{
	"id": "2e9dcf2e-12aa-4cfd-a0f3-d339ae91c798",
	"created_at": "2026-04-06T00:10:38.576419Z",
	"updated_at": "2026-04-10T03:30:33.844349Z",
	"deleted_at": null,
	"sha1_hash": "97320b566099a47ca87a03f137cc20eb167b699a",
	"title": "In the Shadows: Vawtrak Aims to Get Stealthier by adding New Data Cloaking | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 693389,
	"plain_text": "In the Shadows: Vawtrak Aims to Get Stealthier by adding New Data Cloaking | Proofpoint US\r\nBy Darien Huss and Matthew Mesa, October 01, 2015\r\nPublished: 2015-09-30 · Archived: 2026-04-05 13:08:28 UTC\r\nIn what is likely to be a short-lived cessation in Dridex campaigns while the criminal proponents behind that malware scramble to find a new delivery channel, it appears as though other malware purveyors may be positioning themselves to take additional market share of the lucrative crimeware arena. One recent development saw Vawtrak, previously a second-tier banking and information stealing trojan, emerge with new capabilities -- most notably new methods for data encoding and changes to C2 communication that appear to be an attempt to improve on the malware’s detection evasion.\r\n \r\nPart I: Attack Vectors and Infiltration\r\nBefore it can leverage its new capabilities, Vawtrak must be delivered to a target. While attachment-based phishing remains a leading delivery vector, Proofpoint also observed exploit kit-based attacks (aka “drive-by downloads”) delivering this updated variant starting in late September.\r\nAttachment-Based Phishing\r\nProofpoint observed several high volume email campaigns delivering the new Vawtrak variant. The emails claimed to have attachments that were faxes (Figure 1), subpoenas, price lists or financial reports in order to persuade the user to click on and open the attachment. The attachments contained macros from a service known as Xbagging or Bartalex [1], which in turn downloaded the Pony malware dropper from a remote internet site. Pony then downloaded and executed the Vawtrak payload.\r\nhttps://www.proofpoint.com/us/threat-insight/post/In-The-Shadows\r\nPage 1 of 15\n\nFigure 1. Email lure\r\nFigure 2. 
Malicious attachment\r\nProofpoint researchers have observed the following subjects and lures being used in the latest campaign to distribute the new variant of Vawtrak:\r\nDate | Email Subject | Lure\r\nSept 17 | Re: Re: defamation lawsuit | Subpoena\r\nSept 22 | Re: Re: Re: | Financial report\r\nSept 23 | Re: New offer | Price list\r\nSept 24 | New 2 page(s) eFax from \u003cphone number\u003e | Fax\r\nSept 28 | New 3 page(s) eFax from \u003cphone number\u003e | Fax\r\nSept 29 | You have 1 new eVoice Voicemail (Callback: \u003cphone number\u003e) | Voice message\r\nSept 30 | You have 1 new eVoice Voicemail (Callback: \u003cphone number\u003e) | Voice message\r\nExploit Kit-Based Delivery\r\nProofpoint researchers have also observed this Vawtrak variant distributed through the Angler exploit kit. In the example shown in Figure 3, we observed a malicious TDS (traffic distribution system) which led to an instance of Angler EK downloading Bedep. Bedep then performed its usual routines (e.g., created a hidden desktop that engaged in ad-fraud via browsing and other botnet attacks), but also downloaded Vawtrak.\r\nFigure 3. Angler EK distributing Bedep -\u003e Vawtrak\r\nPart II: Command \u0026 Control and Data Exfiltration -- Vawtrak gets an upgrade\r\nUnderstanding communication to C2 and malware configuration files can play an important role in organizations’ detection of malware and remediation thereof, enabling better assessment of the damage malware might have inflicted. The latest observed variant of Vawtrak has incorporated definitive changes designed to further thwart such efforts by defenders.\r\nModified Encoding and Encryption\r\nAs previous research has described [2,3,4], Vawtrak has historically used an encoding method resembling a Vernam cipher (a keystream combined byte by byte with the data) to hide configuration files, suspicious strings and mask data exfiltrated to C2. 
In its latest incarnation, Vawtrak still derives the key used to encrypt the data from a linear congruential generator (LCG) driven as a pseudorandom number generator (PRNG); however, the PRNG step itself has changed. The code below is a simplified version of the new PRNG algorithm written in Python (the multiplier 0x41C64E6D and increment 0x3039 are the constants of the classic ANSI C / MSVC rand() LCG, which is a useful landmark when locating the routine in a disassembler):\r\ndef prng(seed):\r\n    return ((seed * 0x41C64E6D) + 0x3039) \u0026 0xFFFFFFFF\r\nString Encoding\r\nString encoding uses the keystream produced by the new PRNG: each generated key is subtracted from the corresponding ciphertext byte to recover the plaintext byte. The first DWORD in the encoded string is used as the seed, while that same value is XOR’ed against the second DWORD to calculate the size of the encoded string. The encoded string begins at the position after the second DWORD. Most suspicious strings in the unpacked Vawtrak DLL are encoded using this method.\r\nHTTP Beacons\r\nThe HTTP traffic that is generated by Vawtrak to exfiltrate data to C2 is correspondingly changed, now drastically different in appearance as well as functionality. Figure 4 shows an example of the HTTP traffic generated by Vawtrak during the initial check-in with C2.\r\nFigure 4. Vawtrak HTTP C2 check-in\r\nPHPSESSID is used to transport an encoded RC4 key and additional data. The first 4 bytes of the decoded Cookie are used to RC4 encrypt the data contained in the POST’s client body. (A 4-byte RC4 key leaves only a 2^32 key space, so if the cookie cannot be decoded, a captured body can still be recovered by an offline search provided there is a way to recognise a correct decryption, such as the binary structure described next.) This variant of Vawtrak utilizes a binary structure for most of the data transmitted to C2, as can be seen in the decrypted network traffic in Figure 5. This same encoding method is used during the exfiltration of credentials.\r\nFigure 5. 
Decrypted Vawtrak HTTP check-in\r\nDepending on what is being exfiltrated, LZMAT is sometimes used to compress the exfiltrated data prior to encryption. Figure 6 shows the decrypted HTTP client body during an American Express attempted login, but the data is not yet in its plaintext format as it has been compressed with LZMAT. Figure 7 illustrates the observed plaintext data after it has been decompressed using LZMAT.\r\nFigure 6. Decrypted but still compressed Vawtrak HTTP exfiltrated data\r\nFigure 7. Decompressed data from Figure 6\r\nConfig encoding\r\nThis variant of Vawtrak typically receives a raw (no encoding) binary blob of data immediately after the initial check-in. This blob contains a binary structure that may contain separate segments, including but not limited to an encoded configuration, URLs for retrieving additional modules, and a URL for retrieving an updated version of itself.\r\nTo decode the configuration file, Vawtrak first uses the exact same decoding method that is used to decode suspicious strings. Next, the configuration file is decompressed using LZMAT. After decompression, the configuration is contained in a binary data structure which contains several further encoded configuration segments. Figure 8 depicts the purpose of the first few bytes of this structure.\r\nFigure 8. Decompressed encoded Vawtrak configuration\r\nThe next and last layer of encoding that Vawtrak uses to protect its configuration is a simple substitution cipher, where the S-box is created using the same PRNG algorithm. Each individual inject, target URL, etc., is contained in its own structure and decoded separately. In short, a delivered configuration passes through three layers before it is usable: the subtraction LCG decoding shared with strings, LZMAT decompression, and a per-segment PRNG-derived substitution.\r\nStoring Configuration\r\nIn addition to decoding the configuration immediately upon receiving it, Vawtrak also stores the encoded configuration in the registry after adding an additional layer of encoding. 
First, the seed (first DWORD) is XOR’ed against the VolumeSerialNumber of the drive that contains the path returned by the Windows API function GetTempPath. Next, the entire encoded configuration is encoded further using the addition LCG algorithm. This value is then stored in the registry using an encoded key. We have observed this variant using the following registry keys denoting the configuration file:\r\n- ”#0”\r\n- ”#1”\r\nThese keys are encoded in a similar fashion to older variants, except that they are first XOR’ed against the VolumeSerialNumber. Because the serial number enters both the seed and the key names, a registry export alone is not enough to recover the stored configuration: responders should also capture the volume serial number of the infected host (the vol command prints it) alongside the export. Figure 9 contains a screenshot of stored Vawtrak information, while the highlighted key contains the encoded configuration.\r\nFigure 9. Vawtrak information stored in the Registry\r\nRetrieving Modules\r\nAs mentioned in the previous section, when Vawtrak receives its configuration from C2 it may also receive a list of URIs pointing to additional modules. Vawtrak spawns a new thread for each module it should retrieve. The module is first received in an encoded state, which is decoded using the same subtraction LCG algorithm described in the previous sections. The decoded module contains an RSA signature at the beginning, which is used to verify the integrity of the compressed module. Every decompressed “module” we have analyzed contained both an x86 and an x64 version of the module. Each module may then be decompressed separately depending on the architecture of the infected machine. 
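As an added illustration of the subtraction LCG scheme that the String Encoding, Config encoding and Retrieving Modules sections all rely on, the Python below is the editor's own code, not Proofpoint's tooling and not code recovered from Vawtrak. It implements the prng() step from the post, the subtract/add keystream passes, the seed/size string header, and a heuristic scanner that pulls candidate encoded strings out of a buffer such as an unpacked DLL image. The post does not say which byte of the 32-bit LCG state is subtracted from each ciphertext byte, nor whether the header DWORDs are little-endian; the example assumes the low byte and little-endian DWORDs, and both assumptions may need adjusting against a real sample. The sample image is constructed inline.

```python
import struct

# Constants from the post: the ANSI C / MSVC rand() LCG.
LCG_MULT = 0x41C64E6D
LCG_INC = 0x3039


def prng(seed):
    # One LCG step, as given in the post (32-bit wraparound).
    return ((seed * LCG_MULT) + LCG_INC) & 0xFFFFFFFF


def keystream(seed, n):
    # Yield n key bytes. ASSUMPTION (not stated in the post): the key byte
    # is the low byte of each successive LCG state.
    for _ in range(n):
        seed = prng(seed)
        yield seed & 0xFF


def lcg_subtract(seed, data):
    # Decode direction: plaintext = (ciphertext - key) mod 256 per byte.
    # This is the pass the post describes for strings, the first config
    # layer and downloaded modules.
    return bytes((c - k) & 0xFF for c, k in zip(data, keystream(seed, len(data))))


def lcg_add(seed, data):
    # Encode direction (the post's addition LCG): (plaintext + key) mod 256.
    return bytes((p + k) & 0xFF for p, k in zip(data, keystream(seed, len(data))))


def decode_string(blob):
    # Header layout from the post: DWORD seed, DWORD (seed XOR size), body.
    if len(blob) < 8:
        raise ValueError('blob too short for the 8-byte header')
    seed, masked = struct.unpack_from('<II', blob, 0)
    size = seed ^ masked
    body = blob[8:8 + size]
    if len(body) != size:
        raise ValueError('size field %d exceeds available data' % size)
    return lcg_subtract(seed, body)


def encode_string(plaintext, seed):
    # Inverse of decode_string; used here only to build the sample image.
    header = struct.pack('<II', seed, seed ^ len(plaintext))
    return header + lcg_add(seed, plaintext)


PRINTABLE = frozenset(range(0x20, 0x7F))


def find_encoded_strings(buf, min_len=4, max_len=1024):
    # Heuristic scan: at every offset treat the next two DWORDs as a header,
    # reject implausible sizes, decode, and keep hits that come out as
    # printable ASCII. Returns a list of (offset, plaintext).
    hits = []
    for off in range(len(buf) - 8 + 1):
        seed, masked = struct.unpack_from('<II', buf, off)
        size = seed ^ masked
        if size < min_len or size > max_len or off + 8 + size > len(buf):
            continue
        plain = lcg_subtract(seed, buf[off + 8:off + 8 + size])
        if all(b in PRINTABLE for b in plain):
            hits.append((off, plain))
    return hits


# Constructed sample: two encoded strings (text taken from the post's IOCs)
# padded with zero bytes, standing in for a slice of an unpacked DLL.
SAMPLE_STRINGS = [(0x1234ABCD, b'/Work/new/index.php'), (0xDEADBEEF, b'PHPSESSID')]
SAMPLE_IMAGE = bytes(8)
for _seed, _text in SAMPLE_STRINGS:
    SAMPLE_IMAGE += encode_string(_text, _seed) + bytes(8)

if __name__ == '__main__':
    for off, text in find_encoded_strings(SAMPLE_IMAGE):
        print('0x%04x %r' % (off, text))
```

The scanner accepts false positives in principle (any window whose header yields a plausible size and whose decode happens to be printable), so rank hits by length and confirm them against cross-references in the disassembly; running the block directly prints the hits for the constructed image.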
So far we have only observed the following modules:\r\n[hxxp://185.66.10[.]57/module/9f3359a7b12ceea791a4afc21a971152 -\u003e injecter_32.dll / injecter_64.dll]\r\n[hxxp://185.66.10[.]57/module/4c06c7a4c2bc6fb51cd998e9bbcf5846 -\u003e dg_32.dll / dg_64.dll]\r\n[hxxp://185.66.10[.]57/module/221680f17a95443c798c701eff36cbe6 -\u003e pony_32.dll / pony_64.dll]\r\nRetrieving Updates\r\nAs previously mentioned, in addition to retrieving modules Vawtrak may also receive a URL target pointing to an “update.” The update is contained in a binary data structure similar to the modules’ structure; however, the seed is contained in the second DWORD instead of the first. An RSA signature is then contained in the next 0x80 bytes (i.e., a 1024-bit signature), while the encoded update is contained in the remaining bytes following the signature. The update may be decoded using the same LCG subtraction algorithm. The URLs containing updated DLLs can be found in Appendix A.\r\nWeb Injects and Stolen Data\r\nVawtrak still functions similarly to previous versions regarding stealing data and web injects. In the sample’s configuration that we analyzed, several financial institutions and online services were targeted, such as Amazon.com. For several of the organizations, a custom web inject was tailored to steal additional information beyond just login credentials. Victims attempting to log in to Amazon were presented with the following credit card form (Figure 10) via Vawtrak’s web inject mechanism.\r\nFigure 10. Web injected fake Amazon.com credit card form\r\nShould a victim fill out this form, the credit card data along with their Amazon login credentials will be sent to the botnet operators via the method described in the HTTP Beacons section. Figure 11 shows the decrypted output that is delivered to the malware’s C2.\r\nFigure 11. 
Decrypted exfiltrated Amazon.com data\r\nConclusion\r\nAt least one threat actor has moved away from distributing Dyreza to instead distributing a new variant of Vawtrak that has undergone several notable changes, seemingly designed to make Vawtrak’s data transmissions stealthier. Those changes include:\r\n- New PRNG algorithm for encryption key generation\r\n- HTTP communication method to C2 and associated encryption for obfuscation\r\n- Configuration encoding\r\n- Downloaded modules encoding\r\n- Update modules encoding\r\nIn the wake of Dridex’s disappearance, the authors of Vawtrak may be making a bid for market share. Whether they will succeed remains to be seen, but this latest offering is a sophisticated improvement and could better position them to fill the void left by Dridex and become the new leading tool in the banking trojan arena -- and as such, bears further study and monitoring from a defense perspective.\r\nAppendix A\r\nIDPS Detection\r\nET Pro signatures: 2813059, 2813060, 2814111, 2814112, 2814150\r\nIOCs\r\nMacro Office documents leading to 
Vawtrak:\r\n26a92873992b5a674ea953131a4effc119dee0bc74da8ffa43f4d8de7df3c169\r\n93941f506feca505510b60d3ccaea8127a6450836642e97bf936b8875777e26b\r\n120d5320a59a86f9b3e0774609a3f0773d76a7d66689525a023bee7f8666f2eb\r\nb6441a6ea25a4ea5cb38f9f186805501379ceb132cfe8907d174e00dab8526ec\r\n6741e88fcd83fe32a8731d0714fba500ea6a3d9735b3829d51aeb7478061d93d\r\n7683afa68bf176249dfc61c5e3bf455dabc9d8b0696d6f8952d72ebb5500a798\r\n78ceb2dbbd39831f84c6fe50742a778cb4610fb02c06072de02e798692279ae4\r\n9337b6c7f6f4f300ebd11813dc6fe5a9646f394541139c96af27f45e1bb7eec2\r\n1eaac96f675fd29b06beed67cb89d5862183659a071062ca9440c46dc69b5a58\r\n0b9b361aaab7baa0ae49c0234d78bcb7cfbd0e529eeda1b126ef08a3b3e0ae89\r\n2f87d666915cc345ae8ac57c5b975163828c2923cdfabc3cf436ebca50346eb0\r\nb5681046f8a571f4fde991e349356e078498f1afb3d2a31a549df65b01ba6de7\r\neabbcb1af0022dbf1a0b4465e73b6c98458c3c3887b06df13c893a9413556011\r\n606a489df381a8cc3fb43b8ca3b763c61ff91328aa39fa9be167c428d587c1bc\r\n3ffbe191d9326f97db4ffaf6b294c166397bf1c77d28e2ab44d41fca511ce55b\r\n3d1e7e54db786c6aef572d1ef57ad1c26413aacbf2fd91eb700d469c550dd4df\r\nXbagging/Bartalex additional code 
downloads:\r\n[hxxp://pomona[.]pl/wp-content/plugins/wp-db-backup-made/5716367236.txt]\r\n[hxxp://funsockfriday[.]com/wp-content/cache/db/000000/all/cd0/2a7/5716367236.txt]\r\n[hxxp://pomona[.]pl/wp-content/plugins/wp-db-backup-made/pipi.txt]\r\n[hxxp://funsockfriday[.]com/wp-content/cache/db/000000/all/cd0/2a7/pipi.txt]\r\n[hxxp://admtorg[.]ru/wp-includes/js/tinymce/plugins/compat3x/css/5716367236.txt]\r\n[hxxp://ozgencfutbolokulu[.]com/wp-content/plugins/wp-db-backup-made/5716367236.txt]\r\n[hxxp://admtorg[.]ru/wp-includes/js/tinymce/plugins/compat3x/css/pipi.txt]\r\n[hxxp://ozgencfutbolokulu[.]com/wp-content/plugins/wp-db-backup-made/pipi.txt]\r\n[hxxp://unmaskedman[.]com/wp-content/themes/unmaskedman/assets/sass/layouts/pages/5716367236.txt]\r\n[hxxp://ssgc[.]co/wp-content/uploads/cache/remote/www-abc-net-au/5716367236.txt]\r\n[hxxp://unmaskedman[.]com/wp-content/themes/unmaskedman/assets/sass/layouts/pages/pipi.txt]\r\n[hxxp://ssgc[.]co/wp-content/uploads/cache/remote/www-abc-net-au/pipi.txt]\r\n[hxxp://shaliniandamar[.]com/wp-content/tfuse_bk_just-married-parent_2015-04-20/theme_config/extensions/slider/designs/round/static/images/5716367236.txt]\r\n[hxxp://kingmanmobile[.]com/wp-content/plugins/essential-grid/admin/assets/js/mode/5716367236.txt]\r\n[hxxp://shaliniandamar[.]com/wp-content/tfuse_bk_just-married-parent_2015-04-20/theme_config/extensions/slider/designs/round/static/images/pipi/txt]\r\n[hxxp://kingmanmobile[.]com/wp-content/plugins/essential-grid/admin/assets/js/mode/pipi.txt]\r\n[hxxp://dillardvideo[.]com/wp-admin/network/5716367236.txt]\r\n[hxxp://diputacion[.]ardinova[.]com/wp-admin/images/screenshots/5716367236.txt]\r\n[hxxp://dillardvideo[.]com/wp-admin/network/pipi.txt]\r\n[hxxp://diputacion[.]ardinova[.]com/wp-admin/images/screenshots/pipi.txt]\r\n[hxxp://diy-router[.]com/wp-includes/css/5716367236.txt]\r\n[hxxp://depositionstream[.]com/scripts/img/5716367236.txt]\r\n[hxxp://diy-router[.]com/wp-includes/css/pipi.txt]\r\n[hxxp://depositionstream[.]com/scripts/img/pipi.txt]\r\nPony downloads:\r\n[hxxp://freshbox[.]pl/przypomnienie_lss/WEFiles/Client/jQuery/Plugins/s1.exe]\r\n[hxxp://petalsbythechesapeake[.]com/wp-content/themes/x/framework/scss/site/stacks/integrity/inc/s1.exe]\r\n[hxxp://longcroftcarehome[.]com/wp-content/themes/Impreza/s1.exe]\r\n[hxxp://glovestix[.]com/wp-content/plugins/woocommerce-subscriptions/lib/action-scheduler/tests/phpunit/jobstore/s1.exe]\r\n[hxxp://datanetsolution[.]com/ujksew1/templates/s1.exe]\r\n[hxxp://dominamarketingporinternet[.]com/wp-admin/user/s1.exe]\r\nPony hashes:\r\n3fbffc12ddeedff72e0d73e48965a9bebabe4a527b1ebc030bbbf756ce3d3740\r\ncbaa784cba00750ae5d46aa242fe7337022317ac3d4e02906c9068140532de00\r\nc1afb96d2a3b436444313fde02d103ff86f9b68d7e2ca3151b64cb7caa3696cd\r\na2ba57cec0392cbe781ed67f3ed3ec38f9aaa1e6a232536bcddba171889b9ece\r\n6f8901cbe86e0633b75d772ac7b888d9f9fec7f0eff1c5c12adf1b1b20b86bd9\r\na33f5441949760569756062788077391d5a3611c6cb35a3c97ef76821261d2c8\r\n3de2503dfdc3d108da6676565612ac8bbfc4317026fdcf99543c0de5301f4e82\r\nPony Gates:\r\n[hxxp://dicalburep[.]ru/gate.php]\r\n[hxxp://toldwassmause[.]ru/gate.php]\r\n[hxxp://uthatinuse[.]ru/gate.php]\r\n[hxxp://paughesdidn[.]ru/gate.php]\r\n[hxxp://rectalrenlo[.]ru/gate.php]\r\n[hxxp://ritoftwithhers[.]ru/gate.php]\r\n[hxxp://rindititred[.]ru/gate.php]\r\n[hxxp://wassfethefa[.]ru/gate.php]\r\n[hxxp://kerehiled[.]ru/gate.php]\r\n[hxxp://ropaketsed[.]ru/gate.php]\r\n[hxxp://utrewserat[.]ru/gate.php]\r\n[hxxp://joorrolwas[.]ru/gate.php]\r\n[hxxp://fortthenranled[.]ru/gate.php]\r\n[hxxp://harlosion[.]ru/gate.php]\r\n[hxxp://onerophegre[.]ru/gate.php]\r\n[hxxp://duorgoho[.]ru/gate.php]\r\n[hxxp://idwigalitt[.]ru/gate.php]\r\n[hxxp://robbetotso[.]ru/gate.php]\r\n[hxxp://ledrewharte[.]ru/gate.php]\r\n[hxxp://dotindintres[.]ru/gate.php]\r\n[hxxp://tetotgane[.]ru/gate.php]\r\nVawtrak downloads:\r\n[hxxp://oka-dentalshop[.]com/system/logs/k1.exe]\r\n[hxxp://9.rent-shops[.]ru/system/logs/k1.exe]\r\n[hxxp://hubsportsmed[.]com/system/logs/k1.exe]\r\n[hxxp://xn--80aa8argd0e[.]xn--80aswg/system/logs/k1.exe]\r\n[hxxp://www[.]brindesgama[.]com[.]br/system/logs/k1.exe]\r\n[hxxp://mysocceruniforms[.]com/system/logs/k1.exe]\r\n[hxxp://worldhealthsupply[.]com/system/logs/k1.exe]\r\n[hxxp://errors-seeds[.]cz/system/logs/k1.exe]\r\n[hxxp://bloomgifts4u[.]com/system/logs/k1.exe]\r\n[hxxp://plan[.]computer-repair[.]org[.]ua/system/logs/k1.exe]\r\n[hxxp://wildcardzwincanton[.]bricks-and-clicks[.]co[.]uk/system/logs/k1.exe]\r\n[hxxp://kosikyhana[.]sk/system/logs/k1.exe]\r\n[hxxp://electro-cablaj[.]ro/system/logs/m1.exe]\r\n[hxxp://juuze[.]demowebsite[.]net/system/logs/m1.exe]\r\n[hxxp://wierdensewijnhandel[.]nl/system/logs/m1.exe]\r\n[hxxp://globalshow[.]com[.]ua/system/logs/m1.exe]\r\n[hxxp://chackochacko[.]com/system/logs/m1.exe]\r\n[hxxp://es[.]healthyliverplus[.]com/system/logs/m1.exe]\r\n[hxxp://boxx96[.]com[.]br/system/logs/m1.exe]\r\n[hxxp://store[.]lumos[.]my/system/logs/m1.exe]\r\n[hxxp://pudore[.]com[.]my/system/logs/m1.exe]\r\nVawtrak hashes from 
email:\r\na0b3bef0804ca6fb0dd7ab180f6cc38fa1ef4c247d152eaecf9081729cb2b158\r\nafdebec93fd6e133e24809e7b476927f7403a119c428698645abd0e380048f6a\r\n4d47396e1e9c7538c59da8b5574fb8f208154cdfc6590e33b74b7e9feada7584\r\nd3ccde340b36b55dc2db2abc323f728a8c135b8d27ec18f2afc756675008b511\r\ncaac605b2d5dec2ec314eb0a9f9273595935791509df27f599402a92beb107b9\r\n5B0E4024C12E21CA5F7552A555DC20499FD7A439A669C963AB5D02227CC1BE9A\r\n2350F4617102C51542682219761E7A3E2CD6EFD7529599DBC579AC6882C0343E\r\nVawtrak hashes from Angler EK chain:\r\n75db66d0aaff0d6adc4bedcb652ae041071852fbb550d5c3446502de29246c3d\r\nVawtrak C2:\r\n[hxxp://ninthclub[.]com/Work/new/index.php]\r\n[hxxp://camelcap[.]com/Work/new/index.php]\r\n[hxxp://ideagreens[.]com/Work/new/index.php]\r\n[hxxp://guesstrade[.]com/Work/new/index.php]\r\n[hxxp://castuning[.]ru/Work/new/index.php]\r\n[hxxp://mgsmedia[.]ru/Work/new/index.php]\r\nVawtrak module downloads:\r\n[hxxp://185.66.10[.]57/module/9f3359a7b12ceea791a4afc21a971152]\r\n[hxxp://185.66.10[.]57/module/4c06c7a4c2bc6fb51cd998e9bbcf5846]\r\n[hxxp://185.66.10[.]57/module/221680f17a95443c798c701eff36cbe6]\r\nVawtrak update downloads:\r\n[hxxp://185.66.10[.]57/upd/2]\r\n[hxxp://185.66.10[.]57/upd/3]\r\n[hxxp://185.66.10[.]57/upd/4]\r\n[hxxp://185.66.10[.]57/upd/5]\r\nVawtrak updates, decoded (respectively):\r\n6ca5edee52615821bd25f6872b86ccb61329d047c9de8817c8fea17679076eda\r\n592a84f6c913e8bdccabf3d4a36deb0844d037ca3aa19029755d2d658c873c04\r\n75ff95ef4cdf7511264df09daa93f44e72acfc5084c4f058071ddd2fc8ad2d09\r\nb7475a729083a11b8e99ae7a293807b6e35fa4c2735789847afdee97eddfb904\r\nAnalyzed Vawtrak Dropper:\r\n7e7d0557cc95e3f509f71a72aad9b8ab85d6a681df4a46e1648e928a4be5f4be\r\nAnalyzed unpacked Vawtrak x86 
DLL:\r\n1818967235b1e86f9b5e956ab55e1fb47ea44c6579c91e9a48d8bd428f14f165\r\nReferences\r\n1. https://www.proofpoint.com/sites/default/files/documents/bnt_download/pp-macroeconomics-rr.pdf\r\n2. http://now.avg.com/wp-content/uploads/2015/03/avg_technologies_vawtrak_banking_trojan_report.pdf\r\n3. https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-vawtrak-international-crimeware-as-a-service-tpna.pdf\r\n4. https://www.virusbtn.com/virusbulletin/archive/2015/01/vb201501-Vawtrak\r\nSource: https://www.proofpoint.com/us/threat-insight/post/In-The-Shadows",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/In-The-Shadows"
	],
	"report_names": [
		"In-The-Shadows"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434238,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/97320b566099a47ca87a03f137cc20eb167b699a.pdf",
		"text": "https://archive.orkl.eu/97320b566099a47ca87a03f137cc20eb167b699a.txt",
		"img": "https://archive.orkl.eu/97320b566099a47ca87a03f137cc20eb167b699a.jpg"
	}
}