{
	"id": "9807195b-de51-4de5-97ab-0ccb6eccdfb1",
	"created_at": "2026-04-06T00:17:38.620981Z",
	"updated_at": "2026-04-10T13:13:02.745915Z",
	"deleted_at": null,
	"sha1_hash": "b101c0701ecd96957bc37c38ea374a223242d1e3",
	"title": "Analyzing a Stealer MSI using msitools",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 784047,
	"plain_text": "Analyzing a Stealer MSI using msitools\r\nPublished: 2022-02-12 · Archived: 2026-04-05 14:28:56 UTC\r\nThis post is dedicated to Josh Rickard (@MSAdministrator on Twitter) since his feedback on my blog posts has cut my triage time on MSI files down in a massive way! After writing an analysis of an MSI payload distributing njRAT, Josh hit me up on Twitter to suggest a Python tool he made to analyze MSIs, msi-utils, with the caveat that it only worked on macOS. I set off to figure out why it only worked on macOS and, long story short, the journey led me to the msitools package on Linux. I’ll use it in this post to analyze this sample in MalwareBazaar: https://bazaar.abuse.ch/sample/1f7830f0117f694b87ae81caed022c82174f9a8d158a0b8e127154e17d1600cc/.\r\n2022-02-14 Edit: msitools is now included in REMnux! To get it, run remnux upgrade.\r\nThe msitools package isn’t installed by default in REMnux, so we have to go install it ourselves. This is easily done using apt.\r\nsudo apt update\r\nsudo apt install msitools\r\nOnce the package is installed, we can move on to ripping apart MSI files!\r\nTriage the MSI Sample\r\nThe Detect-It-Easy and file output confirm we do have an MSI file.\r\nremnux@remnux:~/cases/arkei-msi$ diec po.msi\r\nfiletype: Binary\r\narch: NOEXEC\r\nmode: Unknown\r\nendianess: LE\r\ntype: Unknown\r\n installer: Microsoft Installer(MSI)\r\nremnux@remnux:~/cases/arkei-msi$ file po.msi\r\npo.msi: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title\r\nMore specifically, the data from file indicates the MSI file was created by a tool named “MSI Wrapper (10.0.50.0)”. The tool is likely the one from this web site: https://www.exemsi.com/\r\nEnumerating MSI Tables and Streams\r\nWe can start the analysis using msiinfo to get some information about the file. We definitely want to know what table and stream structures we can expect within the MSI.\r\nremnux@remnux:~/cases/arkei-msi$ msiinfo tables po.msi\r\n_SummaryInformation\r\n_ForceCodepage\r\n_Validation\r\nAdminExecuteSequence\r\nAdminUISequence\r\nAdvtExecuteSequence\r\nBinary\r\nComponent\r\nDirectory\r\nCustomAction\r\nFeature\r\nFeatureComponents\r\nFile\r\nIcon\r\nInstallExecuteSequence\r\nInstallUISequence\r\nLaunchCondition\r\nMedia\r\nProperty\r\nRegistry\r\nUpgrade\r\nremnux@remnux:~/cases/arkei-msi$ msiinfo streams po.msi\r\nIcon.ProductIcon\r\nBinary.bz.CustomActionDll\r\nBinary.bz.WrappedSetupProgram\r\nSummaryInformation\r\nDocumentSummaryInformation\r\nAs MSI files go, this one isn’t particularly complex. Depending on the product used, there can be a lot more data in tables and streams. There are a few things we definitely want to hit during our analysis here. First, we need to examine the contents of the “CustomAction” table at the very least. The CustomAction table is often interesting with malicious installers, as adversaries may hide code to execute within the CustomAction table. PurpleFox malware has placed JScript to execute in this table in the past, and other malware families have used the table to specify that a malicious DLL should be executed during installation. T\r\nDumping Tables and Streams\r\nWe can dump out all of the contents using msidump.\r\nremnux@remnux:~/cases/arkei-msi$ msidump -s -t po.msi\r\nExporting table _SummaryInformation...\r\nExporting table _ForceCodepage...\r\nExporting table _Validation...\r\nExporting table AdminExecuteSequence...\r\nExporting table AdminUISequence...\r\nExporting table AdvtExecuteSequence...\r\nExporting table Binary...\r\nExporting table Component...\r\nExporting table Directory...\r\nExporting table CustomAction...\r\nExporting table Feature...\r\nExporting table FeatureComponents...\r\nExporting table File...\r\nExporting table Icon...\r\nExporting table InstallExecuteSequence...\r\nExporting table InstallUISequence...\r\nExporting table LaunchCondition...\r\nExporting table Media...\r\nExporting table Property...\r\nExporting table Registry...\r\nExporting table Upgrade...\r\nExporting stream Icon.ProductIcon...\r\nExporting stream Binary.bz.CustomActionDll...\r\nExporting stream Binary.bz.WrappedSetupProgram...\r\nExporting stream SummaryInformation...\r\nExporting stream DocumentSummaryInformation...\r\nremnux@remnux:~/cases/arkei-msi$ ls -l\r\ntotal 4720\r\n-rw-rw-r-- 1 remnux remnux 243 Feb 12 22:44 AdminExecuteSequence.idt\r\n-rw-rw-r-- 1 remnux remnux 141 Feb 12 22:44 AdminUISequence.idt\r\n-rw-rw-r-- 1 remnux remnux 225 Feb 12 22:44 AdvtExecuteSequence.idt\r\ndrwxrwxr-x 2 remnux remnux 4096 Feb 12 22:44 Binary\r\n-rw-rw-r-- 1 remnux remnux 132 Feb 12 22:44 Binary.idt\r\n-rw-rw-r-- 1 remnux remnux 202 Feb 12 22:44 Component.idt\r\n-rw-rw-r-- 1 remnux remnux 1093 Feb 12 22:44 CustomAction.idt\r\n...\r\nEach of the IDT files contains data from one table, while two folders named “Binary” and “_Streams” hold executable and stream data fetched from the MSI. First up, let’s inspect that CustomAction.idt file.\r\nAction Type Source Target ExtendedType\r\ns72 i2 S72 S255 I4\r\nCustomAction Action\r\nbz.EarlyInstallMain 1 bz.CustomActionDll _InstallMain@4\r\nbz.EarlyInstallSetPropertyForDeferred1 51 bz.EarlyInstallFinish2 [BZ.INIFILE]\r\nbz.EarlyInstallFinish2 1 bz.CustomActionDll _InstallFinish2@4\r\nbz.LateInstallPrepare 1 bz.CustomActionDll _InstallPrepare@4\r\nbz.LateInstallSetPropertyForDeferred1 51 bz.LateInstallFinish1 [BZ.INIFILE]\r\nbz.LateInstallFinish1 3073 bz.CustomActionDll _InstallFinish1@4\r\nbz.LateInstallSetPropertyForDeferred2 51 bz.LateInstallFinish2 [BZ.INIFILE]\r\nbz.LateInstallFinish2 3073 bz.CustomActionDll _InstallFinish2@4\r\nbz.CheckReboot 1 bz.CustomActionDll _CheckReboot@4\r\nbz.UninstallPrepare 1 bz.CustomActionDll _UninstallPrepare@4\r\nbz.UninstallSetPropertyForDeferred1 51 bz.UninstallFinish1 [BZ.INIFILE]\r\nbz.UninstallFinish1 3073 bz.CustomActionDll _UninstallFinish1@4\r\nbz.UninstallSetPropertyForDeferred2 51 bz.UninstallFinish2 [BZ.INIFILE]\r\nbz.UninstallFinish2 1025 bz.CustomActionDll _UninstallFinish2@4\r\nbz.UninstallWrapped 1 bz.CustomActionDll _UninstallWrapped@4\r\nThe table contents look relatively normal as far as MSI files go. If there were malicious content here, we’d see code chunks that we’d expect to see in JScript or VBScript files. Let’s go take a look at some other interesting tables. The Property table gives some more information.\r\nProperty Value\r\ns72 l0\r\nProperty Property\r\nUpgradeCode {3FF46275-96F9-4EBF-9B1E-50CA97E8DB0E}\r\nALLUSERS 1\r\nARPNOREPAIR 1\r\nARPNOMODIFY 1\r\nARPPRODUCTICON ProductIcon\r\nBZ.WRAPPED_REGISTRATION None\r\nBZ.VER 2922\r\nBZ.CURRENTDIR *SOURCEDIR*\r\nBZ.WRAPPED_APPID {1FC4DB72-5AB1-4002-B9B0-00FAA9B12D8E}\r\nBZ.COMPANYNAME EXEMSI.COM\r\nBZ.BASENAME NEnXoxoXxKaPjctW.exe\r\nBZ.ELEVATE_EXECUTABLE administrators\r\nBZ.INSTALLMODE EARLY\r\nBZ.WRAPPERVERSION 10.0.50.0\r\nBZ.EXITCODE 0\r\nBZ.INSTALL_SUCCESS_CODES 0\r\nManufacturer My App\r\nProductCode {481C9516-0944-4A5D-B8F1-803936B5D792}\r\nProductLanguage 1033\r\nProductName My App\r\nProductVersion 21.9.9.16\r\nSecureCustomProperties WIX_DOWNGRADE_DETECTED;WIX_UPGRADE_DETECTED\r\nIt looks like the CompanyName for this MSI Wrapper is EXEMSI.COM, consistent with what we expected so far. The BaseName property looks to be NEnXoxoXxKaPjctW.exe. We haven’t seen this name anywhere else in the tables so far, so I’m going to guess there’s an archive or something inside a stream that contains the executable or content that downloads it. Let’s go look at the _Streams content.\r\nremnux@remnux:~/cases/arkei-msi/_Streams$ file *\r\nBinary.bz.CustomActionDll: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nBinary.bz.WrappedSetupProgram: Microsoft Cabinet archive data, Windows 2000/XP setup, 2059637 bytes, 1 file, at 0x2c +A \"NEnX\r\nDocumentSummaryInformation: dBase III DBT, version number 0, next free block index 65534\r\nIcon.ProductIcon: Targa image data - Map 32 x 19866 x 1 +1\r\nSummaryInformation: dBase III DBT, version number 0, next free block index 65534\r\nWe have some executable content that looks interesting in _Streams. First, the file Binary.bz.CustomActionDll looks like it’s a Windows native DLL file. A “custom action DLL” is pretty common to see in MSI files from multiple different products. I commonly see this sort of DLL in MSIs made by AdvancedInstaller tools, and those are usually signed. The second interesting file is Binary.bz.WrappedSetupProgram. This looks like a Microsoft CAB file that we can unpack using 7z.\r\nremnux@remnux:~/cases/arkei-msi/_Streams$ 7z x Binary.bz.WrappedSetupProgram\r\n7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21\r\np7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz (806EA\r\nScanning the drive for archives:\r\n1 file, 2059637 bytes (2012 KiB)\r\nExtracting archive: Binary.bz.WrappedSetupProgram\r\n--\r\nPath = Binary.bz.WrappedSetupProgram\r\nType = Cab\r\nPhysical Size = 2059637\r\nMethod = LZX:21\r\nBlocks = 1\r\nVolumes = 1\r\nVolume Index = 0\r\nID = 5658\r\nEverything is Ok\r\nSize: 2094224\r\nCompressed: 2059637\r\nremnux@remnux:~/cases/arkei-msi/_Streams$ ls -l\r\ntotal 4408\r\n-rw-rw-r-- 1 remnux remnux 212992 Feb 12 22:44 Binary.bz.CustomActionDll\r\n-rw-rw-r-- 1 remnux remnux 2059637 Feb 12 22:44 Binary.bz.WrappedSetupProgram\r\n-rw-rw-r-- 1 remnux remnux 2094224 Feb 9 14:17 NEnXoxoXxKaPjctW.exe\r\nAfter a life-affirming message from 7z, the tool successfully unpacked NEnXoxoXxKaPjctW.exe from the CAB. This is the EXE we were looking for after it was mentioned in Property.idt! Thus ends the MSI triage!\r\nTriage the EXE\r\nUsing Detect-It-Easy to identify the file helped find a stumbling block.\r\nremnux@remnux:~/cases/arkei-msi/_Streams$ diec NEnXoxoXxKaPjctW.exe\r\nfiletype: PE32\r\narch: I386\r\nmode: 32-bit\r\nendianess: LE\r\ntype: GUI\r\n protector: Obsidium(-)[-]\r\n linker: unknown(2.30)[GUI32]\r\nThe EXE is protected/packed using Obsidium, a commercial packing tool. There’s probably a way to unpack it statically or with a debugger, but that’s going to take more effort than I want to put in tonight. The best way from here forward for me will be to lean on a sandbox report.\r\nHow do we know it’s Arkei Stealer?\r\nThe Tria.ge report for the sample indicates it found evidence of Arkei in the memory dump of process ID 1312, which corresponds to NEnXoxoXxKaPjctW.exe. Let’s inspect that memory dump with some YARA rules and see what we can find. After running the sample through YARA rules from the yara-rules and ditekshen repositories, I couldn’t find a match. I assume at this point that the YARA rule is internal/private to Hatching. So let’s see if we can find intelligence overlaps in the sandbox telemetry.\r\nThe network activity from the report indicates the sample downloaded mozglue.dll, sqlite3.dll, nss3.dll, freebl3.dll, and a couple others. These DLLs are commonly downloaded and loaded into memory by stealers, as they provide functionality to decrypt sensitive data within Mozilla Firefox and Chromium-based web browsers. This is common to Vidar and Arkei, and these two families are similar enough that one may be forked from the other. The network telemetry in the sandbox PCAP can also be helpful, since it looks like there was a POST request. We can take a look at the data in Wireshark. In Wireshark, we want to filter on the http protocol only so we can immediately find that POST request. To see the content of the POST, we can right-click on the POST request and follow the HTTP stream. Once we do that, we can see it looks like the malware uploaded a ZIP archive named USR1V37900ZM7Q.zip.\r\nSince this file is uploaded over HTTP, it stands to reason that we can carve it out of the network traffic and inspect the contents. We can do this easily with NetworkMiner. Once you open the PCAP in NetworkMiner, all the files get automatically reassembled and written to disk. To inspect one, right-click on the file and choose either “Open File” or “Open Folder”.\r\nAfter unpacking the ZIP we can find just a few files.\r\nremnux@remnux:~/cases/arkei-msi/network$ tree -a\r\n.\r\n├── History\r\n│ └── Firefox_n0kj3f68.default-release.txt\r\n├── screenshot.jpg\r\n├── system.txt\r\n└── USR1V37900ZM7Q.zip\r\nJust searching for “screenshot.jpg” + “system.txt” on Google will yield some hits on Oski stealer, and one on Vidar. This isn’t surprising, as Oski reportedly shares some code with Vidar and Arkei.\r\nThe Firefox and screenshot information will likely be self-explanatory, so let’s start with system.txt. Stealers commonly capture system configuration data within a text file and sometimes leave specific toolmarks/artifacts inside those files. For example, Raccoon often leaves its own name in a systeminfo text file. Previous versions of Vidar, such as in fumik0’s analysis, seem to store system information in a file named information.txt instead. This makes me think we’re actually somewhere in Oski stealer territory, since it allegedly shares some code with Arkei. Lastly, there’s also a possibility this could be Mars stealer based on its similarity to Oski: in this analysis, as with Oski, there is a system.txt file.\r\nSo why does any of this matter? It matters a bit for threat intelligence tracking and attribution to developers. This also shows the great challenge in threat intelligence of trying to interpret malware analysis findings and detection details when many malware tools fork from one another and share artifacts. In worst-case scenarios, analysts can make assessments based on severely flawed or dated information. In many cases, though, the data is “close enough” to still be useful. This can be seen in the Tria.ge report: no matter what the stealer is, the configuration is still parsed.\r\nThanks for reading!\r\nSource: https://forensicitguy.github.io/analyzing-stealer-msi-using-msitools/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://forensicitguy.github.io/analyzing-stealer-msi-using-msitools/"
	],
	"report_names": [
		"analyzing-stealer-msi-using-msitools"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434658,
	"ts_updated_at": 1775826782,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b101c0701ecd96957bc37c38ea374a223242d1e3.pdf",
		"text": "https://archive.orkl.eu/b101c0701ecd96957bc37c38ea374a223242d1e3.txt",
		"img": "https://archive.orkl.eu/b101c0701ecd96957bc37c38ea374a223242d1e3.jpg"
	}
}