{ "id": "b2b5a461-8d97-4c03-9ed1-f80b54afae86", "created_at": "2026-04-06T00:18:24.89435Z", "updated_at": "2026-04-10T03:31:13.581029Z", "deleted_at": null, "sha1_hash": "b1bd0055aacb8e55c02352c87fbb6a8257c2e7af", "title": "XORStringsNet", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 51764, "plain_text": "XORStringsNet\nPublished: 2023-04-16 ยท Archived: 2026-04-05 19:18:06 UTC\n[b'SC',\n b'/log.tmp',\n b'KL',\n b'KL',\n b' \n[',\n b'yyyy-MM-dd HH:mm:ss',\n b'] \n',\n b' \n',\n b'PW',\n b'Time: ',\n b'MM/dd/yyyy HH:mm:ss',\n b' \nUser Name: ',\n b' \nComputer Name: ',\n b' \nOSFullName: ',\n b' \nCPU: ',\n b' \nRAM: ',\n b' \n',\n b'IP Address: ',\n b' \n',\n b'\n\n---\n',\n b'New ',\n b' Recovered!\\n\\nTime: ',\n b'MM/dd/yyyy HH:mm:ss',\n b'\\nUser Name: ',\n b'/',\n b'\\nOSFullName: ',\n b'\\nCPU: ',\n b'\\nRAM: ',\n b'\\n',\n b'IP Address: ',\n b'\\n',\n b'_',\n b'/',\n b'/',\n b'false',\n b'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0',\n b'false',\n b'false',\n b'false',\n b'false',\nhttps://research.openanalysis.net/dotnet/xorstringsnet/agenttesla/2023/04/16/xorstringsnet.html\nPage 1 of 11\n\nb'false',\n b'false',\n b'20',\n b'20',\n b'1',\n b'false',\n b'587',\n b'false',\n b'mail.expertsconsultgh.co',\n b'oppong@expertsconsultgh.co',\n b'Oppong.2012',\n b'wisdombig57@gmail.com',\n b'false',\n b'false',\n b'appdata',\n b'xFzxn',\n b'xFzxn.exe',\n b'xFzxn',\n b'Type',\n b': ',\n b': ',\n b' \n',\n b'\n\n---\n',\n b' \n',\n b'**[ ',\n b']** (',\n b') \n',\n b'{BACK}',\n b'{ALT+TAB}',\n b'{ALT+F4}',\n b'{TAB}',\n b'{ESC}',\n b'{Win}',\n b'{CAPSLOCK}',\n b'{KEYUP}',\n b'{KEYDOWN}',\n b'{KEYLEFT}',\n b'{KEYRIGHT}',\n b'{DEL}',\n b'{END}',\n b'{HOME}',\n b'{Insert}',\n b'{NumLock}',\n b'{PageDown}',\n b'{PageUp}',\n b'{ENTER}',\n b'{F1}',\nhttps://research.openanalysis.net/dotnet/xorstringsnet/agenttesla/2023/04/16/xorstringsnet.html\nPage 2 of 11\n\nb'{F2}',\n b'{F3}',\n b'{F4}',\n b'{F5}',\n b'{F6}',\n b'{F7}',\n b'{F8}',\n b'{F9}',\n b'{F10}',\n b'{F11}',\n b'{F12}',\n b' ',\n b'control',\n b'{CTRL}',\n b'\u0026',\n b'\u0026amp;',\n b'\u003c',\n b'\u003c',\n b'\u003e',\n b'\u003e',\n b'\"',\n b'\"',\n b'\n\n---\nCopied Text: \n',\n b'\n\n---\n',\n b'logins',\n b'IE/Edge',\n b'2F1A6504-0641-44CF-8BB5-3612D865F2E5',\n b'Windows Secure Note',\n b'3CCD5499-87A8-4B10-A215-608888DD3B55',\n b'Windows Web Password Credential',\n b'154E23D0-C644-4E6F-8CE6-5069272F999F',\n b'Windows Credential Picker Protector',\n b'4BF4C442-9B8A-41A0-B380-DD4A704DDB28',\n b'Web Credentials',\n b'77BC582B-F0A6-4E15-4E80-61736B6F3B29',\n b'Windows Credentials',\n b'E69D7838-91B5-4FC9-89D5-230D4D4CC2BC',\n b'Windows Domain Certificate Credential',\n b'3E0E35BE-1B77-43E7-B873-AED901B6275B',\n b'Windows Domain Password Credential',\n b'3C886FF3-2669-4AA2-A8FB-3F6759A77548',\n b'Windows Extended Credential',\n b'00000000-0000-0000-0000-000000000000',\n b'SchemaId',\n b'pResourceElement',\n b'pIdentityElement',\n b'pPackageSid',\nhttps://research.openanalysis.net/dotnet/xorstringsnet/agenttesla/2023/04/16/xorstringsnet.html\nPage 3 of 11\n\nb'pAuthenticatorElement',\r\n b'IE/Edge',\r\n b'UC Browser',\r\n b'UCBrowser\\\\',\r\n b'*',\r\n b'Login Data',\r\n b'journal',\r\n b'wow_logins',\r\n b'Safari for Windows',\r\n b'\\\\Common Files\\\\Apple\\\\Apple Application Support\\\\plutil.exe',\r\n b'\\\\Apple Computer\\\\Preferences\\\\keychain.plist',\r\n b'\u003carray\u003e',\r\n b'\u003cdict\u003e',\r\n b'\u003cstring\u003e',\r\n b'\u003c/string\u003e',\r\n b'\u003cstring\u003e',\r\n b'\u003c/string\u003e',\r\n b'\u003cdata\u003e',\r\n b'\u003c/data\u003e',\r\n b' -convert xml1 -s -o \"',\r\n b'\\\\fixed_keychain.xml\" ',\r\n b'\"',\r\n b'\"',\r\n b'\\\\Microsoft\\\\Credentials\\\\',\r\n b'\\\\Microsoft\\\\Credentials\\\\',\r\n b'\\\\Microsoft\\\\Credentials\\\\',\r\n b'\\\\Microsoft\\\\Credentials\\\\',\r\n b'\\\\Microsoft\\\\Protect\\\\',\r\n b'\\\\',\r\n b'credential',\r\n b'QQ Browser',\r\n b'Tencent\\\\QQBrowser\\\\User Data',\r\n b'\\\\Default\\\\EncryptedStorage',\r\n b'Profile',\r\n b'\\\\EncryptedStorage',\r\n b'entries',\r\n b'category',\r\n b'Password',\r\n b'str3',\r\n b'str2',\r\n b'blob0',\r\n b'password_value',\r\n b'IncrediMail',\r\n b'PopPassword',\r\n b'SmtpPassword',\r\n b'Software\\\\IncrediMail\\\\Identities\\\\',\r\n b'\\\\Accounts_New',\r\nhttps://research.openanalysis.net/dotnet/xorstringsnet/agenttesla/2023/04/16/xorstringsnet.html\r\nPage 4 of 11\n\nb'PopPassword',\r\n b'SmtpPassword',\r\n b'SmtpServer',\r\n b'EmailAddress',\r\n b'Eudora',\r\n b'Software\\\\Qualcomm\\\\Eudora\\\\CommandLine\\\\',\r\n b'current',\r\n b'Settings',\r\n b'SavePasswordText',\r\n b'Settings',\r\n b'ReturnAddress',\r\n b'-',\r\n b'Falkon Browser',\r\n b'\\\\falkon\\\\profiles\\\\',\r\n b'profiles.ini',\r\n b'startProfile=([A-z0-9\\\\/\\\\.\\\\\"]+)',\r\n b'profiles.ini',\r\n b'\\\\browsedata.db',\r\n b'autofill',\r\n b'ClawsMail',\r\n b'\\\\Claws-mail',\r\n b'\\\\clawsrc',\r\n b'\\\\clawsrc',\r\n b'passkey0',\r\n b'master_passphrase_salt=(.+)',\r\n b'master_passphrase_pbkdf2_rounds=(.+)',\r\n b'\\\\accountrc',\r\n b'smtp_server',\r\n b'address',\r\n b'account',\r\n b'[',\r\n b' ',\r\n b']',\r\n b'\\\\passwordstorerc',\r\n b'{(.*),(.*)}(.*)',\r\n b'Flock Browser',\r\n b'APPDATA',\r\n b'\\\\Flock\\\\Browser\\\\',\r\n b'signons3.txt',\r\n b'---',\r\n b'.',\r\n b'---',\r\n b'DynDns',\r\n b'ALLUSERSPROFILE',\r\n b'Dyn\\\\Updater\\\\config.dyndns',\r\n b'username=',\r\n b'password=',\r\nhttps://research.openanalysis.net/dotnet/xorstringsnet/agenttesla/2023/04/16/xorstringsnet.html\r\nPage 5 of 11\n\nb'https://account.dyn.com/',\r\n b't6KzXhCh',\r\n b'ALLUSERSPROFILE',\r\n b'Dyn\\\\Updater\\\\daemon.cfg',\r\n b'global',\r\n b'accounts',\r\n b'account.',\r\n b'username',\r\n b'account.',\r\n b'password',\r\n b'Psi/Psi+',\r\n b'name',\r\n b'jid',\r\n b'password',\r\n b'jid',\r\n b'Psi/Psi+',\r\n b'APPDATA',\r\n b'\\\\Psi\\\\profiles',\r\n b'APPDATA',\r\n b'\\\\Psi+\\\\profiles',\r\n b'\\\\accounts.xml',\r\n b'\\\\accounts.xml',\r\n b'OpenVPN',\r\n b'Software\\\\OpenVPN-GUI\\\\configs',\r\n b'Software\\\\OpenVPN-GUI\\\\configs',\r\n b'Software\\\\OpenVPN-GUI\\\\configs\\\\',\r\n b'username',\r\n b'auth-data',\r\n b'entropy',\r\n b'USERPROFILE',\r\n b'\\\\OpenVPN\\\\config\\\\',\r\n b'remote ',\r\n b'remote ',\r\n b'NordVPN',\r\n b'NordVPN',\r\n b'NordVpn.exe*',\r\n b'user.config',\r\n b\"//setting[@name='Username']/value\",\r\n b\"//setting[@name='Password']/value\",\r\n b'NordVPN',\r\n b'-',\r\n b'Private Internet Access',\r\n b'%ProgramW6432%',\r\n b'Private Internet Access\\\\data',\r\n b'ProgramFiles(x86)',\r\n b'\\\\Private Internet Access\\\\data',\r\n b'\\\\account.json',\r\nhttps://research.openanalysis.net/dotnet/xorstringsnet/agenttesla/2023/04/16/xorstringsnet.html\r\nPage 6 of 11\n\nb'.*\"username\":\"(.*?)\"',\r\n b'.*\"password\":\"(.*?)\"',\r\n b'Private Internet Access',\r\n b'privateinternetaccess.com',\r\n b'FileZilla',\r\n b'APPDATA',\r\n b'\\\\FileZilla\\\\recentservers.xml',\r\n b'APPDATA',\r\n b'\\\\FileZilla\\\\recentservers.xml',\r\n b'\u003cServer\u003e',\r\n b'\u003cHost\u003e',\r\n b'\u003cHost\u003e',\r\n b'\u003c/Host\u003e',\r\n b':',\r\n b'\u003cPort\u003e',\r\n b'\u003c/Port\u003e',\r\n b'\u003cUser\u003e',\r\n b'\u003cUser\u003e',\r\n b'\u003c/User\u003e',\r\n b'\u003cPass encoding=\"base64\"\u003e',\r\n b'\u003cPass encoding=\"base64\"\u003e',\r\n b'\u003c/Pass\u003e',\r\n b'\u003cPass\u003e',\r\n b'\u003cPass encoding=\"base64\"\u003e',\r\n b'\u003c/Pass\u003e',\r\n b'CoreFTP',\r\n b'SOFTWARE\\\\FTPWare\\\\COREFTP\\\\Sites',\r\n b'\\\\',\r\n b'PW',\r\n b'User',\r\n b'Host',\r\n b'Port',\r\n b'hdfzpysvpzimorhk',\r\n b'WinSCP',\r\n b'SOFTWARE\\\\Martin Prikryl\\\\WinSCP 2\\\\Sessions',\r\n b'HostName',\r\n b'UserName',\r\n b'Password',\r\n b'PublicKeyFile',\r\n b':',\r\n b'PortNumber',\r\n b'22',\r\n b'[PRIVATE KEY LOCATION: \"{0}\"]',\r\n b'WinSCP',\r\n b'A',\r\n b'10',\r\n b'B',\r\nhttps://research.openanalysis.net/dotnet/xorstringsnet/agenttesla/2023/04/16/xorstringsnet.html\r\nPage 7 of 11\n\nb'11',\r\n b'C',\r\n b'12',\r\n b'D',\r\n b'13',\r\n b'E',\r\n b'14',\r\n b'F',\r\n b'15',\r\n b'ABCDEF',\r\n b'Flash FXP',\r\n b'IP',\r\n b':',\r\n b'port',\r\n b'user',\r\n b'pass',\r\n b'quick.dat',\r\n b'Sites.dat',\r\n b'\\\\FlashFXP\\\\',\r\n b'\\\\FlashFXP\\\\',\r\n b'\\\\',\r\n b'\\\\',\r\n b'\\\\',\r\n b'\\\\',\r\n b'\\\\',\r\n b'yA36zA48dEhfrvghGRg57h5UlDv3',\r\n b'FTP Navigator',\r\n b'SystemDrive',\r\n b'\\\\FTP Navigator\\\\Ftplist.txt',\r\n b'Server',\r\n b'Password',\r\n b'No Password',\r\n b'User',\r\n b'SmartFTP',\r\n b'APPDATA',\r\n b'SmartFTP\\\\Client 2.0\\\\Favorites\\\\Quick Connect',\r\n b'WS_FTP',\r\n b'appdata',\r\n b'Ipswitch\\\\WS_FTP\\\\Sites\\\\ws_ftp.ini',\r\n b'HOST',\r\n b'UID',\r\n b'PWD',\r\n b'PWD=',\r\n b'PWD=',\r\n b'FtpCommander',\r\n b'SystemDrive',\r\n b'\\\\Program Files (x86)\\\\FTP Commander Deluxe\\\\Ftplist.txt',\r\nhttps://research.openanalysis.net/dotnet/xorstringsnet/agenttesla/2023/04/16/xorstringsnet.html\r\nPage 8 of 11\n\nb'SystemDrive',\r\n b'\\\\Program Files (x86)\\\\FTP Commander\\\\Ftplist.txt',\r\n b'SystemDrive',\r\n b'\\\\cftp\\\\Ftplist.txt',\r\n b'\\\\VirtualStore\\\\Program Files (x86)\\\\FTP Commander\\\\Ftplist.txt',\r\n b'\\\\VirtualStore\\\\Program Files (x86)\\\\FTP Commander Deluxe\\\\Ftplist.txt',\r\n b';Password=',\r\n b';User=',\r\n b';Server=',\r\n b';Port=',\r\n b';Port=',\r\n b';Password=',\r\n b';User=',\r\n b';Anonymous=',\r\n b':',\r\n b'FTPGetter',\r\n b'\\\\FTPGetter\\\\servers.xml',\r\n b'\u003cserver\u003e',\r\n b'\u003cserver_ip\u003e',\r\n b'\u003cserver_ip\u003e',\r\n b'\u003c/server_ip\u003e',\r\n b':',\r\n b'\u003cserver_port\u003e',\r\n b'\u003c/server_port\u003e',\r\n b'\u003cserver_user_name\u003e',\r\n b'\u003cserver_user_name\u003e',\r\n b'\u003c/server_user_name\u003e',\r\n b'\u003cserver_user_password\u003e',\r\n b'\u003cserver_user_password\u003e',\r\n b'\u003c/server_user_password\u003e',\r\n b'FTPGetter',\r\n b'The Bat!',\r\n b'appdata',\r\n b'\\\\The Bat!',\r\n b'\\\\Account.CFN',\r\n b'\\\\Account.CFN',\r\n b'zzz',\r\n b'=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=',\r\n b'+-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz',\r\n b'Becky!',\r\n b'HKEY_CURRENT_USER\\\\Software\\\\RimArts\\\\B2\\\\Settings',\r\n b'DataDir',\r\n b'Folder.lst',\r\n b'\\\\Mailbox.ini',\r\n b'Account',\r\n b'PassWd',\r\n b'Account',\r\nhttps://research.openanalysis.net/dotnet/xorstringsnet/agenttesla/2023/04/16/xorstringsnet.html\r\nPage 9 of 11\n\nb'SMTPServer',\r\n b'Account',\r\n b'MailAddress',\r\n b'Becky!',\r\n b'Outlook',\r\n b'Software\\\\Microsoft\\\\Office\\\\15.0\\\\Outlook\\\\Profiles\\\\Outlook\\\\9375CFF0413111d3B88A00104B2A6676',\r\n b'Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows Messaging Subsystem\\\\Profiles\\\\Outlook\\\\9\r\n b'Software\\\\Microsoft\\\\Windows Messaging Subsystem\\\\Profiles\\\\9375CFF0413111d3B88A00104B2A6676',\r\n b'Software\\\\Microsoft\\\\Office\\\\16.0\\\\Outlook\\\\Profiles\\\\Outlook\\\\9375CFF0413111d3B88A00104B2A6676',\r\n b'Email',\r\n b'IMAP Password',\r\n b'POP3 Password',\r\n b'HTTP Password',\r\n b'SMTP Password',\r\n b'Email',\r\n b'Email',\r\n b'Email',\r\n b'IMAP Password',\r\n b'POP3 Password',\r\n b'HTTP Password',\r\n b'SMTP Password',\r\n b' Server',\r\n b'Windows Mail App',\r\n b'COMPlus_legacyCorruptedStateExceptionsPolicy',\r\n b'1',\r\n b'Software\\\\Microsoft\\\\ActiveSync\\\\Partners',\r\n b'Email',\r\n b'Server',\r\n b'SchemaId',\r\n b'pResourceElement',\r\n b'pIdentityElement',\r\n b'pPackageSid',\r\n b'pAuthenticatorElement',\r\n b'syncpassword',\r\n b'mailoutgoing',\r\n b'FoxMail',\r\n b'HKEY_CURRENT_USER\\\\Software\\\\Aerofox\\\\FoxmailPreview',\r\n b'Executable',\r\n b'HKEY_CURRENT_USER\\\\Software\\\\Aerofox\\\\Foxmail\\\\V3.1',\r\n b'FoxmailPath',\r\n b'\\\\Storage\\\\',\r\n b'\\\\Storage\\\\',\r\n b'\\\\mail',\r\n b'\\\\mail',\r\n b'\\\\VirtualStore\\\\Program Files\\\\Foxmail\\\\mail',\r\n b'\\\\VirtualStore\\\\Program Files\\\\Foxmail\\\\mail',\r\n b'\\\\VirtualStore\\\\Program Files (x86)\\\\Foxmail\\\\mail',\r\nhttps://research.openanalysis.net/dotnet/xorstringsnet/agenttesla/2023/04/16/xorstringsnet.html\r\nPage 10 of 11\n\nb'\\\\VirtualStore\\\\Program Files (x86)\\\\Foxmail\\\\mail',\r\n b'\\\\Accounts\\\\Account.rec0',\r\n b'\\\\Accounts\\\\Account.rec0',\r\n b'\\\\Account.stg',\r\n b'\\\\Account.stg',\r\n b'POP3Host',\r\n b'SMTPHost',\r\n b'IncomingServer',\r\n b'Account',\r\n b'MailAddress',\r\n b'Password',\r\n b'POP3Password',\r\n b'5A',\r\n b'71',\r\n b'Opera Mail',\r\n b'\\\\Opera Mail\\\\Opera Mail\\\\wand.dat',\r\n b'\\\\Opera Mail\\\\Opera Mail\\\\wand.dat',\r\n b'opera:']\r\nSource: https://research.openanalysis.net/dotnet/xorstringsnet/agenttesla/2023/04/16/xorstringsnet.html\r\nhttps://research.openanalysis.net/dotnet/xorstringsnet/agenttesla/2023/04/16/xorstringsnet.html\r\nPage 11 of 11", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://research.openanalysis.net/dotnet/xorstringsnet/agenttesla/2023/04/16/xorstringsnet.html" ], "report_names": [ "xorstringsnet.html" ], "threat_actors": [ { "id": "f4f16213-7a22-4527-aecb-b964c64c2c46", "created_at": "2024-06-19T02:03:08.090932Z", "updated_at": "2026-04-10T02:00:03.6289Z", "deleted_at": null, "main_name": "GOLD NIAGARA", "aliases": [ "Calcium ", "Carbanak", "Carbon Spider ", "FIN7 ", "Navigator ", "Sangria Tempest ", "TelePort Crew " ], "source_name": "Secureworks:GOLD NIAGARA", "tools": [ "Bateleur", "Carbanak", "Cobalt Strike", "DICELOADER", "DRIFTPIN", "GGLDR", "GRIFFON", "JSSLoader", "Meterpreter", "OFFTRACK", "PILLOWMINT", "POWERTRASH", "SUPERSOFT", "TAKEOUT", "TinyMet" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434704, "ts_updated_at": 1775791873, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/b1bd0055aacb8e55c02352c87fbb6a8257c2e7af.pdf", "text": "https://archive.orkl.eu/b1bd0055aacb8e55c02352c87fbb6a8257c2e7af.txt", "img": "https://archive.orkl.eu/b1bd0055aacb8e55c02352c87fbb6a8257c2e7af.jpg" } }