{
	"id": "a506bdf1-9c68-4edd-a34c-d1d5ee94b8ed",
	"created_at": "2026-04-06T00:18:00.064118Z",
	"updated_at": "2026-04-10T03:19:59.615743Z",
	"deleted_at": null,
	"sha1_hash": "842239a58833c283f48b1becf123721cdafb8e5c",
	"title": "How Wazuh detects and responds to Mint Stealer | Wazuh",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 512349,
	"plain_text": "How Wazuh detects and responds to Mint Stealer | Wazuh\r\nBy Benjamin Nworah\r\nPublished: 2024-09-26 · Archived: 2026-04-05 14:37:50 UTC\r\nMint Stealer is a Python-based malware that steals data from web browsers, cryptocurrency wallets, VPN clients,\r\nmail clients, game applications, and more. Mint Stealer is sold as a malware-as-a-service (MaaS), designed to\r\ncovertly exfiltrate sensitive information from infected Windows endpoints to a command and control (C2) server.\r\nMint Stealer uses encryption and obfuscation techniques to evade detection and enhance its effectiveness on\r\ninfected endpoints. This malware is sold on multiple dedicated websites and with support provided to users\r\nthrough Telegram.\r\nThis blog post demonstrates how Wazuh detects and responds to Mint Stealer malware on infected Windows\r\nendpoints.\r\nBehavioral analysis of Mint Stealer\r\nMint Stealer malware exhibits the following behaviors during execution.\r\nMint Stealer extracts and uses content from its resource section as the next stage payload.\r\nThe malware creates a folder in the C:\\Users\\\u003cUSER_NAME\u003e\\AppData\\Local\\Temp folder. The folder\r\ncreated starts with onefile followed by the process ID of Setup.exe and the system time retrieved\r\nusing the GetSystemTimeAsFileTime API.\r\nIt creates DLL (Dynamic link library) files, Pyd (Python dynamic modules) files, and an executable file\r\nusually named vadimloader.exe in the C:\\Users\\\r\n\u003cUSER_NAME\u003e\\AppData\\Local\\Temp\\onefile_\u003cPID\u003e_\u003cSYSTEM_TIME\u003e folder. \r\nMint Stealer uses Setup.exe to run the executable file as a child process. 
The executable file reads all the\r\nfiles in C:\\Users\\\u003cUSER_NAME\u003e\\AppData\\Local\\Temp\\onefile_\u003cPID\u003e_\u003cSYSTEM_TIME\u003e and also loads the\r\nrequired libraries and code into the process memory for its operation.\r\nThe malware collects information from web browsers, cryptocurrency wallets, VPN clients, FTP clients,\r\nmessaging applications, and clipboards, among others. Mint Stealer also collects system and clipboard\r\ninformation using wmic and PowerShell commands, respectively.\r\nIt creates a folder inside C:\\Users\\\u003cUSER_NAME\u003e\\AppData\\Local\\Temp\\onefile_\u003cPID\u003e_\u003cSYSTEM_TIME\u003e that\r\nstarts with Save- followed by a randomly generated string. It saves all stolen data into this folder.\r\nMint Stealer compresses the Save-\u003cRANDOMLY_GENERATED_STRING\u003e folder into a ZIP archive with a name that\r\nstarts with Save- followed by a different random string.\r\nInfrastructure\r\nWe use the following infrastructure to demonstrate how to detect and respond to Mint Stealer with Wazuh:\r\nhttps://wazuh.com/blog/how-wazuh-detects-and-responds-to-mint-stealer/\r\nPage 1 of 17\n\nA pre-built, ready-to-use Wazuh OVA 4.9.0: Follow this guide to download the virtual machine (VM).\r\nThis VM hosts the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard).\r\nA Windows 10 endpoint: The victim endpoint has the Wazuh agent 4.9.0 installed and enrolled to the\r\nWazuh server. 
Refer to the following guide to install the Wazuh agent.\r\nDetection with Wazuh\r\nIn this blog post, we use the following techniques to detect the presence of Mint Stealer on a Windows 10\r\nendpoint.\r\nWazuh detection rules: This technique is used to detect malicious activities performed by Mint Stealer\r\nmalware.\r\nYARA integration with Wazuh: This technique is used to detect the presence of Mint Stealer malware\r\nand remove it before it can do any damage.\r\nWazuh detection rules\r\nWe use Sysmon to monitor several system events and create rules on the Wazuh server to detect the malicious\r\nactivities performed by Mint Stealer malware.\r\nWindows endpoint\r\nPerform the following steps to configure Sysmon on the monitored endpoint and forward logs in the Sysmon\r\nevent channel to the Wazuh server for analysis.\r\n1. Download Sysmon from the Microsoft Sysinternals page.\r\n2. Extract the compressed Sysmon file to your preferred location.\r\n3. Download the Sysmon configuration file – sysmonconfig.xml using PowerShell. Replace\r\n\u003cSYSMON_EXECUTABLE_PATH\u003e with the path to your Sysmon executable.\r\n\u003e wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile \u003cSYSMON_EXECUTABLE_PATH\u003e\\sysmonconfig.xml\r\n4. Switch to the directory with the Sysmon executable. 
Run the command below to install and start Sysmon using\r\nPowerShell with Administrator privileges:\r\n\u003e .\\Sysmon64.exe -accepteula -i .\\sysmonconfig.xml\r\n5. Add the following configuration within the \u003cossec_config\u003e block of the C:\\Program Files (x86)\\ossec-agent\\ossec.conf file to forward Sysmon events to the Wazuh server:\r\n\u003c!-- Configure Wazuh agent to receive events from Sysmon --\u003e\r\n\u003clocalfile\u003e\r\n \u003clocation\u003eMicrosoft-Windows-Sysmon/Operational\u003c/location\u003e\r\n \u003clog_format\u003eeventchannel\u003c/log_format\u003e\r\n\u003c/localfile\u003e\r\n6. Restart the Wazuh agent for the changes to take effect:\r\n\u003e Restart-Service -Name wazuh\r\nWazuh server\r\nPerform the following steps to configure rules to detect malicious activities of the Mint Stealer malware.\r\n1. Create a new file mint_stealer_malware.xml in the /var/ossec/etc/rules/ directory:\r\n# touch /var/ossec/etc/rules/mint_stealer_malware.xml\r\n2. 
Edit the file /var/ossec/etc/rules/mint_stealer_malware.xml and include the following detection rules for\r\nMint Stealer malware:\r\n\u003cgroup name=\"windows,sysmon,mint_stealer,\"\u003e\r\n  \u003c!-- Mint Stealer creates a malicious executable file --\u003e\r\n  \u003crule id=\"100190\" level=\"8\"\u003e\r\n    \u003cif_sid\u003e92213\u003c/if_sid\u003e\r\n    \u003cfield name=\"win.system.eventID\"\u003e11\u003c/field\u003e\r\n    \u003cfield name=\"win.eventdata.image\" type=\"pcre2\"\u003e(?i)\\\\\\\\.+exe\u003c/field\u003e\r\n    \u003cfield name=\"win.eventdata.targetFilename\" type=\"pcre2\"\u003e(?i)\\\\\\\\Local\\\\\\\\Temp\\\\\\\\onefile_\d+_\d+\\\\\\\\.+exe\u003c/field\u003e\r\n    \u003cdescription\u003ePossible Mint Stealer malware detected. Malware creates a malicious executable $(win.eventdata.targetFilename).\u003c/description\u003e\r\n  \u003c/rule\u003e\r\n  \u003c!-- Mint Stealer loads DLL or Pyd files --\u003e\r\n  \u003crule id=\"100191\" level=\"8\"\u003e\r\n    \u003cif_sid\u003e61609\u003c/if_sid\u003e\r\n    \u003cfield name=\"win.eventdata.image\" type=\"pcre2\"\u003e(?i)\\\\\\\\.+exe\u003c/field\u003e\r\n    \u003cfield name=\"win.eventdata.imageLoaded\" type=\"pcre2\"\u003e(?i)\\\\\\\\Local\\\\\\\\Temp\\\\\\\\onefile_\d+_\d+\\\\\\\\.+(dll|pyd)\u003c/field\u003e\r\n    \u003cdescription\u003ePossible Mint Stealer malware detected. $(win.eventdata.imageLoaded) file loaded by $(win.eventdata.image).\u003c/description\u003e\r\n    \u003cmitre\u003e\r\n      \u003cid\u003eT1574.002\u003c/id\u003e\r\n    \u003c/mitre\u003e\r\n  \u003c/rule\u003e\r\n  \u003c!-- Mint Stealer gathers victim host information using wmic command --\u003e\r\n  \u003crule id=\"100192\" level=\"10\"\u003e\r\n    \u003cif_sid\u003e92032\u003c/if_sid\u003e\r\n    \u003cmatch type=\"pcre2\"\u003e(?i)\\\\\\\\cmd.exe /c \\\\\"wmic (os|csproduct|cpu|computersystem) get \u003c/match\u003e\r\n    \u003cdescription\u003ePossible Mint Stealer malware detected. Malware steals system information using wmic command.\u003c/description\u003e\r\n    \u003cmitre\u003e\r\n      \u003cid\u003eT1592\u003c/id\u003e\r\n    \u003c/mitre\u003e\r\n  \u003c/rule\u003e\r\n  \u003c!-- Mint Stealer attempts to steal clipboard data using PowerShell --\u003e\r\n  \u003crule id=\"100193\" level=\"8\" ignore=\"1200\"\u003e\r\n    \u003cif_sid\u003e92021\u003c/if_sid\u003e\r\n    \u003cfield name=\"win.eventdata.parentImage\" type=\"pcre2\"\u003e(?i)\\\\\\\\.+exe\u003c/field\u003e\r\n    \u003cmatch type=\"pcre2\"\u003e(?i)powershell get-clipboard\u003c/match\u003e\r\n    \u003cdescription\u003ePossible Mint Stealer malware detected. Malware attempts to steal clipboard data using PowerShell.\u003c/description\u003e\r\n    \u003cmitre\u003e\r\n      \u003cid\u003eT1115\u003c/id\u003e\r\n    \u003c/mitre\u003e\r\n  \u003c/rule\u003e\r\n\u003c/group\u003e\r\nThe following rule IDs are triggered when Wazuh detects the malicious activities of the Mint Stealer malware:\r\nRule ID 100190 is triggered when Mint Stealer creates a malicious executable file.\r\nRule ID 100191 is triggered when Mint Stealer loads DLL or Pyd files.\r\nRule ID 100192 is triggered when the malware gathers information like CPU, OS name, system name\r\nfrom the victim endpoint using wmic.\r\nRule ID 100193 is triggered when the malware attempts to steal clipboard information from the victim\r\nendpoint using PowerShell.\r\n3. Restart the Wazuh manager for the changes to take effect:\r\n# sudo systemctl restart wazuh-manager\r\nVisualizing alerts on the Wazuh dashboard\r\nThe alerts below are generated on the Wazuh dashboard when the Mint Stealer malware infects the victim\r\nendpoint. Perform the following steps to view the alerts on the Wazuh dashboard.\r\n1. Navigate to Threat intelligence \u003e Threat Hunting.\r\n2. Click + Add filter. Then, filter by rule.id in the Field field.\r\n3. Filter for is one of in the Operator field.\r\n4. Filter for 100190, 100191, 100192 and 100193 in the Values field.\r\n5. Click Save.\r\nYARA integration with Wazuh\r\nYARA is an open source and multi-platform tool that identifies and classifies malware samples based on their\r\ntextual or binary patterns. 
In this blog post, we use the Wazuh Active Response module to automatically execute a\r\nYARA scan on files added or modified in the Downloads folder of the monitored Windows endpoint.\r\nWindows endpoint\r\nTo download and install YARA, we require the following packages installed on the victim endpoint:\r\nPython v 3.8.7 or later (with pip pre-installed).\r\nMicrosoft Visual C++ 2015 Redistributable.\r\nAfter installing the above packages, perform the steps below to download the YARA executable:\r\n1. Launch PowerShell with administrator privileges and download YARA:\r\n\u003e Invoke-WebRequest -Uri https://github.com/VirusTotal/yara/releases/download/v4.5.2/yara-v4.5.2-2326-win64.zip -OutFile v4.5.2-2326-win64.zip\r\n2. Extract the YARA executable:\r\n\u003e Expand-Archive v4.5.2-2326-win64.zip\r\n3. 
Create a folder named C:\\Program Files (x86)\\ossec-agent\\active-response\\bin\\yara\\ and copy the\r\nYARA binary into it:\r\n\u003e mkdir 'C:\\Program Files (x86)\\ossec-agent\\active-response\\bin\\yara\\'\r\n\u003e cp .\\v4.5.2-2326-win64\\yara64.exe 'C:\\Program Files (x86)\\ossec-agent\\active-response\\bin\\yara\\'\r\nPerform the steps below to download YARA rules:\r\n1. Using the same PowerShell terminal launched earlier, install valhallaAPI using the pip utility:\r\n\u003e pip install valhallaAPI\r\n2. Create the file download_yara_rules.py and copy the following script into it:\r\nfrom valhallaAPI.valhalla import ValhallaAPI\r\nv = ValhallaAPI(api_key=\"1111111111111111111111111111111111111111111111111111111111111111\")\r\nresponse = v.get_rules_text()\r\nwith open('yara_rules.yar', 'w') as fh:\r\n    fh.write(response)\r\n3. 
Download YARA rules and copy them to the C:\\Program Files (x86)\\ossec-agent\\active-response\\bin\\yara\\rules\\ folder:\r\n\u003e python download_yara_rules.py\r\n\u003e mkdir 'C:\\Program Files (x86)\\ossec-agent\\active-response\\bin\\yara\\rules\\'\r\n\u003e cp yara_rules.yar 'C:\\Program Files (x86)\\ossec-agent\\active-response\\bin\\yara\\rules\\'\r\n4. Edit the file C:\\Program Files (x86)\\ossec-agent\\active-response\\bin\\yara\\rules\\yara_rules.yar and\r\nadd the following YARA rule to detect the Mint Stealer malware:\r\nrule MintStealer\r\n{\r\n  meta:\r\n    Author = \"Benjamin Nworah\"\r\n    Description = \"Detect Mint Stealer malware\"\r\n    Date = \"13-09-2024\"\r\n    Hash1 = \"1064ab9e734628e74c580c5aba71e4660ee3ed68db71f6aa81e30f148a5080fa\" // SHA-256 Hash\r\n    Hash2 = \"cc93a4627a459d505c46de6fac342f856fb8f95b6a4fdcbd5e48be59aa4cbb7b\" // SHA-256 Hash\r\n  strings:\r\n    $a1 = \"FindResource\"\r\n    $a2 = \"GetSystemTimeAsFileTime\"\r\n    $a3 = /NUITKA.{1,15}/\r\n  condition:\r\n    all of ($a*)\r\n}\r\n5. Edit the Wazuh agent file C:\\Program Files (x86)\\ossec-agent\\ossec.conf and add the below configuration\r\nwithin the \u003csyscheck\u003e block to monitor the Downloads folders of all users in real-time:\r\n\u003cdirectories realtime=\"yes\"\u003eC:\\Users\\*\\Downloads\u003c/directories\u003e\r\nNote: In this blog post, the Downloads folders of all users are monitored. However, you can configure other\r\nfolders you intend to monitor.\r\n6. Create a batch file yara.bat in the C:\\Program Files (x86)\\ossec-agent\\active-response\\bin\\ folder. 
The\r\nWazuh active response module executes this file to initiate YARA scans for malware detection and removal:\r\n:: This script deletes Mint Stealer malware and other malicious files matched by the YARA Rules\r\n@echo off\r\nsetlocal enableDelayedExpansion\r\nreg Query \"HKLM\\Hardware\\Description\\System\\CentralProcessor\\0\" | find /i \"x86\" \u003e NUL \u0026\u0026 SET OS=32BIT || SET OS=64BIT\r\nif %OS%==32BIT (\r\n SET log_file_path=\"%programfiles%\\ossec-agent\\active-response\\active-responses.log\"\r\n)\r\nif %OS%==64BIT (\r\n SET log_file_path=\"%programfiles(x86)%\\ossec-agent\\active-response\\active-responses.log\"\r\n)\r\nset input=\r\nfor /f \"delims=\" %%a in ('PowerShell -command \"$logInput = Read-Host; Write-Output $logInput\"') do (\r\n set input=%%a\r\n)\r\nset json_file_path=\"C:\\Program Files (x86)\\ossec-agent\\active-response\\stdin.txt\"\r\nset syscheck_file_path=\r\necho %input% \u003e %json_file_path%\r\nFOR /F \"tokens=* USEBACKQ\" %%F IN (`Powershell -Nop -C \"(Get-Content 'C:\\Program Files (x86)\\ossec-agent\\active-response\\stdin.txt'|ConvertFrom-Json).parameters.alert.syscheck.path\"`) DO (\r\n SET syscheck_file_path=%%F\r\n)\r\nset yara_exe_path=\"C:\\Program Files (x86)\\ossec-agent\\active-response\\bin\\yara\\yara64.exe\"\r\nset yara_rules_path=\"C:\\Program Files (x86)\\ossec-agent\\active-response\\bin\\yara\\rules\\yara_rules.yar\"\r\necho %syscheck_file_path% \u003e\u003e %log_file_path%\r\nfor /f \"delims=\" %%a in ('powershell -command \"\u0026 \\\"%yara_exe_path%\\\" \\\"%yara_rules_path%\\\" \\\"%syscheck_file_path%\\\"\"') do (\r\n echo wazuh-yara: INFO - Scan result: %%a \u003e\u003e %log_file_path%\r\n :: Deleting the scanned file.\r\n del /f \"%syscheck_file_path%\"\r\n echo wazuh-yara: INFO - Successfully deleted: %%a \u003e\u003e %log_file_path%\r\n)\r\nexit /b\r\n7. 
Restart the Wazuh agent using PowerShell for the changes to take effect:\r\n\u003e Restart-Service -Name wazuh\r\nWazuh server\r\nPerform the following steps to configure custom decoders, rules, and the Active Response module on the Wazuh\r\nserver.\r\n1. Edit the file /var/ossec/etc/decoders/local_decoder.xml on the Wazuh server and include the following\r\ndecoders:\r\n\u003c!-- The decoders parse logs from the YARA scans --\u003e\r\n\u003cdecoder name=\"yara_decoder\"\u003e\r\n  \u003cprematch\u003ewazuh-yara:\u003c/prematch\u003e\r\n\u003c/decoder\u003e\r\n\u003cdecoder name=\"yara_decoder1\"\u003e\r\n  \u003cparent\u003eyara_decoder\u003c/parent\u003e\r\n  \u003cregex\u003ewazuh-yara: (\\S+) - Scan result: (\\S+) (\\S+)\u003c/regex\u003e\r\n  \u003corder\u003elog_type, yara_rule, yara_scanned_file\u003c/order\u003e\r\n\u003c/decoder\u003e\r\n\u003cdecoder name=\"yara_decoder1\"\u003e\r\n  \u003cparent\u003eyara_decoder\u003c/parent\u003e\r\n  \u003cregex\u003ewazuh-yara: (\\S+) - Successfully deleted: (\\S+) (\\S+)\u003c/regex\u003e\r\n  \u003corder\u003elog_type, yara_rule, yara_scanned_file\u003c/order\u003e\r\n\u003c/decoder\u003e\r\n2. Edit the file /var/ossec/etc/rules/local_rules.xml on the Wazuh server and include the following rules:\r\n\u003cgroup name=\"syscheck,\"\u003e\r\n  \u003c!-- File modified in the Downloads folder --\u003e\r\n  \u003crule id=\"100028\" level=\"7\"\u003e\r\n    \u003cif_sid\u003e550\u003c/if_sid\u003e\r\n    \u003cfield name=\"file\" type=\"pcre2\"\u003e(?i)C:\\\\Users.+Downloads\u003c/field\u003e\r\n    \u003cdescription\u003eFile modified in the Downloads folder.\u003c/description\u003e\r\n  \u003c/rule\u003e\r\n  \u003c!-- File added to the Downloads folder --\u003e\r\n  \u003crule id=\"100029\" level=\"7\"\u003e\r\n    \u003cif_sid\u003e554\u003c/if_sid\u003e\r\n    \u003cfield name=\"file\" type=\"pcre2\"\u003e(?i)C:\\\\Users.+Downloads\u003c/field\u003e\r\n    \u003cdescription\u003eFile added to the Downloads folder.\u003c/description\u003e\r\n  \u003c/rule\u003e\r\n\u003c/group\u003e\r\n\u003c!-- Rule for the decoder (yara_decoder) --\u003e\r\n\u003cgroup name=\"yara,\"\u003e\r\n  \u003crule id=\"100194\" level=\"0\"\u003e\r\n    \u003cdecoded_as\u003eyara_decoder\u003c/decoded_as\u003e\r\n    \u003cdescription\u003eYara grouping rule\u003c/description\u003e\r\n  \u003c/rule\u003e\r\n  \u003c!-- YARA scan detects a positive match --\u003e\r\n  \u003crule id=\"100195\" level=\"12\"\u003e\r\n    \u003cif_sid\u003e100194\u003c/if_sid\u003e\r\n    \u003cmatch type=\"pcre2\"\u003ewazuh-yara: INFO - Scan result: \u003c/match\u003e\r\n    \u003cdescription\u003eFile \"$(yara_scanned_file)\" is a positive match. Yara rule: $(yara_rule)\u003c/description\u003e\r\n  \u003c/rule\u003e\r\n  \u003crule id=\"100196\" level=\"12\"\u003e\r\n    \u003cif_sid\u003e100194\u003c/if_sid\u003e\r\n    \u003cmatch type=\"pcre2\"\u003ewazuh-yara: INFO - Successfully deleted: \u003c/match\u003e\r\n    \u003cdescription\u003eSuccessfully removed \"$(yara_scanned_file)\". YARA rule: $(yara_rule)\u003c/description\u003e\r\n  \u003c/rule\u003e\r\n\u003c/group\u003e\r\n3. Add the following configuration to the Wazuh server file /var/ossec/etc/ossec.conf within the\r\n\u003cossec_config\u003e block:\r\n\u003c!-- The YARA batch script is executed when a file is added or modified in the Downloads folder monitored by Wazuh --\u003e\r\n\u003ccommand\u003e\r\n  \u003cname\u003eyara\u003c/name\u003e\r\n  \u003cexecutable\u003eyara.bat\u003c/executable\u003e\r\n  \u003ctimeout_allowed\u003eno\u003c/timeout_allowed\u003e\r\n\u003c/command\u003e\r\n\u003cactive-response\u003e\r\n  \u003ccommand\u003eyara\u003c/command\u003e\r\n  \u003clocation\u003elocal\u003c/location\u003e\r\n  \u003crules_id\u003e100028,100029\u003c/rules_id\u003e\r\n\u003c/active-response\u003e\r\n4. 
Restart the Wazuh manager for the changes to take effect:\r\nhttps://wazuh.com/blog/how-wazuh-detects-and-responds-to-mint-stealer/\r\nPage 15 of 17\n\n# systemctl restart wazuh-manager\r\n# systemctl restart wazuh-manager\r\n# systemctl restart wazuh-manager\r\nVisualizing alerts on the Wazuh dashboard\r\nThe Wazuh dashboard shows alerts when the Mint Stealer malware is downloaded to the Downloads folder of the\r\nvictim endpoint. Perform the following steps to view the alerts on the Wazuh dashboard.\r\n1. Navigate to Threat intelligence \u003e Threat Hunting.\r\n2. Click + Add filter. Then filter by rule.id in the Field field.\r\n3. Filter for is one of in the Operator field.\r\n4. Filter for 100029 , 100195 , and 100196 in the Values field.\r\n5. Click Save.\r\nConclusion\r\nIn this blog post, we used Sysmon integration with Wazuh to detect the malicious activities performed by Mint\r\nStealer malware. We also used YARA integration with Wazuh to detect and remove this malware once it is\r\ndownloaded to an endpoint.\r\nWazuh is a free and open source enterprise-ready security platform for uncovering security threats, incident\r\nresponse, and compliance. Wazuh integrates with third-party technologies. We also have a growing community\r\nwhere users are supported. To learn more about Wazuh, please check out our documentation and blog posts.\r\nReferences\r\nMint Stealer: A Comprehensive Study of a Python-Based Information Stealer\r\nMint Stealer: New MaaS Malware Threatens Confidential Data\r\nhttps://wazuh.com/blog/how-wazuh-detects-and-responds-to-mint-stealer/\r\nPage 16 of 17\n\nSource: https://wazuh.com/blog/how-wazuh-detects-and-responds-to-mint-stealer/\r\nhttps://wazuh.com/blog/how-wazuh-detects-and-responds-to-mint-stealer/\r\nPage 17 of 17",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://wazuh.com/blog/how-wazuh-detects-and-responds-to-mint-stealer/"
	],
	"report_names": [
		"how-wazuh-detects-and-responds-to-mint-stealer"
	],
	"threat_actors": [],
	"ts_created_at": 1775434680,
	"ts_updated_at": 1775791199,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/842239a58833c283f48b1becf123721cdafb8e5c.pdf",
		"text": "https://archive.orkl.eu/842239a58833c283f48b1becf123721cdafb8e5c.txt",
		"img": "https://archive.orkl.eu/842239a58833c283f48b1becf123721cdafb8e5c.jpg"
	}
}