e4d542dac7e.pdf",
		"text": "https://archive.orkl.eu/694c995bd92d815da556578c273f4e4d542dac7e.txt",
		"img": "https://archive.orkl.eu/694c995bd92d815da556578c273f4e4d542dac7e.jpg"
	}
}