{
	"id": "42010a2f-b36a-45f7-96e7-d404940c26f0",
	"created_at": "2026-04-06T00:14:54.177787Z",
	"updated_at": "2026-04-10T03:23:52.176159Z",
	"deleted_at": null,
	"sha1_hash": "9b0c4912422cc7f0282e490947f040015753e7f9",
	"title": "Cold as Ice: Answers to Unit 42 Wireshark Quiz for IcedID",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9504306,
	"plain_text": "Cold as Ice: Answers to Unit 42 Wireshark Quiz for IcedID\r\nBy Brad Duncan\r\nPublished: 2023-05-30 · Archived: 2026-04-05 16:48:51 UTC\r\nScenario, Requirements and Quiz Material\r\nTraffic for this quiz occurred in an Active Directory (AD) environment during April 2023. The infection is similar to previous IcedID activity tweeted by Unit 42 in March 2023. Details of the Local Area Network (LAN) environment for the pcap follow.\r\nLAN segment range: 10.4.19[.]0/24 (10.4.19[.]1 through 10.4.19[.]255)\r\nDomain: boogienights[.]live\r\nDomain controller IP address: 10.4.19[.]19\r\nDomain controller hostname: WIN-GP4JHCK2JMV\r\nLAN segment gateway: 10.4.19[.]1\r\nLAN segment broadcast address: 10.4.19[.]255\r\nThis quiz requires Wireshark, and we recommend using the latest version of Wireshark, since it has more features, capabilities and bug fixes over previous versions.\r\nWe also recommend readers customize their Wireshark display to better analyze web traffic. A list of tutorials and videos is available. As always, we recommend using Wireshark in a non-Windows environment like BSD, Linux or macOS when analyzing malicious Windows-based traffic.\r\nTo obtain the pcap, visit our GitHub repository, download the April 2023 ZIP archive and extract the pcap. 
Use infected as the password to unlock the ZIP archive.\r\nQuiz Questions\r\nFor this IcedID infection, we ask participants to answer the following questions previously described in our standalone quiz post:\r\nWhat is the date and time in UTC the infection started?\r\nWhat is the IP address of the infected Windows client?\r\nWhat is the MAC address of the infected Windows client?\r\nWhat is the hostname of the infected Windows client?\r\nWhat is the user account name from the infected Windows host?\r\nIs there any follow-up activity from other malware?\r\nQuiz Answers\r\nThe AD environment for this pcap contains three Windows clients, but only one was infected with IcedID.\r\nhttps://unit42.paloaltonetworks.com/wireshark-quiz-icedid-answers/\r\nPage 1 of 19\n\nAnswers for this Wireshark quiz follow.\r\nMalicious traffic for this infection started on April 19, 2023, at 15:31 UTC.\r\nInfected Windows client IP address: 10.4.19[.]136\r\nInfected Windows client MAC address: 14:58:d0:2e:c5:ae\r\nInfected Windows client hostname: DESKTOP-SFF9LJF\r\nInfected Windows client user account name: csilva\r\nFollow-up activity: BackConnect traffic\r\nPcap Analysis: IcedID Chain of Events\r\nTo understand IcedID network traffic, you should understand the chain of events for an IcedID infection. A flow chart illustrating this chain of events is shown in Figure 1.\r\nFigure 1. Flowchart for chain of events in the April 2023 IcedID infection.\r\nMost IcedID infections use a standard variant of IcedID. These infections typically use an EXE or DLL that acts as an installer. This installer generates an unencrypted HTTP GET request that retrieves a gzip-compressed binary. The installer then converts this binary into malware used for a persistent IcedID infection.\r\nThe newly created, persistent IcedID generates HTTPS traffic to communicate with command and control (C2) servers. 
The C2 activity can lead to BackConnect traffic, Cobalt Strike and Virtual Network Computing (VNC) activity.\r\nIf the infected host is part of a high-value environment, an IcedID infection would likely lead to ransomware.\r\nPcap Analysis: Infection Vector\r\nUsing Wireshark customized from our tutorials, apply a basic web filter to see if anything stands out. Review the results in your column display. Look for unencrypted HTTP traffic over TCP port 80 directly to an IP address without an associated domain. This is a common characteristic in the chain of events for various malware infections.\r\nAt 15:31:08 UTC, the host at 10.4.19[.]136 generated an HTTP GET request to hxxp://80.77.25[.]175/main.php as shown below in Figure 2.\r\nFigure 2. Suspicious HTTP traffic directly to an IP address shown in Wireshark.\r\nFollow the TCP stream for this HTTP GET request, as shown in Figure 3. This should generate a window for TCP stream 32, as shown in Figure 4.\r\nFigure 3. Following the TCP stream for the suspicious HTTP GET request.\r\nFigure 4. TCP stream for the suspicious HTTP GET request and response.\r\nFigure 4 reveals HTTP request headers that contain a User-Agent string ending with Edg/112.0.1722.48. This string indicates the traffic was likely generated by the Microsoft Edge browser. 
However, web traffic generated by malware can spoof different User-Agent strings, and some browser extensions also have this ability, so we cannot be certain this was actually Microsoft Edge.\r\nThe HTTP response headers in Figure 4 show a 302 status code, redirecting traffic to the following URL:\r\nhxxps://firebasestorage.googleapis[.]com/v0/b/serene-cathode-377701.appspot.com/o/XSjwp6O0pq%2FScan_Inv.zip?alt=media\u0026token=a716bdce-1373-44ed-ae89-fdabafa31c61\r\nThis Firebase Storage URL has been reported as malicious by at least seven security vendors on VirusTotal, and it appears in URLhaus tagged as IcedID. Fortunately, Google has taken the URL offline, and it is no longer active.\r\nTo further refine our search, add the client’s IP address 10.4.19[.]136 to the basic web filter as shown below in Figure 5. This reveals HTTPS traffic to firebasestorage.googleapis[.]com shortly after traffic to the initial URL at hxxp://80.77.25[.]175/main.php.\r\nFigure 5. HTTPS traffic to firebasestorage.googleapis[.]com after the initial suspicious URL.\r\nFollow the TCP stream for the initial frame showing firebasestorage.googleapis[.]com in the Wireshark column display. The TCP stream reveals 273 KB of data sent from the server to the Windows host, as shown below in Figure 6. This indicates a file might have been sent to the Windows host.\r\nFigure 6. TCP stream showing 275 KB of data sent from firebasestorage.googleapis[.]com to the Windows host.\r\nWhile the Firebase Storage URL is tagged as IcedID on URLhaus, this only indicates a distribution method for the IcedID installer. 
Based on this pcap, the victim opened a link that led to the Firebase Storage URL, and that URL delivered a file for an IcedID installer.\r\nThe URLhaus entry for this Firebase Storage URL reveals the ZIP archive it previously hosted, as shown in Figure 7.\r\nFigure 7. URLhaus entry for our Firebase Storage URL shows it delivered a ZIP archive.\r\nThe ZIP archive was submitted to MalwareBazaar. The archive is password-protected with the ASCII string 1235, and it contains a file named Scan_Inv.exe. This Windows executable file is an IcedID installer.\r\nPcap Analysis: IcedID Traffic\r\nAn IcedID installer first generates an unencrypted HTTP GET request over TCP port 80 to a domain using GET / without any further URL path. This returns a gzip binary used by the installer to create the persistent malware on the victim’s host.\r\nTo find the gzip binary, use the same basic web filter with the victim’s IP address noted earlier in Figure 5. Scroll down to an HTTP GET request to skigimeetroc[.]com at 15:35:39 UTC and follow the TCP stream as shown below, in Figure 8.\r\nFigure 8. Following the TCP stream for the IcedID installer’s initial HTTP GET request.\r\nThis is TCP stream 53 from the pcap, as shown below in Figure 9. The HTTP request headers for traffic generated by the IcedID installer have no User-Agent string. Note the cookie sent in the request headers in Figure 9.\r\nFigure 9. 
HTTP GET request generated by the IcedID installer.\r\nThe cookie line follows:\r\nCookie: __gads=422998217:1:1808:131; _gid=A0CA96894E9D; _u=4445534B544F502D534646394C4A46:6373696C7661:46353431423635424230383346354633; __io=21_1181811818_1193560798_2439418475; _ga=1.591597.1635208534.1022; _gat=10.0.22621.64\r\nCookie parameters for the HTTP GET request caused by this IcedID installer follow:\r\n__gads= IcedID campaign identifier and information from the infected host.\r\n_gid= Value calculated using the MAC address of the infected host.\r\n_u= ASCII text representing hex values of the victim’s hostname, Windows user account name and another undetermined value.\r\n__io= Domain identifier from the infected host’s security identifier (SID).\r\n_ga= Information based on the infected host’s CPU.\r\n_gat= Windows version. For example, 10.0.22621.64 is an identifier for 64-bit Windows 11 version 22H2 and 10.0.19045.64 is an identifier for 64-bit Windows 10 version 22H2.\r\nThis combination of cookie parameters is unique to IcedID infections. Note that __gads, _ga, _gid and _gat are also the names of legitimate Google advertising and analytics cookies, so match on the full set, including _u= and __io=, rather than on any single name. You can identify this traffic as IcedID without understanding the values. However, the _u= parameter reveals the victim’s hostname and Windows user account name. This information is very useful for our investigation. These hex values translate to a hostname of DESKTOP-SFF9LJF and a Windows user account name of csilva, as shown below in Figure 10.\r\nFigure 10. Using the _u= cookie parameter to determine the victim’s hostname and Windows user account name.\r\nAfter retrieving the gzip binary, an IcedID installer creates persistent IcedID malware that takes over the infection. The infected Windows host then starts generating HTTPS traffic to IcedID C2 servers.\r\nThese C2 servers use different domain names and IP addresses than the initial domain contacted by the IcedID installer. 
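The cookie decoding described above, as an added example written for this edit rather than code from the Unit 42 post: it parses the Cookie line from TCP stream 53, applies the six-name check, and decodes the _u= and _gat= parameters. The sample cookie and the two Windows build labels are the ones quoted in the post; the check itself, the function names and the reading of the trailing 64 as bitness follow the post’s description and are otherwise assumptions.

```python
# Added example (editor's code, not part of the Unit 42 post): parse the Cookie
# header an IcedID installer sends in its first HTTP GET and recover the victim
# details carried in the _u= and _gat= parameters. The sample cookie is the one
# quoted in the post; the build-number labels are the two the post gives.
# Everything else is an illustration, not IcedID's own algorithm.
from typing import Dict, Optional

# All six names the installer uses. __gads, _ga, _gid and _gat are also real
# Google cookie names, so no single name is an indicator; the full set is.
ICEDID_COOKIE_NAMES = ('__gads', '_gid', '_u', '__io', '_ga', '_gat')

# Build -> label, as stated in the post (assumption: nothing beyond these two).
WINDOWS_BUILDS = {
    '10.0.22621': 'Windows 11 version 22H2',
    '10.0.19045': 'Windows 10 version 22H2',
}

# Cookie line from TCP stream 53 (Figure 9), joined onto one line.
SAMPLE_COOKIE = (
    'Cookie: __gads=422998217:1:1808:131; _gid=A0CA96894E9D; '
    '_u=4445534B544F502D534646394C4A46:6373696C7661:46353431423635424230383346354633; '
    '__io=21_1181811818_1193560798_2439418475; _ga=1.591597.1635208534.1022; '
    '_gat=10.0.22621.64'
)


def parse_cookie_header(line: str) -> Dict[str, str]:
    # Split a Cookie header into name -> value, tolerating a leading 'Cookie:'.
    if line.lower().startswith('cookie:'):
        line = line[len('cookie:'):]
    cookies = {}
    for part in line.split(';'):
        name, sep, value = part.strip().partition('=')
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def _hex_to_ascii(field: str) -> Optional[str]:
    # Each _u= field is ASCII text written as hex. Odd length or non-hex means
    # the field is not in the expected format, so report None rather than guess.
    try:
        return bytes.fromhex(field).decode('ascii')
    except (ValueError, UnicodeDecodeError):
        return None


def is_icedid_cookie(cookies: Dict[str, str]) -> bool:
    # Heuristic: all six names present and _u= is three colon-separated hex fields.
    if not all(name in cookies for name in ICEDID_COOKIE_NAMES):
        return False
    fields = cookies['_u'].split(':')
    return len(fields) == 3 and all(_hex_to_ascii(f) is not None for f in fields)


def decode_gat(value: str) -> Dict[str, str]:
    # '10.0.22621.64' -> build 10.0.22621; the trailing 64 is the bitness per the post.
    build, _, bits = value.rpartition('.')
    return {'build': build, 'bits': bits, 'label': WINDOWS_BUILDS.get(build, 'unknown build')}


def victim_from_cookie(line: str) -> Optional[Dict[str, object]]:
    # Returns None when the cookie does not look like an IcedID installer request.
    cookies = parse_cookie_header(line)
    if not is_icedid_cookie(cookies):
        return None
    hostname, user, extra = (_hex_to_ascii(f) for f in cookies['_u'].split(':'))
    return {
        'hostname': hostname,
        'user': user,
        'extra': extra,                      # third value, undetermined per the post
        'campaign': cookies['__gads'],
        'windows': decode_gat(cookies['_gat']),
    }


if __name__ == '__main__':
    print(victim_from_cookie(SAMPLE_COOKIE))
    # A plain Google Analytics cookie shares three of the names but is not IcedID:
    print(victim_from_cookie('_ga=GA1.2.1.2; _gid=GA1.2.3.4; _gat=1'))
```

Feed it the Cookie line copied from the Follow TCP Stream window; the third decoded _u= field comes back as the 16-character hex-looking string the post leaves undetermined, which is kept as-is rather than decoded further.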
IcedID’s HTTPS C2 traffic starts within a minute or two after the installer retrieves the gzip binary, and this activity uses at least two domains with random alphabetic names.\r\nOur pcap reveals HTTPS traffic from the infected host to two domains after skigimeetroc[.]com at 15:35:39 UTC. These HTTPS C2 servers are askamoshopsi[.]com on 104.168.53[.]18 and skansnekssky[.]com on 217.199.121[.]56.\r\nTo find these servers, use the same basic web filter with the victim’s IP address noted earlier in Figure 5. HTTPS traffic starting at 15:36:41 UTC reveals these domains, as shown below in Figure 11.\r\nFigure 11. HTTPS C2 traffic after the HTTP request by the IcedID installer.\r\nBoth C2 servers at askamoshopsi[.]com and skansnekssky[.]com use self-signed certificates for their HTTPS traffic. Self-signed certificates for HTTPS traffic will generate warnings about potential security risks when the site is viewed in any modern web browser.\r\nWhy do web browsers display warnings about websites that use self-signed certificates? Because these certificates are not validated by a Certificate Authority (CA). Criminals can generate self-signed certificates that impersonate an existing company, or they can use generic values for the certificate issuer. Without a CA-validated certificate, web browsers cannot be sure a website is what it says it is.\r\nFigure 12 shows what the server at askamoshopsi[.]com looked like when we attempted to view it with the Firefox web browser. This warning allows users to view the server’s self-signed certificate.\r\nFigure 12. Attempting to view the web server at askamoshopsi[.]com using Firefox.\r\nAs shown above in Figure 12, the certificate uses values like Internet Widgits Pty Ltd for the issuer’s Organization name and Some-State for the State/Province name. 
Values for self-signed certificates used by IcedID C2 servers are the same default values seen when using OpenSSL to create a certificate in Xubuntu, as shown below in Figures 13 and 14.\r\nFigure 13. Creating an X.509 certificate for a web server using OpenSSL in Xubuntu.\r\nFigure 14. Default values when creating an X.509 certificate for a web server using OpenSSL in Xubuntu.\r\nInternet Widgits Pty Ltd is the OpenSSL default value for the Organization name of a self-signed certificate, and this value is sometimes seen in C2 traffic for malware. It should be examined more closely if it is found when investigating a suspected malware infection. We can easily check any pcap for this value using the following Wireshark filter:\r\nx509sat.uTF8String eq \"Internet Widgits Pty Ltd\"\r\nTwo caveats apply. The filter matches only when the Organization name is encoded as a UTF8String; a certificate that stores it as a PrintableString needs x509sat.printableString instead. It also depends on the server certificate being visible in the pcap, which is the case for TLS 1.2 and earlier; a TLS 1.3 handshake encrypts the Certificate message, so this filter finds nothing there.\r\nThe results from our pcap reveal the same IP addresses used by IcedID C2 servers for askamoshopsi[.]com at 104.168.53[.]18 and skansnekssky[.]com at 217.199.121[.]56. Expand the frame details for any of the results to find the same certificate issuer data, as shown in Figure 15.\r\nFigure 15. Self-signed certificate used by IcedID C2 servers with Internet Widgits Pty Ltd as the Organization name, shown in Wireshark.\r\nThis certificate data is not unique to IcedID. The same values for self-signed certificates are also seen in HTTPS C2 traffic by other malware families like Bumblebee.\r\nPcap Analysis: BackConnect Traffic\r\nUndetected IcedID infections lead to follow-up activity like BackConnect traffic.\r\nFor the past several months, BackConnect traffic caused by IcedID was easy to detect because it occurred over TCP port 8080. 
However, as early as April 11, 2023, BackConnect activity for IcedID changed to TCP port 443, making it harder to find.\r\nThe IcedID BackConnect activity Unit 42 tweeted about on April 11, 2023 used an IP address of 193.149.176[.]100 over TCP port 443. Filter for that IP address in Wireshark and combine it with tcp.flags eq 0x0002, which matches packets with only the SYN flag set (the client’s connection attempts), as shown below, in Figure 16. This reveals the beginning of three streams.\r\nFigure 16. Filtering in Wireshark for BackConnect traffic in our pcap.\r\nFollow the TCP stream for the first result, which is TCP stream 950. This stream reveals encoded or otherwise encrypted TCP traffic, as shown in Figure 17.\r\nFigure 17. The first TCP stream for BackConnect activity.\r\nGo back to the Wireshark filter used to reveal the TCP streams to 193.149.176[.]100. Follow the TCP stream for the second frame in the results, which is TCP stream 951. This reveals encoded or encrypted data followed by a command to reveal all hosts under the domain controller for boogienights[.]live as shown below, in Figure 18.\r\nFigure 18. BackConnect traffic with a command and results enumerating the victim’s AD environment.\r\nThe response to this command enumerates the victim’s AD environment, showing three clients logged in to the domain:\r\nDESKTOP-JAL4D68\r\nDESKTOP-RETP4BU\r\nDESKTOP-SFF9LJF\r\nGo back to the Wireshark filter used to reveal the TCP streams to 193.149.176[.]100. Follow the TCP stream for the last frame in the results, which is TCP stream 953. This lists disk drives on the victim client, and it provides a directory listing for each of these drives, as shown below in Figure 19.\r\nThe C:\\ drive is the victim’s system drive. 
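Two of the Wireshark checks used above, the x509sat.uTF8String search for the OpenSSL default Organization name (Figure 15) and the ip.addr plus tcp.flags eq 0x0002 filter for connection attempts to the BackConnect server (Figure 16), redone over a raw pcap file in pure Python so they can run in a pipeline without Wireshark. This is an added example written for this edit, not code from the Unit 42 post. The sample capture is constructed inline with the post’s IP addresses; the client ports, timestamps, certificate fragment and function names are assumptions. It deliberately does not reassemble TCP, so a certificate attribute split across two segments would be missed where Wireshark would still find it.

```python
# Added example (editor's code, not from the Unit 42 post). Two of the Wireshark
# checks in the post, over a libpcap file in pure Python:
#   1. the x509sat.uTF8String eq 'Internet Widgits Pty Ltd' check (Figure 15),
#      matched as the DER-encoded organizationName attribute in TCP payload;
#   2. the ip.addr == X and tcp.flags eq 0x0002 SYN-only filter (Figure 16),
#      listing the client's connection attempts to the BackConnect address.
# The sample capture below is constructed; client ports, timestamps and the
# certificate fragment are assumptions, the IP addresses are the post's.
import struct
from typing import Iterator, List, Tuple

# (src ip, src port, dst ip, dst port, tcp flags byte, tcp payload)
Packet = Tuple[str, int, str, int, int, bytes]

# DER AttributeTypeAndValue: OID 2.5.4.10 (organizationName) then the string.
# Wireshark's x509sat.uTF8String field is the tag 0x0C form; OpenSSL builds with
# a non-utf8 string_mask emit PrintableString (0x13) instead, so match both.
_OID_ORGANIZATION_NAME = bytes.fromhex('060355040a')
_ORG_VALUE = b'Internet Widgits Pty Ltd'
WIDGITS_MARKERS = tuple(
    _OID_ORGANIZATION_NAME + bytes([tag, len(_ORG_VALUE)]) + _ORG_VALUE
    for tag in (0x0C, 0x13)
)


def _ip_str(raw: bytes) -> str:
    return '.'.join(str(b) for b in raw)


def tcp_packets(pcap: bytes) -> Iterator[Packet]:
    # Minimal libpcap (not pcapng) reader: Ethernet II + IPv4 + TCP only, no VLAN
    # tags, no IP fragments, no TCP reassembly. Anything else is skipped.
    magic, = struct.unpack_from('<I', pcap, 0)
    if magic == 0xA1B2C3D4:
        endian = '<'
    elif magic == 0xD4C3B2A1:
        endian = '>'
    else:
        raise ValueError('not a microsecond libpcap file (save as pcap, not pcapng)')
    link_type, = struct.unpack_from(endian + 'I', pcap, 20)
    if link_type != 1:
        raise ValueError('only Ethernet captures are handled')
    offset = 24
    while offset + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + 'IIII', pcap, offset)
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != bytes.fromhex('0800'):
            continue
        ip = frame[14:]
        if ip[0] >> 4 != 4 or ip[9] != 6:
            continue
        total_len, = struct.unpack_from('>H', ip, 2)
        ihl = (ip[0] & 0x0F) * 4
        tcp = ip[ihl:total_len]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack_from('>HH', tcp, 0)
        data_offset = (tcp[12] >> 4) * 4
        yield (_ip_str(ip[12:16]), sport, _ip_str(ip[16:20]), dport, tcp[13], tcp[data_offset:])


def find_widgits_certs(pcap: bytes) -> List[Tuple[str, int, str, int]]:
    # Endpoints whose TCP payload carries the OpenSSL default organizationName.
    # Only works while the Certificate message is in the clear (TLS 1.2 and below).
    return [(src, sport, dst, dport)
            for src, sport, dst, dport, _flags, payload in tcp_packets(pcap)
            if any(marker in payload for marker in WIDGITS_MARKERS)]


def syn_to(pcap: bytes, target_ip: str) -> List[Tuple[str, int, int]]:
    # Same as the Wireshark filter ip.addr == target_ip and tcp.flags eq 0x0002:
    # SYN set and nothing else, so one entry per connection attempt to the target.
    return [(src, sport, dport)
            for src, sport, dst, dport, flags, _payload in tcp_packets(pcap)
            if dst == target_ip and flags == 0x02]


def _frame(src: str, sport: int, dst: str, dport: int, flags: int, payload: bytes) -> bytes:
    # Ethernet (zero MACs) + IPv4 + TCP with 20-byte headers; checksums left zero.
    tcp = struct.pack('>HHIIBBHHH', sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack('>BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(int(x) for x in src.split('.')),
                     bytes(int(x) for x in dst.split('.'))) + tcp
    return bytes(12) + bytes.fromhex('0800') + ip


def build_sample_pcap() -> bytes:
    # Constructed capture: two SYNs to the BackConnect IP, the server's SYN/ACK
    # (must not match), one SYN to the domain controller, and a server-to-client
    # segment from a C2 address whose payload contains the default issuer attribute.
    client, backconnect, c2, dc = '10.4.19.136', '193.149.176.100', '104.168.53.18', '10.4.19.19'
    cert_fragment = bytes.fromhex('30820300') + WIDGITS_MARKERS[0] + bytes.fromhex('3109')
    frames = [
        _frame(client, 49730, backconnect, 443, 0x02, b''),
        _frame(backconnect, 443, client, 49730, 0x12, b''),
        _frame(client, 49731, dc, 445, 0x02, b''),
        _frame(client, 49732, backconnect, 443, 0x02, b''),
        _frame(c2, 443, client, 49740, 0x18, cert_fragment),
    ]
    out = struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack('<IIII', 1681918268 + i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == '__main__':
    sample = build_sample_pcap()
    print('default-issuer certificates:', find_widgits_certs(sample))
    print('SYNs to BackConnect IP:', syn_to(sample, '193.149.176.100'))
```

For a real capture, save it from Wireshark in pcap (libpcap) rather than pcapng format and pass the file bytes to find_widgits_certs and syn_to; the first returns the server side of each hit, which for the quiz pcap would be the two C2 addresses on port 443, and the second returns one row per stream start, matching the three results of Figure 16.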
Z:\\ is likely a mapped drive from a server’s shared directory that does not contain any files.\r\nFigure 19. BackConnect traffic showing contents of the victim’s system drive and mapped drive.\r\nPrevious IcedID infections reveal this threat can use BackConnect traffic to load and run Cobalt Strike. We tweeted about one such case from March 24, 2023. However, this pcap does not contain any indicators of Cobalt Strike.\r\nPrevious IcedID infections also reveal this threat can generate VNC traffic over the same IP address used by BackConnect traffic. This happened during the same IcedID infection from March 24, 2023.\r\nPcap Analysis: Victim Details\r\nThe common internal IP address for the malicious traffic we have reviewed is 10.4.19[.]136. This is our victim’s IP address. To find the Windows user account name, filter on that IP address and kerberos.CNameString as shown in Figure 20. Kerberos traffic from a domain-joined Windows host also includes the computer account, whose name is the hostname followed by a $ sign, so the user account is the CNameString value that does not end in $.\r\nFigure 20. Finding the Windows user account name for our infected Windows host.\r\nIn some cases, Lightweight Directory Access Protocol (LDAP) traffic might also provide the full name of the user. Use the following Wireshark filter:\r\nldap.AttributeDescription == \"givenName\"\r\nThis should provide four frames in our column display. Select any of them and expand the frame details until you find the user’s full name, Cornelius Silva, as shown below in Figure 21.\r\nFigure 21. Finding the victim’s full name from LDAP traffic.\r\nPerhaps the easiest way to find a victim’s hostname in Wireshark is to combine the victim’s IP address with a search for ip contains \"DESKTOP-\" as shown below, in Figure 22. 
Several results in the Info column show Host Announcement DESKTOP-SFF9LJF sent by our infected Windows host at 10.4.19[.]136.\r\nFigure 22. Finding the Windows hostname in Wireshark.\r\nTo find the victim’s MAC address, just correlate the IP address to the host’s MAC address in any of the frame details windows, as shown below in Figure 23. This only works when the pcap was captured on the victim’s LAN segment, as it was here; in a capture taken on the far side of a router, the source MAC address belongs to the router interface rather than to the host.\r\nFigure 23. Correlating the victim’s MAC address with its associated IP address.\r\nConclusion\r\nThis blog provides answers and analysis for our Unit 42 Wireshark quiz featuring an IcedID infection from April 2023. IcedID is important to identify and stop, because it is a known vector for ransomware infections.\r\nMany organizations lack access to full packet capture in their IT environment. As a result, security professionals might lack experience reviewing IcedID and other malware traffic. Training material like this Wireshark quiz can help. Pcap analysis is a useful skill that helps us better understand malicious activity.\r\nYou can also read the original post, without answers, from our standalone quiz post.\r\nPalo Alto Networks customers are protected from IcedID and other malware through Cortex XDR and our Next-Generation Firewall with Cloud-Delivered Security Services that include WildFire, Advanced Threat Prevention and Advanced URL Filtering.\r\nIf you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. 
Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nTraffic from the pcap related to the IcedID infection:\r\nhxxp://80.77.25[.]175/main.php\r\nhxxps://firebasestorage.googleapis[.]com/v0/b/serene-cathode-377701.appspot.com/o/XSjwp6O0pq%2FScan_Inv.zip?alt=media\u0026token=a716bdce-1373-44ed-ae89-fdabafa31c61\r\n192.153.57[.]223:80 - hxxp://skigimeetroc[.]com/\r\n104.168.53[.]18:443 - askamoshopsi[.]com - HTTPS traffic\r\n217.199.121[.]56:443 - skansnekssky[.]com - HTTPS traffic\r\n193.149.176[.]100:443 - BackConnect traffic\r\nFiles associated with traffic from this IcedID infection:\r\nSHA256 hash: fc96c893a462660e2342febab2ad125ce1ec9a90fdf7473040b3aeb814ba7901\r\nFile size: 262,343 bytes\r\nFilename: Scan_Inv.zip\r\nFile description: Password-protected ZIP archive hosted on the Firebase Storage URL\r\nPassword: 1235\r\nMalwareBazaar Database sample\r\nSHA256 hash: bd24b6344dcde0c84726e620818cb5795c472d9def04b259bf9bff1538e5a759\r\nFile size: 333,408 bytes\r\nFilename: Scan_Inv.exe\r\nFile description: Windows executable file for the IcedID installer\r\nMalwareBazaar Database sample\r\nAdditional Resources\r\nWireshark Tutorial: Wireshark Workshop Videos Now Available – Unit 42, Palo Alto Networks\r\nUnit 42 Wireshark Quiz, January 2023 – Unit 42, Palo Alto Networks\r\nAnswers to January 2023 Unit 42 Wireshark Quiz – Unit 42, Palo Alto Networks\r\nUnit 42 Wireshark Quiz, February 2023 – Unit 42, Palo Alto Networks\r\nAnswers to February 2023 Unit 42 Wireshark Quiz – Unit 42, Palo Alto Networks\r\nFinding Gozi: Unit 42 Wireshark Quiz, March 2023 – Unit 42, Palo Alto Networks\r\nFinding Gozi: Answers to Unit 42 Wireshark Quiz, March 2023 – Unit 42, Palo Alto Networks\r\nUnit 42 tweet, Jan. 1, 2023 – IcedID infection leads to Cobalt Strike\r\nUnit 42 tweet, Feb. 8, 2023 – Cobalt Strike from an IcedID infection\r\nUnit 42 tweet, Feb. 
13, 2023 – Fake software page leads to IcedID\r\nUnit 42 tweet, Feb. 24, 2023 – IcedID to BackConnect traffic to Cobalt Strike\r\nUnit 42 tweet, March 24, 2023 – IcedID to BackConnect traffic to Cobalt Strike\r\nUnit 42 tweet, April 11, 2023 – IcedID to BackConnect traffic changes TCP port\r\nFork in the Ice: The New Era of IcedID – Proofpoint\r\nIcedID BackConnect Protocol – Netresec\r\nInside the IcedID BackConnect Protocol – Team Cymru\r\nThreat Analysis Report: All Paths Lead to Cobalt Strike - IcedID, Emotet and Qbot – Cybereason\r\nIcedID \u0026 Qakbot’s VNC Backdoors: Dark Cat, Anubis \u0026 Keyhole – NVISO Labs\r\nMalicious ISO File Leads to Domain Wide Ransomware – The DFIR Report\r\nSource: https://unit42.paloaltonetworks.com/wireshark-quiz-icedid-answers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/wireshark-quiz-icedid-answers/"
	],
	"report_names": [
		"wireshark-quiz-icedid-answers"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434494,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9b0c4912422cc7f0282e490947f040015753e7f9.pdf",
		"text": "https://archive.orkl.eu/9b0c4912422cc7f0282e490947f040015753e7f9.txt",
		"img": "https://archive.orkl.eu/9b0c4912422cc7f0282e490947f040015753e7f9.jpg"
	}
}