{ "id": "937a4088-0349-4c57-b5b4-e370b6ae8b82", "created_at": "2026-04-06T00:08:59.013945Z", "updated_at": "2026-04-10T03:38:09.833245Z", "deleted_at": null, "sha1_hash": "a05c5a1360a24cd63a3387be7dd99d10d8ddb956", "title": "Taleret strings - APT (1)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 54093, "plain_text": "Taleret strings - APT (1)\r\nArchived: 2026-04-05 23:38:34 UTC\r\nFile: Taleret_FED166A667AB9CBB1EF6331B8E9D7894\r\nMD5:  fed166a667ab9cbb1ef6331b8e9d7894\r\nSize: 36864\r\nAscii Strings:\r\n---------------------------------------------------------------------------\r\n!This program cannot be run in DOS mode.\r\nRich\r\n.text\r\n`.rdata\r\n@.data\r\n.reloc\r\n------------------------------snip\r\nMFC42.DLL\r\n_beginthreadex\r\nstrstr\r\nprintf\r\nfclose\r\nfprintf\r\n_strdate\r\n_strtime\r\nfopen\r\n_vsnprintf\r\nstrchr\r\nrand\r\nsrand\r\ntime\r\n__CxxFrameHandler\r\nstrrchr\r\nsprintf\r\nfread\r\n_mbscmp\r\nfree\r\nhttp://contagioexchange.blogspot.com/2013/08/taleret-strings-apt-1.html\r\nPage 1 of 7\n\nmalloc\r\nMSVCRT.dll\r\n_initterm\r\n_adjust_fdiv\r\nGetProcAddress\r\nLoadLibraryA\r\nExitProcess\r\nSleep\r\nWaitForSingleObject\r\nFreeConsole\r\nExpandEnvironmentStringsA\r\nGetLocalTime\r\nGetLastError\r\nCloseHandle\r\nGetCurrentProcess\r\nLocalFree\r\nHeapFree\r\nHeapAlloc\r\nGetProcessHeap\r\nProcess32Next\r\nOpenProcess\r\nProcess32First\r\nCreateToolhelp32Snapshot\r\nDeleteFileA\r\nFreeLibrary\r\nReadFile\r\nSetFilePointer\r\nGetFileSize\r\nGetTickCount\r\nOutputDebugStringA\r\nKERNEL32.dll\r\nPostQuitMessage\r\nDefWindowProcA\r\nDispatchMessageA\r\nTranslateMessage\r\nGetMessageA\r\nUpdateWindow\r\nShowWindow\r\nCreateWindowExA\r\nRegisterClassA\r\nLoadCursorA\r\nLoadIconA\r\nhttp://contagioexchange.blogspot.com/2013/08/taleret-strings-apt-1.html\r\nPage 2 of 7\n\nSendMessageTimeoutA\r\nUSER32.dll\r\nGetStockObject\r\nGDI32.dll\r\nRegisterServiceCtrlHandlerW\r\nSetServiceStatus\r\nRegQueryValueExA\r\nRegCloseKey\r\nAdjustTokenPrivileges\r\nLookupPrivilegeValueA\r\nConvertSidToStringSidA\r\nEqualSid\r\nGetTokenInformation\r\nADVAPI32.dll\r\nInternetCloseHandle\r\nInternetSetOptionA\r\nInternetSetCookieA\r\nHttpQueryInfoA\r\nInternetConnectA\r\nHttpSendRequestA\r\nHttpOpenRequestA\r\nWININET.dll\r\nGetAdaptersInfo\r\niphlpapi.dll\r\nSHRegGetValueA\r\nSHLWAPI.dll\r\nCoCreateGuid\r\nole32.dll\r\n_strlwr\r\n_strnicmp\r\nMsgHandlerDll.dll\r\nServiceMain\r\nStart\r\nwxxxd\r\nkernel32.dll\r\nCreateDirectoryA\r\nGetWindowsDirectoryA\r\nWinExec\r\nGetDriveTypeA\r\nGetFileAttributesA\r\nGetLogicalDriveStringsA\r\nDeleteFileA\r\nhttp://contagioexchange.blogspot.com/2013/08/taleret-strings-apt-1.html\r\nPage 3 of 7\n\nMoveFileA\r\nFindNextFileA\r\nFindFirstFileA\r\nFindResourceA\r\nCreateFileA\r\nGetVolumeInformationA\r\nCopyFileA\r\nCreateMutexA\r\nGetTempPathA\r\nlstrcatA\r\nlstrcpyA\r\nlstrcmpA\r\nuser32.dll\r\nGetWindowTextA\r\nGetForegroundWindow\r\nFindWindowExA\r\nPostMessageA\r\nGetCursorPos\r\nWindowFromPoint\r\nwsprintfA\r\nkeybd_event\r\nGetParent\r\nADVAPI32.dll\r\nRegSetValueExA\r\nRegCreateKeyA\r\nRegEnumKeyA\r\nRegDeleteKeyA\r\nRegSetValueA\r\nRegOpenKeyExA\r\nRegQueryValueA\r\nRegQueryValueExA\r\nRegDeleteValueA\r\nCreatePipe\r\nGetSystemDirectoryA\r\nCreateProcessA\r\nUser32.dll\r\nSetWindowsHookExA\r\nCallNextHookEx\r\nCreateFileMappingA\r\nGetModuleFileNameA\r\nWininet.dll\r\nInternetOpenA\r\nhttp://contagioexchange.blogspot.com/2013/08/taleret-strings-apt-1.html\r\nPage 4 of 7\n\nInternetOpenUrlA\r\nHttpQueryInfoA\r\nInternetReadFile\r\nAdvapi32.dll\r\nRegCreateKeyExA\r\nOpenProcessToken\r\nrundll32.exe\r\nThe Window\r\nsdfjx\r\nhttps:\r\nMSIE 6.0; Windows NT 5.1; SV1)\r\nMozilla/4.0 (compatible;\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\r\nUser Agent\r\nXXXXX\r\n%s %s - %s\r\nail: %s:%d\r\nconn f\r\nread from registry\r\nSoftware\\Microsoft\\SysInternal\r\nfurl: %s\r\nauto proxy\r\n%tmp%\\~alot.dat\r\n1A10\r\n{AEBA21FA-782A-4A90-978D-B72164C80120}\r\n{A8A88C49-5EB2-4990-A1A2-0876022C854F}\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\r\nDefaultConnectionSettings\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\r\nexplorer.exe\r\nSeDebugPrivilege\r\nMUID\r\nhttp://%s:%d\r\nhttp://%s\r\nNOT Certified\r\nAFTER: Disconnect\r\nAFTER: %d s\r\nSetTime: %d OK\r\nSendFile: %d OK\r\n%temp%\\\r\nWRONG PASSWORD\r\nABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\r\nhttp://contagioexchange.blogspot.com/2013/08/taleret-strings-apt-1.html\r\nPage 5 of 7\n\nerror:\r\n Run\r\n Run error\r\n Run OK\r\nShellExecuteA\r\nshell32.dll\r\n%%temp%%\\%u\r\n/webhp?source=\r\nMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\nContent-Type: application/x-www-form-urlencoded\r\nPOST\r\nHTTP/1.1\r\n%02X-%02X-%02X-%02X-%02X-%02X\r\n0.0.0.0\r\n01-01-01-01-01-01\r\n%04x\r\n%04x%04x%04x%04x\r\n0#0(0A0F0L0S0X0q0v0|0\r\n11161\u003c1C1H1a1f1l1s1x1\r\n2!2\u00262,23282Q2V2\\2c2h2\r\n3#3(3A3F3L3S3X3q3v3|3\r\n41464\u003c4C4H4a4f4l4s4x4\r\n5!5\u00265,53585Q5V5\\5c5h5\r\n6#6(6A6F6L6S6X6q6v6|6\r\n71767\u003c7C7H7a7f7l7s7x7\r\n8!8\u00268,83888Q8V8\\8c8h8\r\n9#9(9A9F9L9S9X9{9\r\n:\":.:E:P:a:w:\r\n;#;);=;C;I;O;\r\n\u003c1\u003c]\u003c}\u003c\r\n=,=1=D=M=y=\r\n\u003e;\u003eZ\u003e\r\n474F4O4V4]4y4\r\n5,5O5[5k5\r\n6 6?6k6v6\r\n9O9U9d9v9\r\n:6:=:^:e:w:\r\n;0;e;\r\n\u003c \u003c0\u003c=\u003ct\u003c\r\n\u003c#=:=^=\r\n\u003e_\u003ef\u003e\r\n?7?O?\r\nhttp://contagioexchange.blogspot.com/2013/08/taleret-strings-apt-1.html\r\nPage 6 of 7\n\n0]0l0\r\n1Q1V1\\1c1h1\r\n2#2(232\r\n767p7\r\n9X:l:\r\n=!\u003e+\u003e\u003c\u003eC\u003eW\u003e\r\n\u003e`?q?\r\n1\u003c2S2\r\n3\"3(353\u003c3w3\r\n5=5P5\r\n6\u003c6A6G6Z6\r\n6/767D7|7\r\n9c:h:q:\r\n;4;F;R;g;\r\n\u003c2=H=\r\n?8?Y?j?t?\r\n0.030\u003e0N0X0b0q0w0\r\n1 1\u00261,12181\u003e1D1J1P1V1\\1b1\r\n2+272=2_2q2\r\n4G4Y4\r\n4V5y5\r\n2$2,242\u003c2D2L2T2\\2d2l2x2\r\n3(3D3P3l3t3|3\r\n4 4\u003c4D4L4X4t4|4\r\n0 0$0(0,0004080\u003c0@0D0H0L0P0T0X0\\0`0d0h0l0p0t0x0|0\r\nUnicode Strings:\r\n---------------------------------------------------------------------------\r\nSource: http://contagioexchange.blogspot.com/2013/08/taleret-strings-apt-1.html\r\nhttp://contagioexchange.blogspot.com/2013/08/taleret-strings-apt-1.html\r\nPage 7 of 7", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "http://contagioexchange.blogspot.com/2013/08/taleret-strings-apt-1.html" ], "report_names": [ "taleret-strings-apt-1.html" ], "threat_actors": [ { "id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b", "created_at": "2022-10-25T16:07:23.480196Z", "updated_at": "2026-04-10T02:00:04.626125Z", "deleted_at": null, "main_name": "Comment Crew", "aliases": [ "APT 1", "BrownFox", "Byzantine Candor", "Byzantine Hades", "Comment Crew", "Comment Panda", "G0006", "GIF89a", "Group 3", "Operation Oceansalt", "Operation Seasalt", "Operation Siesta", "Shanghai Group", "TG-8223" ], "source_name": "ETDA:Comment Crew", "tools": [ "Auriga", "Cachedump", "Chymine", "CookieBag", "Darkmoon", "GDOCUPLOAD", "GLOOXMAIL", "GREENCAT", "Gen:Trojan.Heur.PT", "GetMail", "Hackfase", "Hacksfase", "Helauto", "Kurton", "LETSGO", "LIGHTBOLT", "LIGHTDART", "LOLBAS", "LOLBins", "LONGRUN", "Living off the Land", "Lslsass", "MAPIget", "ManItsMe", "Mimikatz", "MiniASP", "Oceansalt", "Pass-The-Hash Toolkit", "Poison Ivy", "ProcDump", "Riodrv", "SPIVY", "Seasalt", "ShadyRAT", "StarsyPound", "TROJAN.COOKIES", "TROJAN.FOXY", "TabMsgSQL", "Tarsip", "Trojan.GTALK", "WebC2", "WebC2-AdSpace", "WebC2-Ausov", "WebC2-Bolid", "WebC2-Cson", "WebC2-DIV", "WebC2-GreenCat", "WebC2-Head", "WebC2-Kt3", "WebC2-Qbp", "WebC2-Rave", "WebC2-Table", "WebC2-UGX", "WebC2-Yahoo", "Wordpress Bruteforcer", "bangat", "gsecdump", "pivy", "poisonivy", "pwdump", "zxdosml" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434139, "ts_updated_at": 1775792289, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/a05c5a1360a24cd63a3387be7dd99d10d8ddb956.pdf", "text": "https://archive.orkl.eu/a05c5a1360a24cd63a3387be7dd99d10d8ddb956.txt", "img": "https://archive.orkl.eu/a05c5a1360a24cd63a3387be7dd99d10d8ddb956.jpg" } }