{
	"id": "2aab645b-6437-4ebc-a58c-9802457214a9",
	"created_at": "2026-04-06T00:11:41.825603Z",
	"updated_at": "2026-04-10T03:21:25.6267Z",
	"deleted_at": null,
	"sha1_hash": "c305d60abdc8306f578bc17d4fb7a3bae952eef9",
	"title": "Alreay (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 29693,
	"plain_text": "Alreay (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 16:09:46 UTC\r\nAlreay is a remote access trojan that uses HTTP(S) or TCP for communication with its C\u0026C server.\r\nIt uses either RC4 or DES for encryption of its configuration, which is stored in the registry.\r\nIt sends detailed information about the victim's environment, like computer name, Windows version,\r\nsystem locale, and network configuration.\r\nIt supports almost 25 commands that include operations on the victim’s filesystem, basic process management, file\r\nexfiltration, command line execution, and process injection of an executable downloaded from the attacker’s C\u0026C\r\nserver. As in many RATs from the Lazarus arsenal, the commands are indexed by 32-bit integers, starting with values\r\nlike 0x21A8B293, 0x23FAE29C or 0x91B93485.\r\nIt comes either as an EXE or as a DLL with the internal DLL name t_client_dll.dll. It may contain statically linked\r\ncode from open-source libraries like Mbed TLS or zLib (version 1.0.1).\r\nAlreay RAT was observed in 2016-2017, running on networks of banks operating SWIFT Alliance software.\r\n[TLP:WHITE] win_alreay_auto (20251219 | Detects win.alreay.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.alreay",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.alreay"
	],
	"report_names": [
		"win.alreay"
	],
	"threat_actors": [],
	"ts_created_at": 1775434301,
	"ts_updated_at": 1775791285,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c305d60abdc8306f578bc17d4fb7a3bae952eef9.pdf",
		"text": "https://archive.orkl.eu/c305d60abdc8306f578bc17d4fb7a3bae952eef9.txt",
		"img": "https://archive.orkl.eu/c305d60abdc8306f578bc17d4fb7a3bae952eef9.jpg"
	}
}