{
	"id": "190f79f3-0208-45cc-857b-5e8dd0ce2a27",
	"created_at": "2026-04-06T00:17:05.20145Z",
	"updated_at": "2026-04-10T03:33:16.700116Z",
	"deleted_at": null,
	"sha1_hash": "b7e1375a2ee397e98b850d92dfd34ad4a3dcd1fb",
	"title": "Tracking the Crypter and the Actor, viXra.org e-Print archive, viXra:1902.0257",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42401,
	"plain_text": "Tracking the Crypter and the Actor, viXra.org e-Print archive, viXra:1902.0257\r\nArchived: 2026-04-05 18:07:30 UTC\r\nAuthors: Jason Reaves\r\nIn the world of malware, crypters and packers are often considered throwaway by researchers; it’s also fairly common to use them as training tools for junior personnel. In a way, most obfuscations are treated as training, learning or for games like CTF (Capture The Flag). So it’s probably not surprising that lots of researchers don’t pay much attention to these layers. These layers can be used, especially when you find some of the more sophisticated ones that tend to stick around for longer periods of time. While probably not as useful as tracking an actor to a backend system, these malware artifacts can provide valuable clues, serving as tools, techniques and procedures (TTPs) in tracking the ongoing operations of a specific threat actor across a wide range of operations and groups. In this case, we focus on MAN1, a sophisticated crypter dating back to 2014 that's still in use today.\r\nComments: 24 Pages. Malware Research; PE Cryptor\r\nSubmission history\r\n[v1] 2019-02-14 08:24:08\r\nUnique-IP document downloads: 688 times\r\nSource: https://vixra.org/abs/1902.0257",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://vixra.org/abs/1902.0257"
	],
	"report_names": [
		"1902.0257"
	],
	"threat_actors": [
		{
			"id": "1f6ae238-765f-4495-9d54-6a7883d7a319",
			"created_at": "2022-10-25T16:07:24.573456Z",
			"updated_at": "2026-04-10T02:00:05.037738Z",
			"deleted_at": null,
			"main_name": "TA511",
			"aliases": [
				"MAN1",
				"Moskalvzapoe"
			],
			"source_name": "ETDA:TA511",
			"tools": [
				"Agentemis",
				"Chanitor",
				"Cobalt Strike",
				"CobaltStrike",
				"Ficker Stealer",
				"Hancitor",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "542cf9d0-9c68-428c-aff8-81b6f59dc985",
			"created_at": "2023-02-15T02:01:49.554105Z",
			"updated_at": "2026-04-10T02:00:03.347115Z",
			"deleted_at": null,
			"main_name": "Moskalvzapoe",
			"aliases": [
				"MAN1",
				"TA511"
			],
			"source_name": "MISPGALAXY:Moskalvzapoe",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434625,
	"ts_updated_at": 1775791996,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b7e1375a2ee397e98b850d92dfd34ad4a3dcd1fb.pdf",
		"text": "https://archive.orkl.eu/b7e1375a2ee397e98b850d92dfd34ad4a3dcd1fb.txt",
		"img": "https://archive.orkl.eu/b7e1375a2ee397e98b850d92dfd34ad4a3dcd1fb.jpg"
	}
}